My Use Case
I was trying to test out Apache Ranger in order to give Presto column-level security over hive data. Presto itself doesn’t seem to support Ranger yet, though some github entries suggest it will soon. Ranger can integrate with hive though so that when presto queries hive, the security can work fine (apparently).
I started off by deploying a version of Hive I’ve worked with before; 2.3.5, the latest 2.x version (I avoided 3.x). After that, I deployed Presto .220, also the latest version.
This was all working great, so I moved on to Ranger. This is when I found out that the Ranger docs specifically say that it only works with Hive version 1.2.0:
Apache Ranger version 0.5.x is compatible with only the component versions mentioned below.
That came from this link: https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5.0+Installation.
I have a fairly stringent need for the security Ranger provides. So, I was willing to use a 1.x version of hive, depending on what the feature loss was. After all, quite a few big providers seem to use 1.x.
Unfortunately, the next thing I noticed was that Presto says: “The Hive connector supports Apache Hadoop 2.x and derivative distributions including Cloudera CDH 5 and Hortonworks Data Platform (HDP).”
That is coming from its latest documentation: https://prestodb.github.io/docs/current/connector/hive.html.
I’m not particularly excited to start digging through old versions of Presto as well.
I’m going to try to stick with Hive 2.x for now and a modern version of Presto. So, my options are:
- Research Ranger more and see if it can actually work with Hive 2.x. Various vendors seem to use Ranger and Hive/Presto together; so I’m curious to see how. Maybe the documentation on Ranger is just out of date (I know, being hopeful).
- Look at Ranger alternatives like Apache Sentry and see if they support Hive 2.x. Apparently Ranger is beating out Sentry in features, usage, and future support… so I’m not excited about using Sentry. But if it works, I can always migrate back to Ranger once its support grows for either Hive or Presto.
I starting digging in from JIRA and mailing lists and found that Ranger appears to have had work done on it as early as 2017 for supporting hive 2.3.2. Here’s a link. https://issues.apache.org/jira/browse/RANGER-1927.
So, I’m going to give installing ranger a shot on 2.3.5 and see if it works. If not, I’ll try with 2.3.2 and/or seek community help. Hopefully I’ll come back and update this afterward with some good news :).