Is it possible to enable column level security at Hive View level?

Master Mentor

HDP 2.3.2

Sandbox

hive> CREATE TABLE page_view(viewTime INT, userid BIGINT,
    > page_url STRING, referrer_url STRING,
    > ip STRING COMMENT 'IP Address of the User')
    > COMMENT 'This is the page view table'
    > PARTITIONED BY(dt STRING, country STRING)
    > STORED AS SEQUENCEFILE;
OK
Time taken: 14.39 seconds
hive> CREATE VIEW onion_referrers(url COMMENT 'URL of Referring page')
    > COMMENT 'Referrers to The Onion website'
    > AS
    > SELECT DISTINCT referrer_url
    > FROM page_view
    > WHERE page_url='http://www.theonion.com';
OK
Time taken: 3.484 seconds

Ranger policy

Restricting access on ip column - Table

Restricting access on url column - View


0: jdbc:hive2://localhost:10000> select * from page_view;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hive] does not have [SELECT] privilege on [default/page_view/country,dt,ip,page_url,referrer_url,userid,viewtime] (state=42000,code=40000)
0: jdbc:hive2://localhost:10000> select * from onion_referrers;
INFO : Session is already open
INFO :
INFO : Status: Running (Executing on YARN cluster with App id application_1454947053064_0004)
INFO : Map 1: -/-Reducer 2: 0/1
INFO : Map 1: -/-Reducer 2: 0(+1)/1
INFO : Map 1: -/-Reducer 2: 1/1
+----------------------+--+
| onion_referrers.url |
+----------------------+--+
+----------------------+--+
No rows selected (3.695 seconds)
0: jdbc:hive2://localhost:10000>

@bdurai @sneethiraj @bganesan

****Update****

I added the base table column to the exclude list and the view can access the column.

1 ACCEPTED SOLUTION

Master Mentor

There will be a new feature eventually to take care of this. "Being able to control access to view columns, without having to grant access to the underlying table column(s), might be a desired security feature."


4 REPLIES

Master Mentor


0: jdbc:hive2://localhost:10000> select * from onion_referrers;
INFO : Session is already open
INFO :
INFO : Status: Running (Executing on YARN cluster with App id application_1454947053064_0004)
INFO : Map 1: -/-Reducer 2: 0/1
INFO : Map 1: -/-Reducer 2: 0(+1)/1
INFO : Map 1: -/-Reducer 2: 1/1
+----------------------+--+
| onion_referrers.url |
+----------------------+--+
+----------------------+--+
No rows selected (4.381 seconds)
0: jdbc:hive2://localhost:10000>

Master Guru

Hi @Neeraj Sabharwal, your view is using referrer_url and page_url from the page_view table, which have no access permissions. Not sure if this is the reason you get no output from your view. Can you start by setting Hive columns to "*" and then trying to reduce permissions?

Master Mentor

@Predrag Minovic I checked with the security team and it's a known issue.
