ranger-dev mailing list archives

From "Ramesh Mani (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-1195) Ranger should allow for "select *" and "describe" on tables where user access is limited to a subset of columns.
Date Tue, 06 Dec 2016 18:39:58 GMT

    [ https://issues.apache.org/jira/browse/RANGER-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15726331#comment-15726331 ]

Ramesh Mani commented on RANGER-1195:

ranger-hive-security.xml will have to have a new parameter "xasecure.hive.describetable.showcolumns.authorization.option",
which will take the values none / show-all / show-allowed / " ":
"" or none   - this will result in the current behavior of not showing any columns when the user has
               access to a subset of the columns given by the Ranger Hive policy.
show-all     - this will result in showing all the columns in the Describe / Show Columns command.
               (This is equal to having NONE as the value for this param and the Ranger policy having * for "Columns",
               giving access to all columns.)
show-allowed - this will show only the columns which the user has access to via Ranger policy.
               (This is not implemented yet in Ranger; when Hive provides the hook for filtering the objects,
               this can be implemented and can be made the default value when the Ranger plugin is enabled for
               HiveServer2 Auth.)
I shall make this part of the documentation.

> Ranger should allow for "select *" and "describe" on tables where user access is limited to a subset of columns.
> ----------------------------------------------------------------------------------------------------------------
>                 Key: RANGER-1195
>                 URL: https://issues.apache.org/jira/browse/RANGER-1195
>             Project: Ranger
>          Issue Type: Improvement
>          Components: plugins
>    Affects Versions: 0.5.1, 0.5.2, 0.6.0, 0.5.3, 0.6.1
>            Reporter: Michael Young
>            Assignee: Ramesh Mani
>             Fix For: 0.7.0
>         Attachments: RANGER-1195.patch
> If you create a Hive policy in Ranger which allows only a subset of columns in a table, users are unable to "select * from tablename" or "describe tablename".  The user must know in advance to which columns they are allowed access, but they can't use "describe" to see a list of columns they are allowed.
> When doing either select or describe in Hive, Ranger should dynamically filter the columns the user is not allowed to see.

This message was sent by Atlassian JIRA
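
Added example, not part of the original message and not Ranger's code: a small Python model of what Describe / Show Columns lists under each value of the parameter from the comment above, for a user whose policy grants a subset of columns, and which listed names fall outside the grant. The function names, the sample table, case-insensitive matching, the fallback of unknown values to none, and the refusal when no column is granted are assumptions.

```python
# Illustrative model only: not Ranger's implementation.
PARAM = "xasecure.hive.describetable.showcolumns.authorization.option"
MODES = ("none", "show-all", "show-allowed")


def normalize(value):
    """Map a raw property value to a mode; "" (or blank) and none are one mode.
    Assumption: matching is case-insensitive and an unknown value falls
    back to the most restrictive mode, "none"."""
    v = (value or "").strip().lower()
    return v if v in MODES else "none"


def describe_columns(option, table_columns, allowed_columns):
    """Return the column names Describe / Show Columns would list,
    or None when no columns are shown."""
    granted = set(allowed_columns)
    allowed = [c for c in table_columns if c in granted]
    if not allowed:
        return None  # assumption: no column access means no listing in any mode
    if len(allowed) == len(table_columns):
        return list(table_columns)  # full access: nothing to hide
    mode = normalize(option)
    if mode == "show-all":
        return list(table_columns)  # lists names of columns the user cannot read
    if mode == "show-allowed":
        return allowed  # per the comment, not yet implemented in Ranger
    return None  # "none": partial access shows no columns


def metadata_exposed(option, table_columns, allowed_columns):
    """Column names listed to the user that the policy does not grant."""
    shown = describe_columns(option, table_columns, allowed_columns) or []
    granted = set(allowed_columns)
    return [c for c in shown if c not in granted]


# Constructed sample: a table and a policy granting two of its four columns.
TABLE = ["id", "name", "ssn", "salary"]
POLICY = ["id", "name"]

if __name__ == "__main__":
    for raw in ("", "none", "show-all", "show-allowed"):
        print(repr(raw), describe_columns(raw, TABLE, POLICY),
              metadata_exposed(raw, TABLE, POLICY))
```

With show-all the listing includes names of columns the policy does not grant, which is worth weighing when column names themselves are sensitive.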