Hive source Ranger Based Authorization missing!

I’m using Dremio Software version (24.3.2), Community Edition. I need to implement some kind of Authorization (grant Privilege to User). Since CE doesn’t support RBAC (only Enterprise Edition), I need to implement it another way, at the Catalog level (Hive).
According to the doc

There should be an option for Authorization called “Ranger Based”, which uses Apache Ranger (which is open source).

The problem is that somehow my UI doesn’t have it. Is this only available in Enterprise Edition again? Or do I have to add it to the .conf file somewhere before deploying the Dremio service?

I’m so tired. 9/10 times I check the doc (with the right version), they mention something I need, but when I check my own Dremio service, that thing doesn’t exist at all. Where are they? If they’re only available in EE then just specify it in the doc pls (like Enterprise Edition only).

Additionally, is there a way to implement authorization on the Community Edition? As far as I understand, Dremio is just a Query Engine, right? I can implement it at the Catalog level (Hive), right? If Ranger Based Authorization is not available in CE, then how do I use User Impersonation instead? Is there any Doc/Guide out there?

@quangbilly79 Ranger based authorization is an EE feature. In CE, Storage based should be supported using hive.server2.enable.doAs

@balaji.ramaswamy
Thank you. I spent a few days trying to make Impersonate Authorization work with Hive, but no luck so far. No matter what I do, the login user can still query everything.

Could you clarify which user Dremio uses to query data (in Dremio web UI or JDBC) with my setup as below? Does Dremio use my login user in Dremio WebUI?

Below is what I did:

Setup Authorization to Storage based with User Impersonation

Advanced set hive.server2.enable.doAs to false

Modify the permission on the folder that contains the table data in HDFS so that it can only be read by “hive” user or something

As you can see, now if I query as “root” user in Spark, it throws a permission error

But somehow, in Dremio web UI or JDBC, I can still query it (logged in as admin user)!!!

Which user does Dremio use to query data, seriously? Why can Dremio query everything even though I have already limited folder read permission? I thought that it would use the login user to query data?

I’m using Yarn Engine