Posted to dev@ranger.apache.org by "Yan (JIRA)" <ji...@apache.org> on 2016/02/02 01:39:39 UTC

[jira] [Commented] (RANGER-768) Hive Metastore Plugin

    [ https://issues.apache.org/jira/browse/RANGER-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15127343#comment-15127343 ] 

Yan commented on RANGER-768:
----------------------------

There is one gap just discovered: due to the lack of the session info from the Hive MetaStore(Pre)Event interfaces, the info available from the HiveAuthzSessionContext and HiveAuthzContext used by Ranger in the call to the "checkPrivileges" of "RangerHiveAuthorizer", namely, "session string", "client type", and "ip address", will NOT be available to the Ranger Hive Meta Store plugin. Affected Ranger functionalities include logging, auditing, and the IP matching. We could use a generic string for all of the info, "Hive Meta String" for instance, to give some clue as to what has happened. But it's not full info as desired of course.

Please let me know whether this is acceptable or not. If not, we probably will need to ask Hive to enhance the two interfaces to pass over the session info. Existing Ranger handling of Hive grant/revoke seems to lack the same info as well; but the checkPrivilege call has the info.

Any advice/comments are welcome.

Thanks.

> Hive Metastore Plugin
> ---------------------
>
>                 Key: RANGER-768
>                 URL: https://issues.apache.org/jira/browse/RANGER-768
>             Project: Ranger
>          Issue Type: New Feature
>          Components: admin, plugins
>            Reporter: Yan
>         Attachments: Design Proposal for Hive Metastore Plugin of Ranger - V1.2.docx, Design Proposal for Hive Metastore Plugin of Ranger - V1.3.docx, Design Proposal for Hive Metastore Plugin of Ranger - V1.4.docx, Design Proposal for Hive Metastore Plugin of Ranger.docx, Design Proposal for Hive Metastore Plugin of Ranger.docx
>
>
> Currently there is no Ranger processing of Hive table meta store events that could result in privilege modifications. One example is that when a table is renamed by a Hive Server 2 client (the "beeline"), no proper privilege adjustments in Ranger are made to allow/deny previously allowed/denied users the same privileges as before. In addition, more advanced features, such as granting/denying similar accesses to Hive's HDFS data to users that have (or do not have) privileges in the Hive, would require that detailed metadata of the Hive table, the storage info to be specific, be available to Ranger in order to make the corresponding HDFS data accessible to the Hive users directly.
> This plugin will depend upon the existing Ranger Hive plugin, so it shares the same "service" name as the associated Ranger Hive service deployed, and it will be "co-enabled" with the existing Ranger Hive plugin.
> Design doc will come soon.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
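
The gap described in the comment above, as an added example that is not Ranger or Hive code and not part of the original message: a simplified Python model of an IP-restricted policy evaluated once with real session info and once with the proposed "Hive Meta String" placeholder. The `AccessContext` class, the audit field names, the sample client type and the fail-closed choice are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PLACEHOLDER = "Hive Meta String"  # generic value proposed in the comment


@dataclass
class AccessContext:
    """Hypothetical stand-in for the session info passed to checkPrivileges."""
    user: str
    session: Optional[str]
    client_type: Optional[str]
    ip_address: Optional[str]


def from_metastore_event(user: str) -> AccessContext:
    # A metastore (pre-)event carries no session info, so each field
    # can only be filled with the generic placeholder.
    return AccessContext(user, PLACEHOLDER, PLACEHOLDER, PLACEHOLDER)


def ip_condition(ctx: AccessContext, allowed_cidr: str) -> str:
    """Return 'match', 'no-match', or 'unknown' if the value is not an IP."""
    try:
        addr = ipaddress.ip_address(ctx.ip_address or "")
    except ValueError:
        return "unknown"
    return "match" if addr in ipaddress.ip_network(allowed_cidr) else "no-match"


def decide(ctx: AccessContext, allowed_cidr: str, policy_allows_user: bool = True):
    """Assumed fail-closed rule: an unknown address never satisfies the IP condition."""
    ip = ip_condition(ctx, allowed_cidr)
    allowed = policy_allows_user and ip == "match"
    audit = {  # hypothetical audit record layout
        "user": ctx.user,
        "session": ctx.session,
        "clientType": ctx.client_type,
        "clientIp": ctx.ip_address,
        "ipCondition": ip,
        "result": "ALLOWED" if allowed else "DENIED",
    }
    return allowed, audit


if __name__ == "__main__":
    # Constructed sample inputs.
    print(decide(AccessContext("alice", "sess-1", "HIVESERVER2", "10.1.2.3"), "10.0.0.0/8"))
    print(decide(from_metastore_event("alice"), "10.0.0.0/8"))
```

The second call shows both effects named in the comment: the IP condition cannot be evaluated, and the audit record carries the placeholder instead of a client address.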