Posted to dev@ranger.apache.org by "Prasanth Jayachandran (JIRA)" <ji...@apache.org> on 2018/03/28 20:04:00 UTC

[jira] [Commented] (RANGER-1851) Enhance Ranger Hive Plugin to support authorization for KILL QUERY command

    [ https://issues.apache.org/jira/browse/RANGER-1851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16418031#comment-16418031 ] 

Prasanth Jayachandran commented on RANGER-1851:
-----------------------------------------------

HIVE-19033 would also need this feature.

> Enhance Ranger Hive Plugin to support authorization for KILL QUERY command
> --------------------------------------------------------------------------
>
>                 Key: RANGER-1851
>                 URL: https://issues.apache.org/jira/browse/RANGER-1851
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 1.0.0, master
>            Reporter: Ramesh Mani
>            Assignee: Ramesh Mani
>            Priority: Critical
>
> With the HIVE-17483 JIRA, Hive has introduced a way to kill query <id>, and in Hive it's a privileged action for the Hive Admin Role. In order for the Ranger Hive Authorizer to support authorization, we need to enhance the Ranger Hive authorizer. The current Hive implementation is to kill a query in a HiveService, which can be LLAP / HIVESERVER2; later these HIVE SERVICEs can be grouped into NAME SPACEs and kill query can be run against them. When the HiveServer2/LLAP Ranger Plugin sends the request to Ranger for authorization, it will be sending the HIVE SERVICE in the context with the COMMAND that is executed.
> With all the details, the proposal is to have:
> 1) In Ranger Hive Service Definition, we will have a new Resource "Hive Service" to authorize.
> 2) In Ranger Hive Permission Model, we will have a new Permission "Service Admin" to group Kill Query operation.
>     - "Service Admin" permission will enable the Hive Ranger plugin to isolate various admin operations, in this case "Kill Query", and in future, if Hive introduces other operations which are done at the "HIVE SERVICE level", group them under this and authorize.
>     - "Service Admin" won't be able to do DATABASE / TABLE / COLUMN operations, as this will all be taken care of by the existing DATABASE/TABLE/COLUMN level permission model.
> [~madhan.neethiraj] [~vperiasamy][~thejas][~bosco][~sneethiraj]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
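
A minimal model of the permission isolation proposed in the issue above, as an added example that is not part of the original message or of Ranger's code. The identifiers `hive-service` and `service-admin`, the command map and the sample policies are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Hypothetical identifiers for this sketch; not Ranger's service-definition keys.
HIVE_SERVICE = "hive-service"
SERVICE_ADMIN = "service-admin"

# Resource kind and permission each command needs (constructed mapping).
REQUIRED = {
    "KILL QUERY": (HIVE_SERVICE, SERVICE_ADMIN),
    "SELECT": ("table", "select"),
    "DROP TABLE": ("table", "drop"),
}

@dataclass(frozen=True)
class Policy:
    kind: str               # resource kind the policy covers
    pattern: str            # resource name, "*" wildcards allowed
    users: frozenset
    permissions: frozenset

@dataclass(frozen=True)
class Request:
    user: str
    command: str
    kind: str               # resource kind the plugin put in the request context
    resource: str           # e.g. the Hive Service name for KILL QUERY

def is_allowed(policies, req):
    """Deny by default; allow only if a policy of the right kind grants the permission."""
    needed = REQUIRED.get(req.command)
    if needed is None or needed[0] != req.kind:
        return False        # unknown command, or command sent against the wrong resource kind
    kind, permission = needed
    return any(
        p.kind == kind
        and fnmatchcase(req.resource, p.pattern)
        and req.user in p.users
        and permission in p.permissions
        for p in policies
    )

# Constructed sample policies: one service-level, one table-level.
POLICIES = [
    Policy(HIVE_SERVICE, "llap-*", frozenset({"ops"}), frozenset({SERVICE_ADMIN})),
    Policy("table", "sales.*", frozenset({"analyst"}), frozenset({"select"})),
]
```

Because the command fixes the resource kind it is checked against, a "Service Admin" grant on a table-kind policy can never authorize KILL QUERY, and a service-level grant never reaches table operations.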