Hive access control with the Privacera Platform#

The Privacera Platform, powered by Apache Ranger integration in Starburst Enterprise platform (SEP) offers access control for Hive catalogs. It uses the same configuration properties as Apache Ranger, with a few exceptions:

ranger.wild-card-resource-matching-for-row-filtering is not supported
ranger.wild-card-resource-matching-for-column-masking is not supported

Note

Hive access control with the Privacera Platform requires a valid Starburst Enterprise license.

Installation#

Before you begin, verify you fulfill the Ranger requirements.

Configuration#

With the Privacera Platform installed and configured, you are ready to configure SEP with Privacera Platform as the activated access control system for Hive catalogs. Set the path to your Privacera Platform access control configuration file in config.properties:

access-control.config-files=etc/access-control-privacera.properties

Subsequently, configure the following properties in the file:

access-control.name=privacera
privacera.catalogs=hive
ranger.policy-rest-url=http://ranger-admin:6080
ranger.service-name=hive-service
ranger.row-filtering.enabled=true
ranger.username=admin
ranger.password=welcome1
ranger.config-resources=/docker/starburst-product-tests/conf/ranger/ranger-audit.xml
ranger.policy-cache-dir=/tmp/ranger

You can use the supported configuration properties documented in the Ranger overview and the additional configuration properties for the Privacera Platform:

Privacera Platform configuration properties#
Property	Description	Default value
`privacera.catalogs`	Comma-separated names of catalogs to secure with Privacera Platform. As you create new catalogs, you must add them to the list of this configuration property in order to control access to them.
`privacera.fallback-access-control`	Fallback access control to control resources that are out of scope for Ranger policies. Defines what SEP should do when a user is trying to access other catalogs or resources not controlled by Ranger policies. If set to `deny-all`, it throws an access denied error. If set to `allow-all`, access is granted for anything. If set to `presto-default`, access is granted based on the SEP and catalogs security configuration itself, rather than managed by the Privacera Platform. The default configuration in SEP is to allow all access.	`deny-all`
`privacera.udf-access-control.enabled`	Privacera Platform integration controls access to UDF. If set to `false`, then fallback access control is used.	`true`
`privacera.query-access-control.enabled`	Determines if Privacera Platform controls access to query execution, allowing any user to execute a query or browse queries, but users require dedicated policy to be able to kill query. If it set to `false` then fallback access control is used.	`true`

Enabling access control for non-Hive catalogs#

To provide access control for non-Hive catalogs, setting privacera.fallback-access-control to allow-all lets you setup a separate access control mechanism.