[
https://issues.apache.org/jira/browse/RANGER-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15093314#comment-15093314
]
Yan commented on RANGER-768:
----------------------------
[~bosco] I guess it might be possible not to add HDFS policies for each
physical partition, but for the partition/bucket/table specification in the DDL
and use the "recursive" flag to denote the actual storage files beneath the
specified storage directories. We may need to consult with Hive experts on this.
I have not found a need for a hook specifically for the HDFS policy derivation.
The Listener hook is for the Hive Metastore-based security in general. If HDFS
policy sync is configured, both this hook and the existing Authorizer hook will
be enhanced to pass storage info back to Admin. To save blind pass of the info
for the Hive services that are NOT configured for the HDFS policy sync, we
probably need to pass the service config to the Hive plugin as Madhan pointed
out, contrary to my previous thought. Thanks.
> Hive Metastore Plugin
> ---------------------
>
> Key: RANGER-768
> URL: https://issues.apache.org/jira/browse/RANGER-768
> Project: Ranger
> Issue Type: New Feature
> Components: admin, plugins
> Reporter: Yan
> Attachments: Design Proposal for Hive Metastore Plugin of
> Ranger.docx, Design Proposal for Hive Metastore Plugin of Ranger.docx
>
>
> Currently there is no Ranger processing of Hive table meta store events that
> could result in privilege modifications. One example is that when a table is
> renamed by a Hive Server 2 client (the "beeline"), no proper privilege
> adjustments in Ranger are made to allow/deny previously allowed/denied users
> the same privileges as before. In addition, more advanced features, such as
> granting/denying similar accesses to Hive's HDFS data to users that have (or
> do not have) privileges in the Hive, would require that detailed metadata of
> the Hive table, the storage info to be specific, be available to Ranger in
> order to make the corresponding HDFS data accessible to the Hive users
> directly.
> This plugin will depend upon the existing Ranger Hive plugin, so it shares
> the same "service" name as the associated Ranger Hive service deployed, and
> it will be "co-enabled" with the existing Ranger Hive plugin.
> Design doc will come soon.