This clarifies a lot. Thanks to both of you for your answers.

2015-02-17 19:41 GMT+01:00 Don Bosco Durai <[email protected]>:

> To add to Ramesh's answer.
>
> There is a switch/property to turn off falling back to Hadoop ACL. In
> which case, all the permissions for HDFS should be in Ranger.
>
> Regarding HiveCLI, you should consider it the same as Pig, which means you
> need to manage all the policy at the HDFS level. Because, for Pig and
> HiveCLI, you have to anyway give permission to the HDFS folder/files,
> which means the user can bypass any controls you might have put on the
> HiveCLI layer. In HiveServer2, it is like the client/server architecture,
> we recommend running HiveServer2 with "doAs=false" mode and at the HDFS
> level, just give permissions to the user "hive" for the database HDFS
> folders and control all user access to the database using Hive Ranger
> policies. If there are any power users or nightly load jobs, you can
> always give those users permissions directly to the HDFS.
>
> I hope this clarifies.
>
> Thanks
>
> Bosco
>
> On 2/17/15, 10:05 AM, "Ramesh Mani" <[email protected]> wrote:
>
> >Hi Julien,
> >
> >Please find the answers.
> >
> >Thanks,
> >Ramesh
> >
> >On Feb 17, 2015, at 4:27 AM, Julien Carme <[email protected]> wrote:
> >
> >> Hello,
> >>
> >> I have been playing with Apache Ranger for some time and there are
> >> some things that are still puzzling me:
> >>
> >> - With the HDFS plugin, it seems that rights are given when Ranger
> >> rights OR standard Hadoop rights are provided. For example, a directory
> >> with 755 rights will always be readable by everyone, whatever Ranger
> >> says. Therefore, to have Ranger actually controlling the rights of a
> >> directory, there is a need to chmod 700 this directory. Is that the
> >> expected behavior?
> >
> > Ramesh : Hadoop ACL will be in effect over Ranger ACL. So what you
> > are seeing is the right behavior.
> >>
> >> - Hive plugin works great for HiveServer access, however the direct use
> >> of the Hive command line client does not take Ranger rights into account.
> >> Is that a feature? Is it planned to change in the future?
> >
> > Ranger supports only HiveServer2.
> >
> > Hive CLI cannot be supported by Ranger because of its security
> > vulnerability. You can always bypass the security here in Hive CLI by
> > having a different conf file. This is documented.
> >>
> >> I might have missed a documentation that would explain all that.
> >>
> >> Regards,
> >>
> >> Julien
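
A check for the layout recommended in the thread above (HiveServer2 with doAs=false, database folders in HDFS open only to the user "hive"), as an added example that is not part of the original messages. It reads the text of an `hdfs dfs -ls -R` listing and reports entries that would still be reachable through plain Hadoop permissions regardless of Ranger policies; the warehouse paths, the sample listing and the function name are constructed for illustration.

```python
import re
from typing import List, NamedTuple

SERVICE_USER = "hive"  # the account named in the thread

# Constructed sample of `hdfs dfs -ls -R` output (paths are hypothetical).
SAMPLE_LISTING = """\
Found 3 items
drwx------   - hive hadoop          0 2015-02-17 10:05 /apps/hive/warehouse/sales.db
drwxr-xr-x   - hive hadoop          0 2015-02-17 10:05 /apps/hive/warehouse/hr.db
drwx------+  - hive hadoop          0 2015-02-17 10:05 /apps/hive/warehouse/etl.db
-rw-r-----   3 julien hadoop     1024 2015-02-17 10:06 /apps/hive/warehouse/hr.db/export 1.csv
"""

MODE_RE = re.compile(r"[d-][rwxsStT-]{9}[+.]?")


class Finding(NamedTuple):
    path: str
    reason: str


def audit_listing(listing: str, service_user: str = SERVICE_USER) -> List[Finding]:
    """Flag entries that Hadoop permissions expose outside Ranger's control."""
    findings = []
    for line in listing.splitlines():
        # mode, replication, owner, group, size, date, time, path (may hold spaces)
        fields = line.split(None, 7)
        if len(fields) != 8 or not MODE_RE.fullmatch(fields[0]):
            continue  # "Found N items" header, blank lines
        mode, owner, path = fields[0], fields[2], fields[7]
        perms = mode[:10]
        if owner != service_user:
            findings.append(Finding(path, f"owned by {owner}, not {service_user}"))
        for who, bits in (("group", perms[4:7]), ("other", perms[7:10])):
            if bits != "---":
                findings.append(Finding(path, f"{who} has {bits}"))
        if mode.endswith("+"):
            findings.append(Finding(path, "extended ACL set, review with getfacl"))
    return findings


if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f"{f.path}: {f.reason}")
```

Entries flagged for an extended ACL are not necessarily wrong: they are where direct HDFS grants for power users or load jobs would appear, so they need review rather than automatic removal.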
