Data Access

Authorization Using Apache Ranger Policies

Apache Ranger provides centralized policy management for authorization and auditing of all HDP components, including Hive. All HDP components are installed with a Ranger plugin used to intercept authorization requests for that component, as shown in the following illustration.

Note

Administrators who are responsible for managing access to multiple components are strongly encouraged to use the Ranger Policy Manager to configure authorization for Hive rather than using storage-based or SQL standard-based authorization.

Exceptions: There are two primary use cases where administrators might choose to integrate Ranger with SQL standard-based authorization provided by Hive:

  • An administrator is responsible for Hive authorization but not authorization for other HDP components

  • An administrator wants row-level authorization for one or more table views

In the first use case, an administrator could choose any of the authorization models provided by Hive. The second use case is possible by integrating Ranger with SQL standard-based authorization provided by Hive. Hortonworks recommends that administrators who use both Ranger and SQL standard-based authorization use either whitelisted policies in the Policy Manager or GRANT and REVOKE statements in Hive, but not both. Authorization changes made with GRANT and REVOKE statements appear as updates to the corresponding whitelisted policy, so there is no need to configure authorization both ways. Ranger also provides an option to disable the use of GRANT and REVOKE statements.

There are two notable differences between Ranger authorization and SQL standard-based authorization:

  • Ranger does not have the concept of a role. Instead, Ranger translates roles into users and groups.

  • The ADMIN permission in Ranger is equivalent to WITH GRANT OPTION in SQL standard-based authorization. However, the ADMIN permission gives the grantee the ability to grant all permissions, not just the permissions possessed by the grantor. With SQL standard-based authorization, WITH GRANT OPTION applies only to permissions possessed by the grantor.
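The difference in delegation scope can be checked mechanically. The following sketch is an added example, not code from Ranger, Hive, or Hortonworks: it models both rules and reports users whose ADMIN flag lets them grant permissions they do not themselves hold. The permission names, the policy-item layout, and the sample users are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Ranger's or Hive's own code.
# Permission names and the policy-item layout are assumptions for this example.
ALL_PERMS = frozenset({"select", "update", "create", "drop", "alter", "index", "lock"})

def sql_std_grantable(grants):
    """SQL standard-based model: grants maps permission -> WITH GRANT OPTION flag.
    A grantor can pass on only permissions it holds with the grant option."""
    return {perm for perm, grant_option in grants.items() if grant_option}

def ranger_grantable(item):
    """Ranger model as described above: ADMIN lets the holder grant every
    permission on the policy's resource, whatever the holder possesses."""
    return set(ALL_PERMS) if item["admin"] else set()

def audit_admin_excess(policy_items):
    """Report, per user, permissions that ADMIN makes grantable but that the
    user does not hold under the same policy item."""
    findings = {}
    for item in policy_items:
        excess = ranger_grantable(item) - set(item["perms"])
        if not excess:
            continue
        for user in item["users"]:
            findings.setdefault(user, set()).update(excess)
    return {user: sorted(perms) for user, perms in findings.items()}

# Constructed sample policy items for one table resource.
SAMPLE_ITEMS = [
    {"users": ["etl_svc"], "perms": ["select", "update"], "admin": True},
    {"users": ["analyst"], "perms": ["select"], "admin": False},
    {"users": ["dba"], "perms": sorted(ALL_PERMS), "admin": True},
]

if __name__ == "__main__":
    # The same kind of holding expressed as SQL standard-based grants, for comparison.
    print(sorted(sql_std_grantable({"select": True, "update": False})))
    print(audit_admin_excess(SAMPLE_ITEMS))
```

A non-empty result marks accounts where ADMIN delegates more than the account holds, which is the case to review when moving from GRANT and REVOKE statements to Ranger policies.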

For more information about using Ranger to configure Hive authorization, see the Apache Ranger User Guide. For more information about SQL standard-based authorization, see the following sections.