[ https://issues.apache.org/jira/browse/RANGER-1851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16215522#comment-16215522 ]
Ramesh Mani commented on RANGER-1851:
-------------------------------------

[~bosco], some effort on associating the "action" with resource is done in this JIRA https://issues.apache.org/jira/browse/RANGER-1781
Please check this out and give your inputs on this.
Pinging [~madhan.neethiraj] [~abhayk]

> Enhance Ranger Hive Plugin to support authorization for KILL QUERY command
> --------------------------------------------------------------------------
>
>                 Key: RANGER-1851
>                 URL: https://issues.apache.org/jira/browse/RANGER-1851
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: master, 0.7.1
>            Reporter: Ramesh Mani
>            Assignee: Ramesh Mani
>            Priority: Critical
>
> With the HIVE-17483 JIRA, Hive has introduced a way to kill query <id>, and
> in Hive it's a privileged action for the Hive Admin Role. In order for the Ranger
> Hive Authorizer to support authorization, we need to enhance the Ranger Hive
> authorizer. The current Hive implementation is to Kill Query in a HiveService,
> which can be LLAP / HIVESERVER2; later these HIVE SERVICEs can be grouped
> into NAME SPACEs and kill query can be run against them. When the
> HiveServer2/LLAP Ranger Plugin sends the request to Ranger for authorization,
> it will be sending the HIVE SERVICE in the context with the COMMAND that is
> executed.
> With all the details, the proposal is to have:
> 1) In the Ranger Hive Service Definition, we will have a new Resource "Hive
> Service" to authorize.
> 2) In the Ranger Hive Permission Model, we will have a new Permission "Service
> Admin" to group the Kill Query operation.
>    - "Service Admin" permission will enable the Hive Ranger plugin to isolate
> various admin operations, in this case "Kill Query", and in future, if Hive
> introduces other operations which are done at "HIVE SERVICE level", group
> them under this and authorize.
>    - "Service Admin" won't be able to do DATABASE / TABLE / COLUMN
> operations, as this will all be taken care of by the existing
> DATABASE/TABLE/COLUMN level permission model.
> [~madhan.neethiraj] [~vperiasamy][~thejas][~bosco][~sneethiraj]

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)