[ https://issues.apache.org/jira/browse/RANGER-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15088386#comment-15088386 ]

Don Bosco Durai commented on RANGER-768:
----------------------------------------

Thanks for the clarification. It looks good.

bq. Yes, this is designed for generic use beyond just Hive-HDFS association
I agree, we should make it generic.

bq. I'm relying on the "exact matching" of policy name pattern, as done by the existing Ranger Hive policy
This should work. I feel we should do 2 enhancements on the policy side. 1. 
Allow multiple policies for the same resource. Else it will fail. 2. Also, make 
these policies non-editable by admin and only manageable implicitly by the 
Hive Metastore. This will ensure consistency. We can create sub JIRAs to 
track/discuss them there.

bq. I believe Hive CLI supports grant/revoke.
This is good to know.

bq. 3.1.1 Hive CLI, HiveAuthorizer specified in hive-site.xml
In the first data row, for GRANT/REVOKE, when the HiveAuthorizer is configured, 
it is still executed at the client side, which is not of much use. For this 
JIRA work, we have to ensure that all the access control and audit works within 
the MetaStore.


> Hive Metastore Plugin
> ---------------------
>
>                 Key: RANGER-768
>                 URL: https://issues.apache.org/jira/browse/RANGER-768
>             Project: Ranger
>          Issue Type: New Feature
>          Components: admin, plugins
>            Reporter: Yan
>         Attachments: Design Proposal for Hive Metastore Plugin of 
> Ranger.docx, Design Proposal for Hive Metastore Plugin of Ranger.docx
>
>
> Currently there is no Ranger processing of Hive table meta store events that 
> could result in privilege modifications. One example is that when a table is 
> renamed by a Hive Server 2 client (the "beeline"), no proper privilege 
> adjustments in Ranger are made to allow/deny previously allowed/denied users 
> the same privileges as before. In addition, more advanced features, such as 
> granting/denying similar accesses to Hive's HDFS data to users that have (or 
> do not have) privileges in the Hive, would require that detailed metadata of 
> the Hive table, the storage info to be specific, be available to Ranger in 
> order to make the corresponding HDFS data accessible to the Hive users 
> directly.
> This plugin will depend upon the existing Ranger Hive plugin, so it shares 
> the same "service" name as the associated Ranger Hive service deployed, and 
> it will be "co-enabled" with the existing Ranger Hive plugin.
> Design doc will come soon.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
