You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "Alok Lal (JIRA)" <ji...@apache.org> on 2015/12/01 08:20:10 UTC

[jira] [Commented] (RANGER-738) Server-wide control over TRANSFORM clause in Hive

    [ https://issues.apache.org/jira/browse/RANGER-738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15033249#comment-15033249 ] 

Alok Lal commented on RANGER-738:
---------------------------------

Looks like hive could tell which tables columns are going to acted upon by TRANSFORM.  So we might be able to restrict this at Table level, i.e. we may not have to make it wide open for a user, i.e. all databases/all tables.  Is it?

> Server-wide control over TRANSFORM clause in Hive
> -------------------------------------------------
>
>                 Key: RANGER-738
>                 URL: https://issues.apache.org/jira/browse/RANGER-738
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins
>            Reporter: Scott C Gray
>              Labels: features, security
>
> The TRANSFORM statement in Hive is a big security hole with Hive run without impersonation, so when SQL Standard Authorization is enabled, the feature id completely disabled which is a bit of a sledgehammer approach to securing this statement.
> Sentry added support for restricting this statement at a per-user/group level, which should be adopted by Ranger.
> https://issues.apache.org/jira/browse/SENTRY-598



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)