Secondary schemas honoring hive authorization


Anil Thyagarajan

Jul 3, 2019, 4:36:20 AM
to Waggle Dance User
Hi,

I wanted to check if waggle-dance has the capability to filter tables from schemas based on the Hive roles provided?

Example:

Schemas/Databases = S1, S2
Roles = R1, R2
Tables = S1.T1, S1.T2, S2.T3, S2.T4

R1 role has select on Tables S1.T1, S2.T4

So, when we configure in federated-meta-stores: (Role added as example)

- access-control-type: READ_ONLY
  database-prefix: waggle_prod_
  latency: 0
  mapped-databases:
  - S1
  name: waggle_prod
  Role: R1
  remote-meta-store-uris: thrift://somehost:9083

From the above config, the expectation is as below:

hive> show databases;
waggle_prod_S1

hive > use waggle_prod_S1;
hive > show tables
T1

Table T2 should be filtered.

Thanks,
Anil

Adrian Woodhead

Jul 4, 2019, 1:17:09 PM
to Anil Thyagarajan, Waggle Dance User

Hey Anil,


Waggle Dance proxies the Hive Metastore at the Thrift service level which doesn't directly expose the users or their roles. The Hive Metastore service itself uses some magic to extract the "user group information" from the Thrift requests. This may or may not be usable in order to extract the roles, I'm afraid I don't know. If we wanted to do this in Waggle Dance we'd probably need to add something similar and/or consider how enabling Kerberos would help. I'm afraid at the moment this isn't on our roadmap but if you or someone else wanted to take a look we'd happily consider incoming pull requests and help where we can.


Thanks,


Adrian
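
Added example, not part of either post and not Waggle Dance code: a small model of the filtering asked about above, using the S1/S2, T1..T4 and R1 values from the question. The per-metastore `role` setting and every function name are hypothetical; because the role is fixed in configuration, it applies to every caller of the proxy and is not per-user authorization, which would need the caller identity discussed in the reply.

```python
# Models the requested behaviour only. Waggle Dance has no such setting;
# "role" mirrors the hypothetical "Role: R1" line in the question.
from dataclasses import dataclass


@dataclass(frozen=True)
class FederatedMetastore:
    name: str
    database_prefix: str
    mapped_databases: frozenset
    role: str  # hypothetical setting


# Constructed sample data, taken from the example in the question.
REMOTE_TABLES = {"S1": ["T1", "T2"], "S2": ["T3", "T4"]}
SELECT_GRANTS = {"R1": {("S1", "T1"), ("S2", "T4")}}


def show_databases(ms):
    """Only mapped databases are exposed, each with the configured prefix."""
    return sorted(ms.database_prefix + db
                  for db in REMOTE_TABLES if db in ms.mapped_databases)


def resolve(ms, prefixed_db):
    """Map a prefixed name back to the remote database, or None if not exposed."""
    if not prefixed_db.startswith(ms.database_prefix):
        return None
    db = prefixed_db[len(ms.database_prefix):]
    return db if db in ms.mapped_databases and db in REMOTE_TABLES else None


def show_tables(ms, prefixed_db):
    """Return only tables the configured role has SELECT on (default deny)."""
    db = resolve(ms, prefixed_db)
    if db is None:
        return []
    granted = SELECT_GRANTS.get(ms.role, set())  # unknown role: nothing visible
    return [t for t in REMOTE_TABLES[db] if (db, t) in granted]


WAGGLE_PROD = FederatedMetastore(
    name="waggle_prod", database_prefix="waggle_prod_",
    mapped_databases=frozenset({"S1"}), role="R1")

if __name__ == "__main__":
    print(show_databases(WAGGLE_PROD))
    print(show_tables(WAGGLE_PROD, "waggle_prod_S1"))
```

S2.T4 stays hidden even though R1 has select on it, because S2 is not in mapped-databases: the mapping and the grant must both allow a table before it is listed.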

