Adding a Ranger Access Permission Policy for Hive¶
Scenario¶
The Ranger administrator can use Ranger to set permissions for Hive users. The default administrator account of Hive is hive and the initial password is Hive@123.
Prerequisites¶
The Ranger service has been installed and is running properly.
You have created users, user groups, or roles for which you want to configure permissions.
The users must be added to the hive group.
Procedure¶
Log in to the Ranger management page.
On the home page, click the component plug-in name in the HADOOP SQL area, for example, Hive.
On the Access tab page, click Add New Policy to add a Hive permission control policy.
Configure the parameters listed in the table below based on the service demands.
Table 1 Hive permission parameters¶ Parameter
Description
Policy Name
Policy name, which can be customized and must be unique in the service.
Policy Conditions
IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (
*), for example, 192.168.1.10, 192.168.1.20, or 192.168.1.*.Policy Label
A label specified for the current policy. You can search for reports and filter policies based on labels.
database
Name of the Hive database to which the policy applies.
The Include policy applies to the current input object, and the Exclude policy applies to objects other than the current input object.
table
Name of the Hive table to which the policy applies.
To add a UDF-based policy, switch to UDF and enter the UDF name.
The Include policy applies to the current input object, and the Exclude policy applies to objects other than the current input object.
Hive Column
Name of the column to which the policy applies. The value * indicates all columns.
The Include policy applies to the current input object, and the Exclude policy applies to objects other than the current input object.
Description
Policy description.
Audit Logging
Whether to audit the policy.
Allow Conditions
Policy allowed condition. You can configure permissions and exceptions allowed by the policy.
In the Select Role, Select Group, and Select User columns, select the role, user group, or user to which the permission is to be granted, click Add Conditions, add the IP address range to which the policy applies, and click Add Permissions to add the corresponding permission.
select: permission to query data
update: permission to update data
Create: permission to create data
Drop: permission to drop data
Alter: permission to alter data
Index: permission to index data
All: all permissions
Read: permission to read data
Write: permission to write data
Temporary UDF Admin: temporary UDF management permission
Select/Deselect All: Select or deselect all.
To add multiple permission control rules, click
.If users or user groups in the current condition need to manage this policy, select Delegate Admin. These users will become the agent administrators. The agent administrators can update and delete this policy and create sub-policies based on the original policy.
Deny Conditions
Policy rejection condition, which is used to configure the permissions and exceptions to be denied in the policy. The configuration method is similar to that of Allow Conditions.
Table 2 Setting permissions¶ Task
Role Authorization
role admin operation
On the home page, click Settings and choose Roles.
Click the role with Role Name set to admin. In the Users area, click Select User and select a username.
Click Add Users, select Is Role Admin in the row where the username is located, and click Save.
Note
Only user rangeradmin has the permission to access the Settings option on the Ranger page. After being bound to the Hive administrator role, perform the following operations during each maintenance operation:
Log in to the node where the Hive client is installed as the client installation user.
Run the following command to configure environment variables:
For example, if the Hive client installation directory is /opt/hiveclient, run source /opt/hiveclient/bigdata_env.
Run the following command to authenticate the user:
kinit Hive service user
Run the following command to log in to the client tool:
beeline
Run the following command to update the administrator permissions:
set role admin;
Creating a database table
Enter the policy name in Policy Name.
Enter or select the corresponding database on the right side of database and enter or select * on the right side of column. (To create a table, enter or select the corresponding table on the right side of table.)
In the Allow Conditions area, select a user from the Select User drop-down list.
Click Add Permissions and select Create.
Deleting a table
Enter the policy name in Policy Name.
Enter or select the corresponding database on the right side of database and enter and select * on the right side of column. (To delete a table, enter or select the corresponding table on the right side of table.)
In the Allow Conditions area, select a user from the Select User drop-down list.
Click Add Permissions and select Drop.
Query operation (select, desc, and show)
Enter the policy name in Policy Name.
Enter or select the corresponding database on the right side of database and enter or select * (* indicates all columns) on the right side of column. (To create a table, enter or select the corresponding table on the right side of table.)
In the Allow Conditions area, select a user from the Select User drop-down list.
Click Add Permissions and select select.
Alter operation
Enter the policy name in Policy Name.
Enter and select the corresponding database on the right side of database and enter or select * on the right side of column. (For tables, enter or select the corresponding table on the right side of table.)
In the Allow Conditions area, select a user from the Select User drop-down list.
Click Add Permissions and select Alter.
LOAD operation
Enter the policy name in Policy Name.
On the right side of database, enter or select the corresponding database. On the right side of table, enter or select the corresponding table. On the right side of column, enter a column and select *.
In the Allow Conditions area, select a user from the Select User drop-down list.
Click Add Permissions and select update.
INSERT and DELETE operations
Enter the policy name in Policy Name.
On the right side of database, enter or select the corresponding database. On the right side of table, enter or select the corresponding table. On the right side of column, enter a column and select *.
In the Allow Conditions area, select a user from the Select User drop-down list.
Click Add Permissions and select update.
Configure the submit permission on the Yarn task queue. For details about how to configure the permission, see Adding a Ranger Access Permission Policy for Yarn.
GRANT/REVOKE operation
Enter the policy name in Policy Name.
On the right side of database, enter or select the corresponding database. On the right side of table, enter or select the corresponding table. On the right side of column, enter a column and select *.
In the Allow Conditions area, select a user from the Select User drop-down list.
Select Delegate Admin.
ADD JAR operation
Enter the policy name in Policy Name.
Click database, and select global from the drop-down list. On the right of global, enter related information or select *.
In the Allow Conditions area, select a user from the Select User drop-down list.
Click Add Permissions and select Temporary UDF Admin.
UDF operation
Enter the policy name in Policy Name.
Enter or select the corresponding database on the right of database, and enter the corresponding udf function name on the right of udf.
In the Allow Conditions area, select a user from the Select User drop-down list.
Click Add Permissions and select required permissions for the user (udf supports the Create, select, and Drop permissions).
VIEW operation
Enter the policy name in Policy Name.
On the right side of database, enter or select the corresponding database. On the right side of table, enter or select the corresponding table to be viewed. On the right side of column, enter a column and select *.
In the Allow Conditions area, select a user from the Select User drop-down list.
Click Add Permissions and select permissions for the user as required.
dfs command operation
The dfs operation can be performed only after you have run the set role admin command.
Operations on other user database tables
Perform the preceding operations to add the corresponding permissions.
Grant the read, write, and execution permissions on the HDFS paths of other user database tables to the user. For details, see Adding a Ranger Access Permission Policy for HDFS.
Note
If you have specified an HDFS path when running commands, you need to be granted with the read, write, and execution permissions on the HDFS paths. For details, see Adding a Ranger Access Permission Policy for HDFS. You do not need to configure the Ranger policy of HDFS. You can use the Hive permission plug-in to add permissions to the role and assign the role to the corresponding user. If the HDFS Ranger policy can match the file or directory permission of the Hive database table, the HDFS Ranger policy is preferentially used.
The URL policy in the Ranger policy is involved in the scenario where the Hive table is stored on OBS. Set the URL to the complete path of the object on OBS. The Read and Write permissions are used together with the URL. URL policies are not involved in other scenarios.
The global policy in the Ranger policy is used only with the Temporary UDF Admin permission to control the upload of UDF packages.
The hiveservice policy in the Ranger policy is used only with the Service Admin permission to control the permission to run the kill query <queryId> command to end the task that is being executed.
The lock, index, refresh, and replAdmin permissions are not supported.
Run the show grant command to view the table permission. The grantor column of the table owner is displayed as user hive. If the Ranger page is used or the grant command is used to grant permissions in the background, the grantor column is displayed as the corresponding user. To view the result of using the Hive permission plug-in, set hive-ext.ranger.previous.privileges.enable to true and run the show grant command.
Click Add to view the basic information about the policy in the policy list. After the policy takes effect, check whether the related permissions are normal.
To disable a policy, click
to edit the policy and set the policy to Disabled.If a policy is no longer used, click
to delete it.
Hive Data Masking¶
Ranger supports data masking for Hive data. It can process the returned result of the select operation you performed to mask sensitive information.
Log in to the Ranger web UI. Click Hive in the HADOOP SQL area on the homepage.
On the Masking tab page, click Add New Policy to add a Hive permission control policy.
Configure the parameters listed in the table below based on the service demands.
Table 3 Hive data masking parameters¶ Parameter
Description
Policy Name
Policy name, which can be customized and must be unique in the service.
Policy Conditions
IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (
*), for example, 192.168.1.10, 192.168.1.20, or 192.168.1.*.Policy Label
A label specified for the current policy. You can search for reports and filter policies based on labels.
Hive Database
Name of the Hive database to which the current policy applies.
Hive Table
Name of the Hive table to which the current policy applies.
Hive Column
Column name.
Description
Policy description.
Audit Logging
Whether to audit the policy.
Mask Conditions
In the Select Role, Select Group, and Select User columns, select the object to which the permission is to be granted, click Add Conditions, add the IP address range to which the policy applies, then click Add Permissions, and select select.
Click Select Masking Option and select a data masking policy.
Redact: Use x to mask all letters and n to mask all digits.
Partial mask: show last 4: Only the last four characters are displayed, and the rest characters are displayed using x.
Partial mask: show first 4: Only the first four characters are displayed, and the rest characters are displayed using x.
Hash: Replace the original value with the hash value. The Hive built-in function mask_hash is used. This is valid only for fields of the string, character, and varchar types. NULL is returned for fields of other types.
Nullify: Replace the original value with the NULL value.
Unmasked (retain original value): Keep the original value.
Date: show only year: Only the year part of the date string is displayed, and the default month and date start from January and Monday (01/01).
Custom: You customize policies using any valid return data type which is the same as the data type in the masked column.
To add a multi-column masking policy, click
.Click Add to view the basic information about the policy in the policy list.
After you perform the select operation on a table configured with a data masking policy on the Hive client, the system processes and displays the data.
Note
To process data, you must have the permission to submit tasks to the Yarn queue.
Hive Row-Level Data Filtering¶
Ranger allows you to filter data at the row level when you perform the select operation on Hive data tables.
Log in to the Ranger web UI. Click Hive in the HADOOP SQL area on the homepage.
On the Row Level Filter tab page, click Add New Policy to add a row data filtering policy.
Configure the parameters listed in the table below based on the service demands.
Table 4 Parameters for filtering Hive row data¶ Parameter
Description
Policy Name
Policy name, which can be customized and must be unique in the service.
Policy Conditions
IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (
*), for example, 192.168.1.10, 192.168.1.20, or 192.168.1.*.Policy Label
A label specified for the current policy. You can search for reports and filter policies based on labels.
Hive Database
Name of the Hive database to which the current policy applies.
Hive Table
Name of the Hive table to which the current policy applies.
Description
Policy description.
Audit Logging
Whether to audit the policy.
Row Filter Conditions
In the Select Role, Select Group, and Select User columns, select the object to which the permission is to be granted, click Add Conditions, add the IP address range to which the policy applies, then click Add Permissions, and select Select.
Click Row Level Filter and enter data filtering rules.
For example, if you want to filter the data in the zhangsan row in the name column of table A, the filtering rule is name <>'zhangsan'. For more information, see the official Ranger document.
To add more rules, click
.Click Add to view the basic information about the policy in the policy list.
After you perform the select operation on a table configured with a data masking policy on the Hive client, the system processes and displays the data.
Note
To process data, you must have the permission to submit tasks to the Yarn queue.