Hive access control with Privacera Ranger

Privacera Ranger integration in SEP offers access control for Hive catalogs. It uses the same configuration properties as Apache Ranger, with a few exceptions:

  • ranger.wild-card-resource-matching-for-row-filtering is not supported

  • ranger.wild-card-resource-matching-for-column-masking is not supported

Note

Hive access control with Privacera Ranger requires a valid Starburst Enterprise Presto license.

Before you begin

Before you configure Presto with Apache Ranger, verify the following prerequisites:

  • Privacera 3.6.0.63+ must be installed.

  • The Presto coordinator and workers have the appropriate network access to communicate with the Privacera service. Typically this is port 6080, or 6182 if SSL is used.

Configuration

With Privacera installed and configured, you are ready to configure Presto with Privacera as the activated access control system for Hive catalogs. Set the path to your Privacera access control configuration file in config.properties:

access-control.config-files=etc/access-control-privacera.properties

Subsequently, configure the following properties in the file:

access-control.name=privacera
privacera.catalogs=hive
ranger.policy-rest-url=http://ranger-admin:6080
ranger.service-name=hive-service
ranger.row-filtering.enabled=true
ranger.presto-plugin-username=admin
ranger.presto-plugin-password=welcome1
ranger.config-resources=/docker/starburst-product-tests/conf/ranger/ranger-audit.xml
ranger.policy-cache-dir=/tmp/ranger

You can use the supported configuration properties documented in the Ranger overview and the additional configuration properties for Privacera Ranger:

Privacera Ranger configuration properties

| Property | Description | Default value |
| --- | --- | --- |
| privacera.catalogs | Comma-separated names of catalogs to secure with Privacera Ranger. As you create new catalogs, you must add them to the list in this configuration property in order to control access to them. | |
| privacera.fallback-access-control | Fallback access control for resources that are out of scope for Ranger policies. Defines what Presto should do when a user tries to access other catalogs or resources not controlled by Ranger policies. If set to deny-all, it throws an access denied error. If set to allow-all, access is granted for anything. If set to presto-default, access is granted based on the Presto and catalog security configuration itself, rather than managed by Privacera. The default configuration in Presto is to allow all access. | deny-all |
| privacera.udf-access-control.enabled | Privacera integration controls access to UDFs. If set to false, then fallback access control is used. | true |
| privacera.query-access-control.enabled | Determines if Privacera controls access to query execution, allowing any user to execute a query or browse queries, but users require a dedicated policy to be able to kill a query. If it is set to false, then fallback access control is used. | true |

Enabling access control for non-Hive catalogs

To provide access control for non-Hive catalogs, set privacera.fallback-access-control to allow-all, which lets you set up a separate access control mechanism.
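A pre-deployment check for access-control-privacera.properties, added here as an example and not part of SEP or Privacera: it flags the two unsupported ranger.wild-card-* properties, an empty privacera.catalogs, an invalid or allow-all fallback, and UDF or query checks handed to the fallback. The function names parse_properties and lint and the sample file content are assumptions constructed for illustration.

```python
# Added example, not SEP or Privacera code; function names are hypothetical.
UNSUPPORTED = {
    "ranger.wild-card-resource-matching-for-row-filtering",
    "ranger.wild-card-resource-matching-for-column-masking",
}
FALLBACK_VALUES = {"deny-all", "allow-all", "presto-default"}
# Constructed sample file content (not from a real deployment).
SAMPLE = """\
access-control.name=privacera
privacera.catalogs=hive
privacera.fallback-access-control=allow-all
privacera.udf-access-control.enabled=false
ranger.wild-card-resource-matching-for-row-filtering=true
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint(text):
    """Return (level, message) findings for the file content."""
    props, findings = parse_properties(text), []
    if props.get("access-control.name") != "privacera":
        findings.append(("error", "access-control.name is not privacera"))
    for key in sorted(UNSUPPORTED & props.keys()):
        findings.append(("error", f"{key} is not supported"))
    if not [c for c in props.get("privacera.catalogs", "").split(",") if c.strip()]:
        findings.append(("error", "privacera.catalogs lists no catalogs"))
    # deny-all is the documented default when the property is absent.
    fallback = props.get("privacera.fallback-access-control", "deny-all")
    if fallback not in FALLBACK_VALUES:
        findings.append(("error", f"unknown fallback value {fallback!r}"))
    elif fallback == "allow-all":
        findings.append(("warn", "allow-all: resources outside privacera.catalogs "
                         "are open unless a separate mechanism controls them"))
    for key in ("privacera.udf-access-control.enabled",
                "privacera.query-access-control.enabled"):
        if props.get(key, "true").lower() == "false":
            findings.append(("warn", f"{key}=false defers to fallback ({fallback})"))
    return findings

if __name__ == "__main__":
    for level, message in lint(SAMPLE):
        print(f"{level}: {message}")
```

Run it against the file before restarting the coordinator; an empty result means none of the conditions above were found.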