Secure access mode introduction
Use Hive Warehouse Connector (HWC) secure access mode if you want fine-grained access control (FGAC) column masking and row filtering to secure managed (ACID); or external, Hive table data that you read from Spark. If you have large workloads, low-latency requirements, and require fine-grained access control, secure access mode is recommended over the Direct Reader mode.
As an administrator, you set up Ranger FGAC, consisting of column masking and row filtering, to secure the data. You select a staging location in your cloud storage service, such as S3 or ADLS. After you configure secure access mode, HWC creates external tables on your designated staging location when users launch Spark. HWC uses CREATE TABLE AS SELECT (CTAS) to create the tables. No code refactoring is necessary. Ranger policies are applied and FGAC is enforced during the CTAS operation. Users read external tables in the secure staging location.
Requirements
- As an administrator, you set up Ranger policies.
- As a user, you launch Spark and query Hive tables in secure access mode.
Considerations
- Intermediate data is generated every time the Spark job runs even if it is running on the same underlying data.
- Intermediate data is automatically cleared when the Spark session ends.
- Additional storage requirements depend on concurrent Spark jobs running.