[ https://issues.apache.org/jira/browse/RANGER-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15088727#comment-15088727 ]

Madhan Neethiraj commented on RANGER-768:
-----------------------------------------

bq. 2.2.3       Range HDFS Privilege Changes as Result of Hive Metadata Changes
bq. There will be a new String member introduced in the “configs” list of the 
Hive’s servicedef json file, named “storageServiceName” that will specify the 
HDFS service name whose HDFS entries under a Hive table will have access 
policies added/deleted according to the existence of the Hive table’s objects 
of data.  The default value of null will disable the sync of the HDFS privilege 
sync due to Hive metadata changes. The setting of this member will be through 
GUI and RESTful API. 
This is a nice approach. Please note that service configuration is not sent to 
the plugins from Ranger Admin (when the plugins download policies). Perhaps a 
new attribute {{Map<String, String> serviceConfigs}} can be added to 
{{ServicePolicies}} class to send selected service configurations to plugins.

> Hive Metastore Plugin
> ---------------------
>
>                 Key: RANGER-768
>                 URL: https://issues.apache.org/jira/browse/RANGER-768
>             Project: Ranger
>          Issue Type: New Feature
>          Components: admin, plugins
>            Reporter: Yan
>         Attachments: Design Proposal for Hive Metastore Plugin of 
> Ranger.docx, Design Proposal for Hive Metastore Plugin of Ranger.docx
>
>
> Currently there is no Ranger processing of Hive table meta store events that 
> could result in privilege modifications. One example is that when a table is 
> renamed by a Hive Server 2 client (the "beeline"), no proper privilege 
> adjustments in Ranger are made to allow/deny previously allowed/denied users 
> the same privileges as before. In addition, more advanced features, such as 
> granting/denying similar accesses to Hive's HDFS data to users that have (or 
> do not have) privileges in the Hive, would require that detailed metadata of 
> the Hive table, the storage info to be specific, be available to Ranger in 
> order to make the corresponding HDFS data accessible to the Hive users 
> directly.
> This plugin will depend upon the existing Ranger Hive plugin, so it shares 
> the same "service" name as the associated Ranger Hive service deployed, and 
> it will be "co-enabled" with the existing Ranger Hive plugin.
> Design doc will come soon.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
