Updated on 2024-11-29 GMT+08:00

Overview

When Kerberos authentication is enabled for the cluster (the cluster is in security mode), HetuEngine provides two permission control models, Ranger and MetaStore, and uses the Ranger permission model by default. When Kerberos authentication is disabled for the cluster (the cluster is in normal mode), the Ranger permission model is provided but disabled by default.

The following table lists the differences between Ranger and MetaStore. Both Ranger and MetaStore support user, user group, and role authentication.

Table 1 Differences between Ranger and MetaStore

| Permission Control Mode | Permission Model | Supported Data Source | Description |
|---|---|---|---|
| Ranger | PBAC | Hive, HBase, Elasticsearch, GaussDB, HetuEngine, ClickHouse, IoTDB, Hudi, MySQL | Row filtering, column masking, and fine-grained permission control are supported. |
| MetaStore | RBAC | Hive | - |

Permission Principles and Constraints

  • Accessing data sources in the same cluster using HetuEngine

    If Ranger authentication is enabled for HetuEngine, the PBAC permission policy of Ranger is used for authentication.

    If Ranger authentication is disabled for HetuEngine, the RBAC permission policy of MetaStore is used for authentication.

  • Accessing data sources in different clusters using HetuEngine

    The permission policy is controlled by the permissions of the HetuEngine client and the data source. (In Hive scenarios, it depends on HDFS.)

  • When querying a view, you only need to grant the select permission on the target view. When querying a join table using a view, you need to grant the select permission on both the view and the table.
  • Columns in GaussDB and HetuEngine data sources cannot be masked.

When the permission control type of HetuEngine is changed, the HetuEngine service, including the HetuEngine compute instance running on the HSConsole page, needs to be restarted.