
protecting database - Best practice


Seeking ideas on how to protect one user's resources from another user. Below is what I have done so far:

a.) Folder protection - I am using Ranger, HDFS policies to protect folders.

b.) Need to know how to protect database - I looked at Ranger Hive plugin, but even after creating a policy to allow access to some database, that user is able to see other databases.

c.) Any other ideas?

Accepted Solutions

@Prakash Punj

a.) Folder protection - I am using Ranger, HDFS policies to protect folders.

You can use the Ranger HDFS plugin to control the authorization piece.

b.) Need to know how to protect database - I looked at Ranger Hive plugin, but even after creating a policy to allow access to some database, that user is able to see other databases.

You have to DISABLE Hive CLI. The Hive plugin works with Beeline and other mechanisms, except Hive CLI.

c.) Any other ideas?


There is no explicit deny. You should set Hive Run as User to be False. For Ranger, all queries should run as Hive. Then set your database access policy in Ranger and it will work. See also:

https://community.hortonworks.com/articles/234/securing-hdp-23-with-apache-ranger.html
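
One way to check the HiveServer2 settings this reply relies on, as an added example that is not part of the original thread. It assumes "Hive Run as User" corresponds to `hive.server2.enable.doAs` in `hive-site.xml`; the sample file is constructed, and the check does not cover Hive CLI, which does not go through HiveServer2.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml (not taken from the thread).
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
</configuration>"""

# Values needed so that queries run as the hive service user and the
# configured authorizer (here, the Ranger Hive plugin) decides access.
# Assumption: "Hive Run as User" is hive.server2.enable.doAs.
EXPECTED = {
    "hive.server2.enable.doAs": "false",
    "hive.security.authorization.enabled": "true",
}
# Hive's built-in defaults, which apply when a property is absent.
DEFAULTS = {
    "hive.server2.enable.doAs": "true",
    "hive.security.authorization.enabled": "false",
}

def load_properties(xml_text):
    """Parse Hadoop-style <property><name/><value/></property> entries."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            # Later entries overwrite earlier ones with the same name.
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return a list of findings; an empty list means the settings match."""
    props = load_properties(xml_text)
    findings = []
    for key, want in EXPECTED.items():
        got = props.get(key)
        if got is None:
            findings.append(f"{key} not set (default {DEFAULTS[key]}, need {want})")
        elif got.lower() != want:
            findings.append(f"{key} is {got}, need {want}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HIVE_SITE):
        print("FINDING:", finding)
```
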


@Prakash Punj

I still think a more fine-grained database-level lockdown can be applied. A good database admin will create roles and then grant those roles to the DB users; this isolates him from managing individual privileges and is modular and easy to administer. Other database vendors create wallets and VPDs, data obfuscation and encryption; these are transparent to the end user and don't impact performance.

Explicit denial in Hive is possible; have a look at this document
