Description
Ranger authorization for ADD, COMPILE and CREATE TEMPORARY UDF operations in Hive.
Currently, CREATE TEMPORARY UDF relies on a workaround: a policy with Database=* and UDF= specified, since a temporary UDF is not associated with any DB. Similarly, ADD JAR and COMPILE <Script> in Hive are not associated with any specific database, but they are significant because they can read and manipulate any warehouse data.
In this change, we group these UDF-related operations under a resource "Global" and maintain a policy with "Temp UDF admin" as the permission and "*" or "global" as the resource value; this policy authorizes ADD, COMPILE and CREATE TEMPORARY UDF.
This way, a "*" policy for DB and UDF is no longer needed to authorize temporary-UDF-related commands.
Permanent UDFs are authorized by the existing DB/UDF policy in the Ranger Hive authorizer.
When migrating to this version, any customer who uses the "*" policy workaround for temporary UDFs has to create this new policy for the authorization to happen after migration.
There will be a warning before anyone creates this policy, as it is to be given only to trusted users, similar to the UDF policy.
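The migration note above can be checked ahead of the upgrade by listing which principals still depend on the Database=* workaround and have no Global grant yet. The script below is an added example, not code from the Ranger project; the export shape, the "create" access on the workaround policy, and the keys "global" and "tempudfadmin" are assumptions, and the sample policies are constructed.

```python
# Added example: audit Ranger Hive policies before migration.
# Assumptions (not from the page): policy JSON shape, the "create" access used by
# the workaround, and the keys "global" / "tempudfadmin" for the new policy.
GLOBAL_RESOURCE = "global"
TEMP_UDF_ACCESS = "tempudfadmin"

def grant(access, users=(), groups=()):
    return {"accesses": [{"type": access, "isAllowed": True}],
            "users": list(users), "groups": list(groups)}

# Constructed sample policies; every name here is illustrative.
SAMPLE_POLICIES = [
    {"name": "temp-udf-workaround", "isEnabled": True,
     "resources": {"database": {"values": ["*"]}, "udf": {"values": ["*"]}},
     "policyItems": [grant("create", users=["etl_svc"], groups=["data_eng"])]},
    {"name": "sales-udfs", "isEnabled": True,
     "resources": {"database": {"values": ["sales"]}, "udf": {"values": ["*"]}},
     "policyItems": [grant("create", users=["analyst1"])]},
    {"name": "global-temp-udf", "isEnabled": True,
     "resources": {GLOBAL_RESOURCE: {"values": ["*"]}},
     "policyItems": [grant(TEMP_UDF_ACCESS, users=["etl_svc"])]},
]

def values(policy, resource):
    return policy.get("resources", {}).get(resource, {}).get("values", [])

def principals(policy, accepted):
    """Users and groups that an allow item grants any access type in `accepted`."""
    found = set()
    for item in policy.get("policyItems", []):
        types = {a["type"] for a in item.get("accesses", []) if a.get("isAllowed", True)}
        if types & accepted:
            found |= {("user", u) for u in item.get("users", [])}
            found |= {("group", g) for g in item.get("groups", [])}
    return found

def migration_gaps(policies):
    """Principals relying on the Database=* workaround with no Global grant yet."""
    relying, covered = {}, set()
    for p in policies:
        if not p.get("isEnabled", True):
            continue
        if "*" in values(p, "database") and values(p, "udf"):
            for who in principals(p, {"create", "all"}):
                relying.setdefault(who, []).append(p["name"])
        if set(values(p, GLOBAL_RESOURCE)) & {"*", "global"}:
            covered |= principals(p, {TEMP_UDF_ACCESS})
    return {who: names for who, names in relying.items() if who not in covered}

if __name__ == "__main__":
    for (kind, name), names in sorted(migration_gaps(SAMPLE_POLICIES).items()):
        print(f"{kind} {name} needs the Global policy (workaround: {', '.join(names)})")
```

Group membership is not resolved here, so a user covered only through a group grant is reported under that group's entry.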