Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

protecting database - Best practice

avatar
Expert Contributor

Seeking ideas of how to protect resources from one user with another. Below is what I have done so far:

a.) Folder protection - I am using Ranger, HDFS policies to protect folders.

b.) Need to know how to protect database - I looked at Ranger Hive plugin, but even after creating a policy to allow access to some database, that user is able to see other databases.

c.) Any other idea ?

1 ACCEPTED SOLUTION

avatar
Master Mentor
@Prakash Punj

a.) Folder protection - I am using Ranger, HDFS policies to protect folders.

You can use Ranger HDFS plugin to control Authorization piece.

b.) Need to know how to protect database - I looked at Ranger Hive plugin, but even after creating a policy to allow access to some database, that user is able to see other databases.

You have to DISABLE hive cli. Hive plugin works with beeline and other mechanism except Hive CLI

c.) Any other idea ?

View solution in original post

4 REPLIES 4

avatar

There is no explicit deny. You should set Hive Run as User to be False. For ranger all queries should run as Hive. Then set you database access policy in Ranger and it will work. See also

https://community.hortonworks.com/articles/234/securing-hdp-23-with-apache-ranger.html

avatar
Master Mentor

@Prakash Punj

I still think a more fine grained database level lockdown can be applied. A good database admin will create roles and then grant those roles to the db users this isolates him from managing individual privileges and is modular and easy to administer. Other database vendor create wallet and VPD's ,data obfuscation and encryption these are transparent to the end user and don't impact performance.

Explicit denial in hive is possible have a look at this document

avatar
Master Mentor
@Prakash Punj

a.) Folder protection - I am using Ranger, HDFS policies to protect folders.

You can use Ranger HDFS plugin to control Authorization piece.

b.) Need to know how to protect database - I looked at Ranger Hive plugin, but even after creating a policy to allow access to some database, that user is able to see other databases.

You have to DISABLE hive cli. Hive plugin works with beeline and other mechanism except Hive CLI

c.) Any other idea ?

avatar
Contributor