[
https://issues.apache.org/jira/browse/RANGER-861?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bolke de Bruin updated RANGER-861:
----------------------------------
Description:
When using Ranger hive queries are executed under a superuser account instead
of the users' own account . This means that in the UIs one is unable to
distinguish who is running what job because they all reside under the same
user. This is a usability issue.
Also "What this means is that Hiveserver2 will run MR jobs in HDFS as the
original user" mentioned in
http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/
does not seem to be the case. The screenshots also support this as the files
are being owned by the hive user and permissions are only set for the hive user.
For HDFS access can be granted by Ranger. It (ranger) however expects the files
to be owned by the 'hive' user otherwise they won't be accessible by services
that do not integrate with ranger, although the proper permissions/acls are in
place.
Moreover, logging for the different services now also doesn't include the user
ids anymore making it easier for someone to manipulate the logs. We consider
this a security issue.
We would like to see the option of:
1. Execution of (hive etc) jobs under the original user id
2. Making sure Ranger's hdfs policies are complementary to HDFS permissions (or
setting the right permissions on HDFS?), again making sure access is done under
the original account, not requiring file ownership by the hive user.
was:
When using Ranger hive queries are executed under a superuser account instead
of the users' own account . This means that in the UIs one is unable to
distinguish who is running what job because they all reside under the same
user. This is a usability issue.
Also "What this means is that Hiveserver2 will run MR jobs in HDFS as the
original user" mentioned in
http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/
does not seem to be the case. The screenshots also support this as the files
are being owned by the hive user and permissions are only set for the hive user.
For HDFS access can be granted by Ranger. It (ranger) however expects the files
to be owned by the 'hive' user otherwise they won't be accessible by services
that integrate with ranger, although the proper permissions/acls are in place.
Moreover, logging for the different services now also doesn't include the user
ids anymore making it easier for someone to manipulate the logs. We consider
this a security issue.
We would like to see the option of:
1. Execution of (hive etc) jobs under the original user id
2. Making sure Ranger's hdfs policies are complementary to HDFS permissions (or
setting the right permissions on HDFS?), again making sure access is done under
the original account, not requiring file ownership by the hive user.
> Ranger does not execute jobs under original user
> ------------------------------------------------
>
> Key: RANGER-861
> URL: https://issues.apache.org/jira/browse/RANGER-861
> Project: Ranger
> Issue Type: Improvement
> Affects Versions: 0.5.2, 0.6.0
> Reporter: Bolke de Bruin
>
> When using Ranger hive queries are executed under a superuser account instead
> of the users' own account . This means that in the UIs one is unable to
> distinguish who is running what job because they all reside under the same
> user. This is a usability issue.
> Also "What this means is that Hiveserver2 will run MR jobs in HDFS as the
> original user" mentioned in
> http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/
> does not seem to be the case. The screenshots also support this as the files
> are being owned by the hive user and permissions are only set for the hive
> user.
> For HDFS access can be granted by Ranger. It (ranger) however expects the
> files to be owned by the 'hive' user otherwise they won't be accessible by
> services that do not integrate with ranger, although the proper
> permissions/acls are in place.
> Moreover, logging for the different services now also doesn't include the
> user ids anymore making it easier for someone to manipulate the logs. We
> consider this a security issue.
> We would like to see the option of:
> 1. Execution of (hive etc) jobs under the original user id
> 2. Making sure Ranger's hdfs policies are complementary to HDFS permissions
> (or setting the right permissions on HDFS?), again making sure access is done
> under the original account, not requiring file ownership by the hive user.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
