About bganesan

bganesan · ‎04-04-2019

DFS commands are restricted in Hive when authorization is enabled, either through Ranger or SQL std authorization.

bganesan · ‎05-20-2016

You can use these tutorials. http://hortonworks.com/hadoop-tutorial/tag-based-policies-atlas-ranger/ http://hortonworks.com/hadoop-tutorial/cross-component-lineage-apache-atlas/ There is a startup script which runs to start all services and it takes a little bit of time after starting the VM. The services are up and running when you see the command prompt for that VM

bganesan · ‎05-19-2016

Have you followed the steps outlined by Neeraj to cleanup DB ?

bganesan · ‎05-17-2016

@Sunile Manjee I am not sure this has anything to do with Ranger. As mentioned in this post , if you are using Spark SQL client it will behave similar to Hive CLI today where HDFS permissions come into the play. There is Spark thriftserver work which is pending https://issues.apache.org/jira/browse/SPARK-8659

bganesan · ‎05-10-2016

To add in, as a best practice, we recommend customers using HDP 2.3.x or HDP 2.4.x to configure their audits to both Solr and HDFS. HDFS destination is for long term audit storage, while Solr could be used for short term audit query from the Ranger UI. It is recommended to use a ttl (time to live) setting in Solr to ensure documents are deleted automatically after a certain period.

bganesan · ‎05-09-2016

HP Voltage has done the integration of HDFS encryption with their own KMS. They offer it as part of HPE Secure Storage solution. HDFS encryption can be integrated with 3 party KMS using the keyprovider APIs, however there is some work involved in ensure the integration works, specifically in Kerberos mode. HP Voltage is the only vendor partner to have completed this work.

bganesan · ‎05-06-2016

@hduraiswamy Authorization and Masking are 2 separate events. You would need access to a column for the query to run. If customer would want to filter columns, best way would be to create views. This is no different than other databases. If the user has access to column, but the column data should be redacted, then masking would be an appropriate solution.

bganesan · ‎04-26-2016

You can try writing a script to export/import policies from one Ranger instance to another using REST APIs.

bganesan · ‎04-22-2016

Ravi and Sagar summed it up correctly. Please wait for the login screen to appear in CentOS screen, it takes a while for all services to be started using Ambari..

bganesan · ‎04-22-2016

@David Walker Ranger audits are based on a standard json format, you can write a script to publish them directly to the audit destination, either DB, Solr or HDFS. Please note that we are deprecating support for audit to DB from next release onwards..

bganesan · ‎04-21-2016

What is the error that you are seeing ?

bganesan · ‎04-20-2016

Is Ranger's audit source solr or db ? Check your config in Ambari

bganesan · ‎04-19-2016

For Hive and HBase, you can execute GRANT/REVOKE statements from a shell and it will automatically create policies in Ranger.

bganesan · ‎03-14-2016

@Smart Solutions I don't think this is a Ranger specific issue. Get users/groups into Ranger can be done by provisioning to a file and using Ranger to sync from that file. The bigger question is how would you realize groups at OS level or within Hadoop. If you are using SSSD, have you been able to make it work across multiple domains.

bganesan · ‎03-11-2016

@prakash What are you seeing in Ranger audit when other user tries to access this database?

bganesan · ‎03-11-2016

Ranger support for DB will most probably be phased out in the next release, it is being discussed in the community currently.

bganesan · ‎03-11-2016

Screenshots for Ranger policy and output of what you are getting back from "hdfs groups <username> " would be helpful

bganesan · ‎11-20-2015

@rgarcia Why not pipe the data from HDFS, assuming audit is being written to HDFS as well?

bganesan · ‎11-20-2015

@Brandon Wilson Very nice. @Neeraj Sabharwal We are moving away from storing audits in DB, we need to guide customers to get audit from HDFS

bganesan · ‎11-19-2015

The service list should popup as well. Can you create a bug?

bganesan · ‎11-13-2015

It is not a vulnerability. The Ranger policies do not move with the data. If the new folder has less restrictions, administrators would have to make sure appropriate policies are set. Data can be moved from production to development cluster or to archival/DR. The destination folder rules may not map always to source folder rules. Good part here is that Ranger policy can be set even before folders are created, so administrators should set Ranger policies before moving data.

bganesan · ‎11-04-2015

Sounds right. @rvenkatesh@hortonworks.com @bdurai@hortonworks.com can you confirm?

bganesan · ‎11-02-2015

Though views are not a scalable model, this would be the best recommended solution till the time we have support for inserting predicate or filtering row through UDF in Hive.

bganesan · ‎11-02-2015

We would recommend customers to use Ranger with Hive, rather than SQL std authorization. The solution recommend by JP would work

bganesan · ‎10-21-2015

Let us use official docs as much as possible.

bganesan · ‎10-21-2015

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_secure-kafka-ambari/content/ch_secure-kafka-overview.html

bganesan · ‎10-21-2015

@amcbarnett@hortonworks.com The concern is around who can get access to keys even if you are encrypting the mapreduce shuffle. Local disk encryption is for scenarios where some can take the disk out and read the data. Customers should adopt other methods (OS level access) to prevent users from getting access to nodes where the intermediate data might be stored

bganesan · ‎10-06-2015

CC @abajwa@hortonworks.com @sneethiraj@hortonworks.com @vperiasamy@hortonworks.com

bganesan · ‎10-06-2015

scripts.zip Check attached scripts and see if it helps..

bganesan · ‎10-01-2015

Have you checked this blog? http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/

Online	Offline
Last Visited	‎05-20-2016 06:49 PM

Date Registered	‎09-28-2015 10:22 PM
Last Visited	‎05-20-2016 06:49 PM
Total Messages Posted	34
Total Kudos Received	29

Re: dfs commands in Hive/beeline after enabling Ra...

Re: Ranger SparkSQL security gap?

Re: HDFS encryption and 3rd party KMS

Re: Ranger Knox plugin auto-complete behavior

Re: If Falcon is used to move a file from a folder...

Re: dfs commands in Hive/beeline after enabling Ra...

Re: Why Atlas-Ranger Technical VM does not have GU...

Re: Ambari 2.2.2 ranger installation failed @ step...

Re: Ranger SparkSQL security gap?

Re: Ranger Audit Options - Is DB Audit still suppo...

Re: HDFS encryption and 3rd party KMS

Re: Can un-authorized Hive column be masked or red...

Re: Ranger policy replication across clusters

Re: starting HDP sandbox with Atlas-Ranger integra...

Re: How do you include log files from non-Hortonwo...

Re: Hive didn't work after enabling Ranger. HiverS...

Re: Solr UI not accessing for ranger audit

Re: Does Ranger have a Shell?

Re: How to configure multiple domains with Apache ...

Re: Ranger Hive Policy Question

Re: save ranger audit to HDFS Vs Ranger audit to D...

Re: Ranger policy by group for Hive not working

Re: Do we have a Ranger 0.5 DB Schema defined some...

Re: Do we have a Ranger 0.5 DB Schema defined some...

Re: Ranger Knox plugin auto-complete behavior

Re: If Falcon is used to move a file from a folder...

Re: Transparent Data Encryption (TDE) and Local Di...

Re: What is the best way to implement row-based se...

Re: What is the best way to implement row-based se...

Re: What are the steps for installing a kerberized...

Re: What are the steps for installing a kerberized...

Re: Transparent Data Encryption (TDE) and Local Di...

Re: How to Remove all External Users from the Rang...

Re: How to Remove all External Users from the Rang...

Re: Ranger implementation - hive security access r...