Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Hive UDFs restrictions in Ranger

Solved Go to solution
Highlighted

Hive UDFs restrictions in Ranger

New Contributor

Hi,

is it possible to restrict access to certain UDF (custom or built-in) in Ranger?

I have set the enableDenyAndExceptionsInPolicies option to true. Then I created new access policy to deny a particular user access to all UDFs (* as database, * as udf, user in deny condition, all permissions selected).

This worked ok and the user was denied when tried to run a select with a function.

But when I put a particular function to the UDF field, the user was able to run the function. I tried it with a built-in function (unix_timestamp) as well as with a custom created function, and the result was the same.

What can be wrong or what else do I have to set up?

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Hive UDFs restrictions in Ranger

@Jiri Novak

Seems like the requirement is to enable Ranger policies at function level rather than the generic UDF level, this feature is not available for now.

4 REPLIES 4

Re: Hive UDFs restrictions in Ranger

Jiri Novak which release is this ?

can you please check if you are hiting this issue RANGER-1631

Re: Hive UDFs restrictions in Ranger

New Contributor

Ranger is 0.7.0, Hive is 1.2.1000.

The RANGER-1631 issue is probably not related, as my problem is with evaluating the function name, not the database name, and it occurs when running the function, not when creating it.

I tried one more test:

I created an allow policy for select permission for the user with database=* and one particular UDF, and disabled all other policies for the user.

When this policy was disabled, the user could not run any UDFs.

When this policy was enabled, the user could run all UDFs, not just the one given in the policy.

Re: Hive UDFs restrictions in Ranger

@Jiri Novak

Seems like the requirement is to enable Ranger policies at function level rather than the generic UDF level, this feature is not available for now.

Re: Hive UDFs restrictions in Ranger

New Contributor

Ok, thank you.

Don't have an account?
Coming from Hortonworks? Activate your account here