[ https://issues.apache.org/jira/browse/RANGER-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15127343#comment-15127343 ]

Yan commented on RANGER-768:
----------------------------

There is one gap just discovered: due to the lack of the session info from the 
Hive MetaStore(Pre)Event interfaces, the info available from the 
HiveAuthzSessionContext and HiveAuthzContext used by Ranger in the call to 
"checkPrivileges" of "RangerHiveAuthorizer", namely the "session string", "client 
type", and "ip address", will NOT be available to the Ranger Hive Meta Store 
plugin. Affected Ranger functionalities include logging, auditing, and the IP 
matching. We could use a generic string for all of the info, "Hive Meta String" 
for instance, to give some clue as to what has happened. But it's not the full 
info as desired, of course.

Please let me know whether this is acceptable or not. If not, we probably will 
need to ask Hive to enhance the two interfaces to pass over the session info. 
Existing Ranger handling of Hive grant/revoke seems to lack the same info as 
well, but the checkPrivilege call has the info.

Any advice/comments are welcome.

Thanks.

> Hive Metastore Plugin
> ---------------------
>
>                 Key: RANGER-768
>                 URL: https://issues.apache.org/jira/browse/RANGER-768
>             Project: Ranger
>          Issue Type: New Feature
>          Components: admin, plugins
>            Reporter: Yan
>         Attachments: Design Proposal for Hive Metastore Plugin of Ranger - 
> V1.2.docx, Design Proposal for Hive Metastore Plugin of Ranger - V1.3.docx, 
> Design Proposal for Hive Metastore Plugin of Ranger - V1.4.docx, Design 
> Proposal for Hive Metastore Plugin of Ranger.docx, Design Proposal for Hive 
> Metastore Plugin of Ranger.docx
>
>
> Currently there is no Ranger processing of Hive table meta store events that 
> could result in privilege modifications. One example is that when a table is 
> renamed by a Hive Server 2 client (the "beeline"), no proper privilege 
> adjustments in Ranger are made to allow/deny previously allowed/denied users 
> the same privileges as before. In addition, more advanced features, such as 
> granting/denying similar accesses to Hive's HDFS data to users that have (or 
> do not have) privileges in the Hive, would require that detailed metadata of 
> the Hive table, the storage info to be specific, be available to Ranger in 
> order to make the corresponding HDFS data accessible to the Hive users 
> directly.
> This plugin will depend upon the existing Ranger Hive plugin, so it shares 
> the same "service" name as the associated Ranger Hive service deployed, and 
> it will be "co-enabled" with the existing Ranger Hive plugin.
> Design doc will come soon.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
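The asymmetry described in the comment, shown as an added example that is not Ranger's plugin code nor an attachment to this issue: a metastore pre-event listener can read the table metadata of an ALTER_TABLE (including the rename case from the issue description), but the PreEventContext it receives carries none of the session fields that the checkPrivileges() path reads from HiveAuthzSessionContext and HiveAuthzContext. The listener fills those fields with the "Hive Meta String" placeholder proposed above and records that an IP-based condition cannot be evaluated for the event. It assumes the Hive 1.x metastore and authorization-plugin APIs (MetaStorePreEventListener, PreAlterTableEvent, HiveAuthzContext); the System.out call stands in for a real audit sink and is hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.metastore.MetaStorePreEventListener;
import org.apache.hadoop.hive.metastore.api.InvalidOperationException;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.metastore.events.PreAlterTableEvent;
import org.apache.hadoop.hive.metastore.events.PreEventContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;

/**
 * Illustrative metastore pre-event listener (example code, not Ranger's).
 * It shows which audit fields a metastore hook can populate from the event
 * and which ones only the checkPrivileges() path can supply.
 */
public class MetastoreAuditContextExample extends MetaStorePreEventListener {

    /** Placeholder proposed in the comment for fields the metastore event cannot supply. */
    static final String META_PLACEHOLDER = "Hive Meta String";

    public MetastoreAuditContextExample(Configuration config) {
        super(config);
    }

    @Override
    public void onEvent(PreEventContext context)
            throws MetaException, NoSuchObjectException, InvalidOperationException {
        if (context.getEventType() == PreEventContext.PreEventType.ALTER_TABLE) {
            PreAlterTableEvent e = (PreAlterTableEvent) context;
            Map<String, String> audit = buildAuditFields(e.getOldTable(), e.getNewTable());
            // Hypothetical sink: a real plugin would hand this record to Ranger's audit handler.
            System.out.println(audit);
        }
    }

    /**
     * Builds the audit fields for an ALTER_TABLE event. Resource details come from
     * the event itself; session string, client type and client IP are not carried
     * by PreEventContext, so they get the placeholder and the record notes that an
     * IP-based policy condition cannot be evaluated here.
     */
    static Map<String, String> buildAuditFields(Table oldTable, Table newTable) {
        Map<String, String> f = new LinkedHashMap<>();
        f.put("event", "ALTER_TABLE");
        f.put("oldResource", oldTable.getDbName() + "." + oldTable.getTableName());
        f.put("newResource", newTable.getDbName() + "." + newTable.getTableName());
        f.put("owner", newTable.getOwner());
        f.put("location", newTable.getSd() != null ? newTable.getSd().getLocation() : "");
        // Rename detection: the case the issue description uses as its example.
        boolean renamed = !oldTable.getTableName().equals(newTable.getTableName())
                || !oldTable.getDbName().equals(newTable.getDbName());
        f.put("renamed", String.valueOf(renamed));
        // Available to checkPrivileges() via HiveAuthzSessionContext/HiveAuthzContext, absent here.
        f.put("sessionString", META_PLACEHOLDER);
        f.put("clientType", META_PLACEHOLDER);
        f.put("clientIp", META_PLACEHOLDER);
        f.put("ipConditionEvaluable", "false");
        return f;
    }

    /** For contrast: the same three fields as the checkPrivileges() path can read them. */
    static Map<String, String> sessionFields(HiveAuthzSessionContext session, HiveAuthzContext ctx) {
        Map<String, String> f = new LinkedHashMap<>();
        f.put("sessionString", session.getSessionString());
        f.put("clientType", String.valueOf(session.getClientType()));
        f.put("clientIp", ctx.getIpAddress());
        f.put("ipConditionEvaluable", String.valueOf(ctx.getIpAddress() != null));
        return f;
    }
}
```

Marking the IP field as a placeholder rather than leaving it empty keeps the audit record distinguishable from a genuine client with an empty address, and the explicit "ipConditionEvaluable" flag lets a reviewer of the audit log see that IP matching was skipped for metastore-originated events rather than silently passed or failed.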
