Overview

Versions earlier than MRS 3.3.0, HetuEngine supports permission control for clusters in security mode. For clusters in non-security mode, permission control is not performed.

In security mode, HetuEngine provides two permission control modes. The Ranger mode is used by default.

MRS 3.3.0 and later, HetuEngine provides the following two permission control models when Kerberos authentication is enabled for the cluster (the cluster is in security mode). By default, the Ranger permission model is used. When Kerberos authentication is disabled for the cluster (the cluster is in normal mode), the Ranger permission model is provided but disabled by default.

• For details about the Ranger mode, see HetuEngine Ranger-based Permission Control.
• For details about the MetaStore mode, see HetuEngine MetaStore-based Permission Control.

The following table lists the differences between Ranger and MetaStore. Both Ranger and MetaStore support user, user group, and role authentication.

Permission Principles and Constraints

• Accessing data sources in the same cluster using HetuEngine

  If Ranger authentication is enabled for HetuEngine, the PBAC permission policy of Ranger is used for authentication.

  If Ranger authentication is disabled for HetuEngine, the RBAC permission policy of MetaStore is used for authentication.

• Accessing data sources in different clusters using HetuEngine

  The permission policy is controlled by the permissions of the HetuEngine client and the data source. (In Hive scenarios, it depends on HDFS.)

• When querying a view, you only need to grant the select permission on the target view. When querying a join table using a view, you need to grant the select permission on the view and table.

When the permission control type of HetuEngine is changed, the HetuEngine service, including the HetuEngine compute instance running on the HSConsole page, needs to be restarted.