Posted to issues@hive.apache.org by "Sai Hemanth Gantasala (Jira)" <ji...@apache.org> on 2020/08/11 20:41:00 UTC

[jira] [Commented] (HIVE-24026) HMS/Ranger Spark view authorization plan

    [ https://issues.apache.org/jira/browse/HIVE-24026?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17175828#comment-17175828 ] 

Sai Hemanth Gantasala commented on HIVE-24026:
----------------------------------------------

+Using a Deferred View+: use a special tag, e.g. authorized=false, in table properties to indicate the view is created outside of HS2/Ranger authorization, meaning we didn't look inside the view when it was created, and because of that, we cannot really tell if it's legit to allow selection from the same view on HS2. 

So, the original view statement is just stored and your authorized flag is set to false. Now, each time we try to SELECT (from HS2), we have to check:
 # Is there a Ranger policy giving me access to the view? If yes, proceed as if the view was authorized. This is assuming that only a superuser could have granted me SELECT privileges for the view.
 # If there is a Ranger policy revoking access to the view, throw an error.
 # If there is no Ranger policy, resolve the view and check if we have access to each underlying table (just like executing the original SQL statement) -> deferred AuthZ check.

> HMS/Ranger Spark view authorization plan
> ----------------------------------------
>
>                 Key: HIVE-24026
>                 URL: https://issues.apache.org/jira/browse/HIVE-24026
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2, Security
>            Reporter: Sai Hemanth Gantasala
>            Assignee: Sai Hemanth Gantasala
>            Priority: Major
>
> Currently, Ranger disallows Spark from creating virtual views via HMS because Spark clients are normal users. We should have a capability where a Spark client can create views in HS2.
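
The three-step SELECT check described in the comment above, sketched as an added example that is not part of the original message or of Hive/Ranger code. The catalog, the policy map, the user names and the default deny for objects with no policy are assumptions made for illustration, and the sketch goes one step further than the comment by recursing through views built on other deferred views.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"

@dataclass
class Obj:
    name: str
    sources: tuple = ()                      # underlying objects; empty for a base table
    props: dict = field(default_factory=dict)

    @property
    def deferred(self):
        # A view stored with authorized=false was created outside HS2/Ranger.
        return bool(self.sources) and self.props.get("authorized") == "false"

def check_select(user, name, catalog, policies, seen=()):
    """Return (allowed, reason) for SELECT on `name` by `user`."""
    if name in seen:
        return False, f"{name}: cyclic view definition"
    obj = catalog.get(name)
    if obj is None:
        return False, f"{name}: unknown object"
    effect = policies.get((user, name))
    if effect == ALLOW:                      # step 1: explicit grant on the object
        return True, f"{name}: allowed by policy"
    if effect == DENY:                       # step 2: explicit revoke on the object
        return False, f"{name}: revoked by policy"
    if not obj.deferred:                     # assumption: no policy means deny
        return False, f"{name}: no policy"
    for src in obj.sources:                  # step 3: deferred check on every source
        ok, why = check_select(user, src, catalog, policies, seen + (name,))
        if not ok:
            return False, f"{name} -> {why}"
    return True, f"{name}: deferred check passed"

# Constructed sample data: two tables, a Spark-created view, and a view on that view.
CATALOG = {o.name: o for o in [
    Obj("sales.orders"), Obj("sales.customers"),
    Obj("spark_v", ("sales.orders", "sales.customers"), {"authorized": "false"}),
    Obj("spark_v2", ("spark_v",), {"authorized": "false"}),
]}
POLICIES = {
    ("alice", "sales.orders"): ALLOW, ("alice", "sales.customers"): ALLOW,
    ("bob", "sales.orders"): ALLOW,          # bob lacks sales.customers
    ("carol", "spark_v"): ALLOW,             # granted on the view only
    ("dave", "spark_v"): DENY,               # revoked despite table access
    ("dave", "sales.orders"): ALLOW, ("dave", "sales.customers"): ALLOW,
}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, check_select(user, "spark_v", CATALOG, POLICIES))
```
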


