Hive UDFs restrictions in Ranger

New Contributor

Hi,

Is it possible to restrict access to certain UDFs (custom or built-in) in Ranger?

I have set the enableDenyAndExceptionsInPolicies option to true. Then I created a new access policy to deny a particular user access to all UDFs (* as database, * as udf, user in deny condition, all permissions selected).

This worked OK and the user was denied when trying to run a select with a function.

But when I put a particular function to the UDF field, the user was able to run the function. I tried it with a built-in function (unix_timestamp) as well as with a custom created function, and the result was the same.

What can be wrong or what else do I have to set up?

Thanks.

1 ACCEPTED SOLUTION

@Jiri Novak

Seems like the requirement is to enable Ranger policies at function level rather than the generic UDF level; this feature is not available for now.

4 REPLIES 4

Jiri Novak, which release is this?

Can you please check if you are hitting this issue: RANGER-1631?

New Contributor

Ranger is 0.7.0, Hive is 1.2.1000.

The RANGER-1631 issue is probably not related, as my problem is with evaluating the function name, not the database name, and it occurs when running the function, not when creating it.

I tried one more test:

I created an allow policy for select permission for the user with database=* and one particular UDF, and disabled all other policies for the user.

When this policy was disabled, the user could not run any UDFs.

When this policy was enabled, the user could run all UDFs, not just the one given in the policy.

New Contributor

Ok, thank you.