[jira] [Commented] (RANGER-1851) Enhance Ranger Hive Plugin to support authorization for KILL QUERY command

Fri, 20 Oct 2017 22:46:52 -0700 

    [ 
https://issues.apache.org/jira/browse/RANGER-1851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16213749#comment-16213749
 ] 

Don Bosco Durai commented on RANGER-1851:
-----------------------------------------

I feel this is a good thing. We should consider this as a design pattern for 
our other services where we need actions at non-resource level.

Seems we have started having multiple cases, where the resources are at the 
same level (e.g. database/URL in Hive and now Service). Can we associate which 
"actions" are applicable at each top level? This will give a good experience 
for the users. This doesn't have to be part of this JIRA.


> Enhance Ranger Hive Plugin to support authorization for KILL QUERY command
> --------------------------------------------------------------------------
>
>                 Key: RANGER-1851
>                 URL: https://issues.apache.org/jira/browse/RANGER-1851
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: master, 0.7.1
>            Reporter: Ramesh Mani
>            Assignee: Ramesh Mani
>            Priority: Critical
>
> With the HIVE-17483 JIRA,  Hive has introduced a way to kill query <id> and 
> in hive its a privileged  action for Hive Admin Role. In order for the Ranger 
> Hive Authorizer to support authorization, we need to enhance the ranger hive 
> authorizer. Current Hive implementation is to Kill Query in a HiveService 
> which can be LLAP / HIVESERVER2 , later these HIVE SERVICEs can be grouped 
> into NAME SPACEs and kill query can be run against them. When 
> HiveServer2/LLAP Ranger Plugin sends the request to Ranger for Authorization, 
> it will be sending the HIVE SERVICE in the context with the COMMAND that is 
> executed.  
> With all the details proposal is to have 
> 1) In Ranger Hive Service Definition, we will have a new Resource "Hive 
> Service" to authorize.
> 2) In Ranger Hive Permission Model, we will have a new Permission "Service 
> Admin" to group Kill Query operation.
>     - "Service Admin"  permission will enable hive ranger plugin to isolate 
> various admin operations in this case "Kill Query" and in future if hive 
> introduces other operations which are done at "HIVE SERVICE level" , group 
> them under this and authorize.
>    - "Service Admin" won't be able to do  DATABASE / TABLE / COLUMN 
> operations as this will all be taken care by the existing 
> DATABASE/TABLE/COLUMN level permission model.
> [~madhan.neethiraj] [~vperiasamy][~thejas][~bosco][~sneethiraj]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to