[jira] [Commented] (RANGER-1195) Ranger should allow for "select *" and "describe" on tables where user access is limited to a subset of columns.

["Don Bosco Durai (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/RANGER-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15634970#comment-15634970 ] 

Don Bosco Durai commented on RANGER-1195:
-----------------------------------------

[~Jaraxal], this is good input. I feel, we should filter out columns within the table for which the user has permission. We do that for "show tables". We need to check whether the Hive API provides us that hook.

Regarding "select *" expanding to individual columns for the which the user has permission might be tricky. Ranger doesn't parse the query itself, but uses the parsed query from Hive. So it might not have ability to change the query upfront.

 I feel, even if we can get describe working, then it will be great.


> Ranger should allow for "select *" and "describe" on tables where user access is limited to a subset of columns.
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-1195
>                 URL: https://issues.apache.org/jira/browse/RANGER-1195
>             Project: Ranger
>          Issue Type: Improvement
>          Components: plugins
>    Affects Versions: 0.5.1, 0.5.2, 0.6.0, 0.5.3, 0.6.1
>            Reporter: Michael Young
>             Fix For: 0.7.0
>
>
> If you create a Hive policy in Ranger which allows only a subset of columns in a table, users are unable to "select * from tablename" or "describe tablename".  The user must know in advance to which columns they are allowed access, but they can't use "describe" to see a list of columns they are allowed.
> When doing either select or describe in Hive, Ranger should dynamically filter the columns the user is not allowed to see.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)