Cloudera Sentry is awesome and I have implemented this in Cloudera Manager 4.7.2 CDH 4.4.0. Thanks again to Shreepadma for all answers to my questions on the CDH users group. I can provide guidance on Sentry configs if needed.

Sent from my iPhone

> On Nov 22, 2013, at 4:25 PM, Shreepadma Venugopalan <shreepa...@cloudera.com>
> wrote:
>
> Apache Sentry is already available and made its first incubating release a
> couple of months back.
>
>
>> On Fri, Nov 22, 2013 at 3:06 PM, Echo Li <echo...@gmail.com> wrote:
>> Thanks all, that's all very helpful information.
>>
>> Shreepadma, when will the Apache Sentry come GA?
>>
>>
>>> On Fri, Nov 22, 2013 at 2:36 PM, Shreepadma Venugopalan
>>> <shreepa...@apache.org> wrote:
>>> Apache Sentry (incubating) provides fine-grained role-based authorization
>>> for Hive among other components of the Hadoop ecosystem. It currently
>>> supports fully secure, fine-grained, role-based authorization for Hive and
>>> can be used to prevent the scenario described earlier i.e., prevent a user
>>> from dropping a table the user shouldn't be allowed to drop.
>>>
>>> Shreepadma
>>>
>>>
>>>> On Fri, Nov 22, 2013 at 12:55 PM, <simon.2.thomp...@bt.com> wrote:
>>>> Thanks Alan - I'll fwd the spec in the Jira to some of our security and
>>>> integrity people for comment.
>>>>
>>>> Simon
>>>> ----
>>>> Dr. Simon Thompson
>>>>
>>>> ________________________________________
>>>> From: Alan Gates [ga...@hortonworks.com]
>>>> Sent: 22 November 2013 20:53
>>>> To: user@hive.apache.org
>>>> Subject: Re: How to prevent user drop table in Hive metadata?
>>>>
>>>> See https://issues.apache.org/jira/browse/HIVE-5837 for a JIRA addressing
>>>> this.
>>>>
>>>> Also, you can use the StorageBasedAuthorizationProvider in Hive, which
>>>> bases metadata security on file security. So if the user doesn't have
>>>> permissions to remove the directory that stores the table data, they won't
>>>> have permissions to drop the table. This isn't perfect, but it's a start.
>>>>
>>>> Alan.
>>>>
>>>> On Nov 22, 2013, at 11:49 AM, <simon.2.thomp...@bt.com>
>>>> <simon.2.thomp...@bt.com> wrote:
>>>>
>>>> > Has no one raised a Jira ticket ?
>>>> >
>>>> > ----
>>>> > Dr. Simon Thompson
>>>> >
>>>> > ________________________________________
>>>> > From: Biswajit Nayak [biswajit.na...@inmobi.com]
>>>> > Sent: 22 November 2013 19:45
>>>> > To: user@hive.apache.org
>>>> > Subject: Re: How to prevent user drop table in Hive metadata?
>>>> >
>>>> > Hi Echo,
>>>> >
>>>> > I don't think there is any to prevent this. I had the same concern in
>>>> > hbase, but found out that it is assumed that user using the system are
>>>> > very much aware of it. I am into hive from last 3 months, was looking
>>>> > for some kind of way here, but no luck till now..
>>>> >
>>>> > Thanks
>>>> > Biswa
>>>> >
>>>> > On 23 Nov 2013 01:06, "Echo Li"
>>>> > <echo...@gmail.com<mailto:echo...@gmail.com>> wrote:
>>>> > Good Friday!
>>>> >
>>>> > I was trying to apply certain level of security in our hive data
>>>> > warehouse, by modifying access mode of directories and files on hdfs to
>>>> > 755 I think it's good enough for a new user to remove data, however the
>>>> > user still can drop the table definition in hive cli, seems the "revoke"
>>>> > doesn't help much, is there any way to prevent this?
>>>> >
>>>> >
>>>> > Thanks,
>>>> > Echo
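
The StorageBasedAuthorizationProvider approach mentioned in the quoted thread, sketched as a metastore-side `hive-site.xml` fragment. This is an added example, not part of any message in the thread: the property names are the ones Hive documents for metastore storage-based authorization and do not appear in the thread itself.

```xml
<!-- hive-site.xml on the metastore server (added example, not from the thread) -->
<configuration>
  <!-- Invoke an authorization check before each metastore DDL event,
       including DROP TABLE. -->
  <property>
    <name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
  </property>

  <!-- Decide each request from the HDFS permissions on the directory that
       backs the database or table, rather than from Hive GRANT/REVOKE. -->
  <property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
  </property>

  <!-- Resolve the calling user from the Hadoop identity seen by the metastore. -->
  <property>
    <name>hive.security.metastore.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  </property>
</configuration>
```

The check runs inside the metastore server, so it only constrains clients that reach the metastore through its service; a Hive CLI configured with direct access to the metastore database is not subject to it.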