Created 10-28-2016 05:59 PM
I am implementing column level security in Hive using Ranger. I followed the tutorial listed on the hortonworks website listed here: http://hortonworks.com/hadoop-tutorial/tag-based-policies-atlas-ranger/. I created a table employee with columns name, ssn and location.
I then spun up Tableau and connected it to the Hive database using the Tableau provided ODBC driver.
I gave the username raj_ops access to the employee table and was able to access it in Tableau as expected. Then I created a policy to restrict raj_ops access to the location field of the employee table. I then tried accessing the data through Tableau and received the following error message while connecting, “[Hortonworks][Hardy] (80) Syntax or semantic analysis error thrown in server while executing query. Error message from server: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [raj_ops] does not have [SELECT] privilege on [default/employee/location,name,ssn] “
My questions is there a way to pull the columns raj_ops still has access to – name and ssn? Or is it all or nothing in the -- the entire employee table or no columns at all?
Thank you!
Kate
Created 10-28-2016 06:09 PM
If you attempt to select any columns that you are not authorized, you will see that message. If you attempt to describe the table, you will also see that message. It is a security approach. In many environments, security doesn't want you to know columns exists that you aren't allow to see.
I certainly understand your confusion. I would expect a "select * ..." to only return the columns I'm allow to see and I would expect a "describe table" would only show the columns I'm allowed to see. That is currently not the case.
Created 10-28-2016 06:09 PM
If you attempt to select any columns that you are not authorized, you will see that message. If you attempt to describe the table, you will also see that message. It is a security approach. In many environments, security doesn't want you to know columns exists that you aren't allow to see.
I certainly understand your confusion. I would expect a "select * ..." to only return the columns I'm allow to see and I would expect a "describe table" would only show the columns I'm allowed to see. That is currently not the case.
Created 10-28-2016 06:41 PM
@Micheal Young
Thank you for your response. It is really helpful to help understand that the user has to know which column of table he/she has access to while querying. Do you know if its in the pipeline to automatically return the data the user has access to?
Additionally, how can this be managed in Tableau? If a user only has access to 2 out of 3 columns in a table, is there a way to pull just those 2 columns into Tableau? Or is it all or nothing?
Thanks!
Kate
Created 10-28-2016 07:21 PM
I don't know if it is in the pipeline. I looked at the Apache JIRAs and I didn't see any covering this functionality. I created one: https://issues.apache.org/jira/browse/RANGER-1195.
To manage this in Tableau, you need to use custom SQL (again requires you to know which columns you can see): https://onlinehelp.tableau.com/current/pro/desktop/en-us/customsql.html
Created 10-28-2016 08:05 PM
@Michael Young Thank you so much! This is very helpful!
Created 10-28-2016 08:21 PM
My pleasure. If you believe either of my answers are helpful, "accept" them. This helps the community find answered questions.