Data Access

Configuring Storage-Based Authorization

Prerequisite

You must have admin role privileges.

Steps

  1. Set the following configuration properties in the hive-site.xml file to enable storage-based authorization:

    • hive.security.authorization.enabled

      Enables or disables Hive client authorization done as part of query compilation. This property must be set to false in the hive-site.xml file for storage-based authorization, as it is already enabled via checks on metastore API calls.

    • hive.server2.enable.doAs

      Allows Hive queries to be run by the user who submits the query rather than the Hive user. Must be set to true for storage-based access.

    • hive.metastore.pre.event.listeners

      Enables Metastore security. Specify the following value:

      org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener

    • hive.security.metastore.authorization.manager

      The class name of the Hive Metastore authorization manager. Specify the following value for storage-based authorization:

      org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider

      These properties appear in the following snippet of the hive-site.xml file:

      <property>
         <name>hive.security.authorization.enabled</name>
         <value>false</value>
      </property>
      
      <property>
         <name>hive.security.authorization.manager</name>
         <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
      </property>
      
      <property>
         <name>hive.server2.enable.doAs</name>
         <value>true</value>
      </property>
      
      <property>
         <name>hive.metastore.pre.event.listeners</name>
         <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
      </property>
      
      <property>
         <name>hive.security.metastore.authorization.manager</name>
         <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
      </property>

  2. Determine the required permissions of the tables and databases in your environment. See the "Permissions for Apache Hive Operations" section for further information.

  3. Use either of the following methods to create new tables and databases with appropriate storage-based permissions:

    • Create the table or database in the Hive CLI, then manually modify the POSIX permissions using the HDFS file system commands.

    • Use the HCatalog CLI.

    The HCatalog command line tool uses the same syntax as Hive, but creates the table or database with a corresponding directory owned by the user creating it. Assigning a group permission is also supported. However, there are known issues with the HCatalog CLI:

    • Some metadata operations do not check for authorization. See Apache JIRA HIVE-3009 for more information.

    • Hive performs authorization checks on the client, rather than the server. This allows malicious users to circumvent these checks.

    • DDL statements for managing permissions have no effect on storage-based authorization, but they do not return error messages. See Apache JIRA HIVE-3010 for more information.
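Because a single wrong or missing value in hive-site.xml silently leaves the metastore unprotected, the following script checks a hive-site.xml document against the four settings from step 1. It is an added example, not part of this documentation or of Hive itself; the sample XML is constructed and deliberately contains two mistakes (doAs disabled, and a listener property whose value was pasted inside a second <name> element instead of a <value> element).

```python
import xml.etree.ElementTree as ET

# Settings required for storage-based authorization, as listed in step 1.
REQUIRED = {
    "hive.security.authorization.enabled": "false",
    "hive.server2.enable.doAs": "true",
    "hive.metastore.pre.event.listeners":
        "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager":
        "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider",
}

def parse_hive_site(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document.
    A <property> with a <name> but no <value> element is recorded as None so
    the checker can flag it instead of treating it as set."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")          # first <name> only, as Hive does
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = value.strip() if value is not None else None
    return props

def check_storage_based_auth(xml_text):
    """Return a list of findings (strings); an empty list means compliant."""
    props = parse_hive_site(xml_text)
    findings = []
    for name, expected in REQUIRED.items():
        if name not in props:
            findings.append(f"{name}: missing (expected {expected})")
        elif props[name] is None:
            findings.append(f"{name}: <property> has no <value> element")
        elif name.endswith("listeners"):
            # Listener properties accept a comma-separated class list.
            if expected not in [v.strip() for v in props[name].split(",")]:
                findings.append(f"{name}: does not include {expected}")
        elif props[name] != expected:
            findings.append(f"{name}: is {props[name]!r}, expected {expected!r}")
    return findings

# Constructed sample: doAs disabled, listener value placed in a <name> tag.
SAMPLE = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property><name>hive.metastore.pre.event.listeners</name>
    <name>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</name></property>
  <property><name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value></property>
</configuration>"""

if __name__ == "__main__":
    for line in check_storage_based_auth(SAMPLE) or ["hive-site.xml is compliant"]:
        print(line)
```

Run it against a real file with `check_storage_based_auth(open("hive-site.xml").read())`; an empty result means all four properties are present with the values step 1 requires.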