Created 10-08-2015 07:09 PM
Created 10-08-2015 10:32 PM
Row-level security can be achieved by defining views with hard-coded permissions in Ranger.
An alternative available since Hive 1.2.0 is to filter dynamically based on the current user, with the current_user() function. This provides row-by-row security. One option to define the ACLs is via a permission table:
create table permission (username string, driverid string);
For example, to secure the driver(driverid, drivername) table, you could create the following permission:
insert into permission values ('jsmith', '25');
Finally, define the view by joining against it:
create view secure_driver as select d.* from driver d inner join permission p on d.driverid = p.driverid where p.username = current_user();
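Added example, not part of the original post: the permission-table view above exercised for several users, plus an audit of the permission rows that make it misbehave. SQLite stands in for Hive here (an assumption), with a registered function playing the role of Hive's current_user(); every row except the jsmith/25 grant is constructed sample data.

```python
import sqlite3
from collections import Counter

# Constructed sample data (not from the thread, apart from the jsmith/25 grant).
DRIVERS = [("25", "Driver A"), ("26", "Driver B"), ("27", "Driver C")]
GRANTS = [("jsmith", "25"), ("jsmith", "26"), ("adoe", "26"), ("adoe", "26"),
          ("JSmith", "27"), ("adoe", "99")]

def visible_rows(user, drivers=DRIVERS, grants=GRANTS):
    """Rows of secure_driver as seen when current_user() returns `user`."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA trusted_schema = ON")  # let the view call our function
    # SQLite has no current_user(); register a stand-in for Hive's built-in.
    db.create_function("current_user", 0, lambda: user)
    db.executescript("""
        create table driver (driverid text, drivername text);
        create table permission (username text, driverid text);
        create view secure_driver as
          select d.* from driver d
          inner join permission p on d.driverid = p.driverid
          where p.username = current_user();
    """)
    db.executemany("insert into driver values (?, ?)", drivers)
    db.executemany("insert into permission values (?, ?)", grants)
    rows = db.execute("select driverid, drivername from secure_driver "
                      "order by driverid").fetchall()
    db.close()
    return rows

def audit_grants(drivers=DRIVERS, grants=GRANTS):
    """Flag permission rows that make the view misbehave."""
    known = {driverid for driverid, _ in drivers}
    by_lower = {}
    for username, _ in grants:
        by_lower.setdefault(username.lower(), set()).add(username)
    return {
        # The same grant twice makes the inner join return the row twice.
        "duplicate": sorted(g for g, n in Counter(grants).items() if n > 1),
        # Grants for a driverid that does not exist never match anything.
        "dangling": sorted(g for g in grants if g[1] not in known),
        # The username comparison is exact, so 'JSmith' never matches 'jsmith'.
        "case_variants": sorted(sorted(v) for v in by_lower.values() if len(v) > 1),
    }

if __name__ == "__main__":
    for name in ("jsmith", "adoe", "nobody"):
        print(name, visible_rows(name))
    print(audit_grants())
```

A user with no permission rows gets an empty result, which is the fail-closed behaviour you want from this pattern; it only holds if users are granted access to the view and not to the underlying driver table.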
Created 10-08-2015 07:15 PM
I believe this would currently be through Hive views.
Created 10-08-2015 07:49 PM
Row-based security can be achieved through SQL Standard Based Hive Authorization. You can create a view with the filter from the original table and then GRANT permissions to a role or an individual user.
Created 11-02-2015 06:31 PM
We would recommend customers to use Ranger with Hive, rather than SQL std authorization. The solution recommended by JP would work.
Created 10-08-2015 07:57 PM
Just adding further to what Deepesh and Ali said - create Hive views that would filter out rows and then use Ranger to grant that user access to that view (and not the underlying table).
Created 11-02-2015 06:33 PM
Though views are not a scalable model, this would be the best recommended solution until we have support for inserting predicates or filtering rows through a UDF in Hive.
Created 10-10-2015 12:40 PM
Hive view, and if we look into other technology stacks, row-level security is based on views there too.
Created 03-05-2016 08:02 PM
I know... I'm the FIFTH person to say create a View and secure permissions on it, and the backing table, appropriately. 😉
That said, I've got a simple little demo posted at https://github.com/HortonworksUniversity/Essentials/blob/master/demos/ranger/README.md along with a video recording of it linked there in case anyone might find that useful.
Created 11-22-2016 07:10 PM
Ranger now supports row filtering, where you can specify a condition to filter the results by, even without creating a new Hive view.