Authorization with Ranger

Availability Note. This feature relates to Hortonworks installations.

Apache Ranger is the Hortonworks authorization provider. Arcadia Enterprise supports authorization using Apache Ranger, based on the model described in What Ranger Does and How Ranger Works. Arcadia Enterprise extends this model to work with analytical views (as well as tables), available on all Arcadia connections.

Our integration enables you to use existing Ranger authorization policies, which were created for Hive, to enforce security within Arcadia Engine.

For commands and queries that reference analytical views, Arcadia Engine verifies authorization on the base table or logical view on which the analytical view was defined. There is no additional overhead of explicitly granting or managing access to analytical views.

Developer Notes:

Note the following restrictions when running Hive and Arcadia Engine with Apache Ranger authorization:

  • CREATE [EXTERNAL] TABLE … LOCATION requires all privileges on all databases. Users with appropriate HDFS permissions can use Hive to CREATE these types of tables.
  • ALTER TABLE ... RENAME requires CREATE privilege on the destination database.
  • Files created in Arcadia Engine are owned by the Arcadia user. Arcadia Engine does not support HDFS-level user impersonation.
  • Arcadia Engine does not support GRANT or REVOKE privileges. Users can issue GRANT and REVOKE commands within Hive, or manage authorization using the Ranger UI.
  • Arcadia Engine does not support the SHOW ROLES, SHOW ROLE GRANT GROUP, and SHOW GRANT ROLE commands.
  • Arcadia Engine does not enforce Apache Ranger policies for row-level filtering and column masking.
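
Because existing Hive policies are reused but row-level filtering and column masking are not enforced, it helps to know which tables depend on those policy types before exposing them through Arcadia Engine. The following is an added example, not Arcadia or Ranger code: it scans a Ranger policy export and lists the enabled masking and row-filter policies per table. The JSON field names are assumed from Ranger's policy model, and the sample export is constructed.

```python
import json

# Constructed sample shaped like a Ranger policy export. Field names (policyType,
# isEnabled, resources, dataMaskPolicyItems, rowFilterPolicyItems) are assumptions.
SAMPLE_EXPORT = json.dumps({"policies": [
    {"name": "sales_read", "policyType": 0, "isEnabled": True,
     "resources": {"database": {"values": ["sales"]}, "table": {"values": ["orders"]},
                   "column": {"values": ["*"]}},
     "policyItems": [{"groups": ["analysts"]}]},
    {"name": "mask_card_number", "policyType": 1, "isEnabled": True,
     "resources": {"database": {"values": ["sales"]}, "table": {"values": ["orders"]},
                   "column": {"values": ["card_number"]}},
     "dataMaskPolicyItems": [{"groups": ["analysts"]}]},
    {"name": "emea_rows_only", "policyType": 2, "isEnabled": True,
     "resources": {"database": {"values": ["sales"]},
                   "table": {"values": ["orders", "refunds"]}},
     "rowFilterPolicyItems": [{"users": ["alice"]}]},
    {"name": "old_mask", "policyType": 1, "isEnabled": False,
     "resources": {"database": {"values": ["hr"]}, "table": {"values": ["staff"]},
                   "column": {"values": ["ssn"]}},
     "dataMaskPolicyItems": [{"groups": ["hr_ro"]}]},
]})

# policyType 1 = data masking, 2 = row-level filter (0 = ordinary access policy)
KINDS = {1: ("column-masking", "dataMaskPolicyItems"),
         2: ("row-filter", "rowFilterPolicyItems")}

def unenforced_policies(export_json):
    """List enabled masking and row-filter policies, one finding per table."""
    findings = []
    for policy in json.loads(export_json).get("policies", []):
        kind = KINDS.get(policy.get("policyType", 0))
        if kind is None or not policy.get("isEnabled", True):
            continue  # access policies and disabled policies are out of scope
        label, items_key = kind
        res = policy.get("resources", {})
        items = policy.get(items_key, [])
        principals = sorted({"user:" + u for i in items for u in i.get("users", [])} |
                            {"group:" + g for i in items for g in i.get("groups", [])})
        for db in res.get("database", {}).get("values", []):
            for table in res.get("table", {}).get("values", []):
                findings.append({"policy": policy["name"], "kind": label,
                                 "table": db + "." + table, "principals": principals,
                                 "columns": res.get("column", {}).get("values", [])})
    return findings

if __name__ == "__main__":
    for f in unenforced_policies(SAMPLE_EXPORT):
        print("{kind:15} {table:15} cols={columns} for={principals} ({policy})".format(**f))
```

Each finding names a table whose Hive-side protection relies on a policy type that Arcadia Engine does not apply, along with the users and groups the policy targets.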