Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

protecting database - Best practice

Labels:
avatar
author-rank prakashpunj
Expert Contributor

Created ‎02-29-2016 09:21 PM

Seeking ideas of how to protect resources from one user with another. Below is what I have done so far:

a.) Folder protection - I am using Ranger, HDFS policies to protect folders.

b.) Need to know how to protect database - I looked at Ranger Hive plugin, but even after creating a policy to allow access to some database, that user is able to see other databases.

c.) Any other idea ?

1,666 Views
1 ACCEPTED SOLUTION

avatar
author-rank nsabharwal
Master Mentor

Created ‎03-01-2016 12:32 AM

@Prakash Punj

a.) Folder protection - I am using Ranger, HDFS policies to protect folders.

You can use Ranger HDFS plugin to control Authorization piece.

b.) Need to know how to protect database - I looked at Ranger Hive plugin, but even after creating a policy to allow access to some database, that user is able to see other databases.

You have to DISABLE hive cli. Hive plugin works with beeline and other mechanism except Hive CLI

c.) Any other idea ?

View solution in original post

1,439 Views
4 REPLIES 4

avatar
author-rank amcbarnett
Guru

Created ‎02-29-2016 09:41 PM

There is no explicit deny. You should set Hive Run as User to be False. For ranger all queries should run as Hive. Then set you database access policy in Ranger and it will work. See also

https://community.hortonworks.com/articles/234/securing-hdp-23-with-apache-ranger.html

1,439 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎02-29-2016 10:14 PM

@Prakash Punj

I still think a more fine grained database level lockdown can be applied. A good database admin will create roles and then grant those roles to the db users this isolates him from managing individual privileges and is modular and easy to administer. Other database vendor create wallet and VPD's ,data obfuscation and encryption these are transparent to the end user and don't impact performance.

Explicit denial in hive is possible have a look at this document

1,439 Views
0 Kudos

avatar
author-rank nsabharwal
Master Mentor

Created ‎03-01-2016 12:32 AM

@Prakash Punj

a.) Folder protection - I am using Ranger, HDFS policies to protect folders.

You can use Ranger HDFS plugin to control Authorization piece.

b.) Need to know how to protect database - I looked at Ranger Hive plugin, but even after creating a policy to allow access to some database, that user is able to see other databases.

You have to DISABLE hive cli. Hive plugin works with beeline and other mechanism except Hive CLI

c.) Any other idea ?

1,440 Views

avatar
author-rank andrew_sears
Contributor

Created ‎03-06-2016 05:17 PM

Explicit denial is mentioned in next version 0.6 of Ranger.

https://cwiki.apache.org/confluence/display/RANGER/Deny-conditions+and+excludes+in+Ranger+policies

1,439 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements