Bolke de Bruin created RANGER-861:
-------------------------------------
Summary: Ranger does not execute jobs under original user
Key: RANGER-861
URL: https://issues.apache.org/jira/browse/RANGER-861
Project: Ranger
Issue Type: Improvement
Affects Versions: 0.5.2, 0.6.0
Reporter: Bolke de Bruin
When using Ranger hive queries are executed under a superuser account instead
of the users' own account . This means that in the UIs one is unable to
distinguish who is running what job because they all reside under the same
user. This is a usability issue.
Also "What this means is that Hiveserver2 will run MR jobs in HDFS as the
original user" mentioned in
http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/
does not seem to be the case. The screenshots also support this as the files
are being owned by the hive user and permissions are only set for the hive user.
For HDFS access can be granted by Ranger. It (ranger) however expects the files
to be owned by the 'hive' user otherwise they won't be accessible by services
that integrate with ranger, although the proper permissions/acls are in place.
Moreover, logging for the different services now also doesn't include the user
ids anymore making it easier for someone to manipulate the logs. We consider
this a security issue.
We would like to see the option of:
1. Execution of (hive etc) jobs under the original user id
2. Making sure Ranger's hdfs policies are complementary to HDFS permissions (or
setting the right permissions on HDFS?), again making sure access is done under
the original account, not requiring file ownership by the hive user.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
