Synchronizing MRS Hive and Hetu Permissions
If MRS Hetu is connected to MRS Hive and Ranger is used for permission control, access to Hive data from Hetu in the same cluster is authorized against the Ranger permissions of Hetu, not those of Hive.
To avoid repeated configuration of Hive data permissions on Hetu, you can configure a Hetu permission synchronization policy so that Hive permissions can be automatically synchronized to Hetu. This improves permission management consistency and usability.
The Hetu permission synchronization policies configured for a DataArts Studio instance are visible to and take effect for all the workspaces of the instance.
Prerequisites
- Ranger permission control has been enabled for MRS Hetu. For details, see HetuEngine Permission Management Overview.
- Before configuring a Hetu permission synchronization policy, you have created an MRS Hive connection and an MRS Hetu connection in Management Center. For details, see Creating a DataArts Studio Data Connection.
Constraints
- Only the DAYU Administrator, Tenant Administrator, or data security administrator can create, modify, or delete Hetu permission synchronization policies. Other common users do not have permission to perform these operations.
- Hive permissions can be synchronized only to Hetu in the same MRS cluster.
- When configuring a Hetu permission synchronization policy, you need to configure mappings between Hive and Hetu catalogs. If a Hive source is connected to multiple Hetu catalogs, you need to configure multiple synchronization policies.
- After a Hetu permission synchronization policy is created, existing Hive permissions will not be automatically synchronized to Hetu. Instead, the permissions will be synchronized to Hetu only after a permission synchronization is triggered. This prolongs the permission synchronization duration.
- Hive permission synchronization is not affected if permissions fail to be synchronized to Hetu.
- After a Hetu permission synchronization policy is deleted, the permissions that have been synchronized to Hetu will not be revoked.
- The names of Ranger policies for synchronizing permissions to Hetu are in the following format: Catalog name_Schema name+Table name+Column name. If a policy with the same resource and name already exists on Hetu Ranger, permissions will fail to be synchronized to Hetu. In this case, you must manually clear that existing policy on Hetu Ranger.
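
The name-collision constraint above can be checked before a synchronization is triggered, and the same naming pattern helps list policies left behind after a synchronization policy is deleted. The following Python sketch is an added example, not part of the original documentation or of DataArts Studio. It assumes that the `_` and `+` in the documented name format are literal separators and that the Hetu Ranger service uses `catalog`, `schema`, `table` and `column` resource keys; all function names and sample policies are constructed for illustration.

```python
# Added example: pre-sync name-collision check for Hetu Ranger policies.
# Assumptions: '_' and '+' in the documented name format are literal separators,
# and the Hetu Ranger service uses catalog/schema/table/column resource keys.
KEYS = ("catalog", "schema", "table", "column")

def synced_policy_name(catalog, schema, table, column):
    """Name the sync would use: Catalog name_Schema name+Table name+Column name."""
    return f"{catalog}_{schema}+{table}+{column}"

def resource_of(policy):
    """Normalise a Ranger policy's resources to a comparable tuple."""
    res = policy.get("resources", {})
    return tuple(tuple(sorted(res.get(k, {}).get("values", []))) for k in KEYS)

def find_conflicts(existing, planned):
    """Return (name, same_resource) for each planned grant whose name is taken."""
    by_name = {p["name"]: p for p in existing}
    hits = []
    for grant in planned:
        name = synced_policy_name(*grant)
        if name in by_name:
            want = tuple((v,) for v in grant)
            hits.append((name, resource_of(by_name[name]) == want))
    return hits

def leftover_synced(existing, catalog):
    """Heuristic: policies named like synced ones for a catalog, for manual review."""
    prefix = f"{catalog}_"
    return sorted(p["name"] for p in existing
                  if p["name"].startswith(prefix) and p["name"].count("+") == 2)

def _policy(name, **res):  # helper for the constructed sample below
    return {"name": name, "resources": {k: {"values": [v]} for k, v in res.items()}}

# Constructed sample standing in for a policy export from Hetu Ranger.
EXISTING = [
    _policy("hive_sales+orders+amount", catalog="hive", schema="sales", table="orders", column="amount"),
    _policy("hive_sales+orders+*", catalog="hive", schema="sales", table="orders", column="*"),
    _policy("hive_hr+staff+salary", catalog="hive", schema="hr", table="staff", column="name"),
    _policy("all - catalog", catalog="*"),
]
PLANNED = [("hive", "sales", "orders", "amount"), ("hive", "hr", "staff", "salary"),
           ("hive", "hr", "staff", "id")]

if __name__ == "__main__":
    print(find_conflicts(EXISTING, PLANNED))
    print(leftover_synced(EXISTING, "hive"))
```

A hit with `same_resource` set to `True` matches the failure condition described above; a hit with `False` is a name clash on a different resource that is still worth reviewing before synchronization.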
Creating a Hetu Permission Synchronization Policy
- On the DataArts Studio console, locate a workspace and click DataArts Security.
- In the left navigation pane, choose Hetu Permission Synchronization.
Figure 1 Hetu Permission Synchronization page
- Click Create and set the parameters listed in Table 1.
Figure 2 Setting parameters for a Hetu permission synchronization policy
The following table lists the parameters for a Hetu permission synchronization policy.

Table 1 Policy parameters

| Parameter | Description |
|---|---|
| *Policy Name | Name of the Hetu permission synchronization policy. It must be unique for each data table. You are advised to include the cluster name and catalog name in the policy name for easy management. |
| Policy Description | A description of the Hetu permission synchronization policy to be created. It can contain a maximum of 255 characters. |
| Permission Source | |
| *Data Source Type | Only MRS Hive is supported. |
| *Data Connection | If no data connection is available, create one by referring to Creating a DataArts Studio Data Connection. |
| Cluster Name | The data source cluster in the data connection is automatically selected. |
| Permission Target | |
| *Data Source Type | Only MRS Hetu is supported. |
| *Data Connection | If no data connection is available, create one by referring to Creating a DataArts Studio Data Connection. The cluster to which the selected Hetu connection belongs must be the same as that to which the Hive connection belongs. |
| Cluster Name | The data source cluster in the data connection is automatically selected. |
| *Catalog | Name of the Hetu data source, which is hive by default. Multiple Hetu catalogs can connect to the same Hive. You can also select another catalog of the cluster. |
- Click Submit.
- When Hive permission synchronization is triggered, permissions are synchronized to Ranger on Hetu. The policy is named in the following format: Catalog name_Schema name+Table name+Column name. Table 2 shows the policy mapping between Hive and Hetu.
Related Operations
- Editing a policy: On the Hetu Permission Synchronization page, locate a policy and click Edit in the Operation column to edit the policy.
- Deleting policies: On the Hetu Permission Synchronization page, locate a policy and click Delete in the Operation column to delete the policy. To delete multiple policies, select them and click Delete above the policy list.
The deletion operation cannot be undone. Exercise caution when performing this operation.
- Viewing policy details: On the Hetu Permission Synchronization page, locate a policy, and click Details in the Operation column to view details of the policy.
Figure 3 Viewing policy details