Securing Apache Hive

External table access

As administrator, you must set file system permissions and enable one of the following for users who need access to external tables: storage-based authorization (SBA), a mix of Apache Ranger authorization and SBA, or Ranger alone.

By default, external tables reside in /warehouse/tablespace/external on HDFS. To place an external table elsewhere, include a LOCATION clause in the table creation statement, as in the following example:

-- The LOCATION clause overrides the default external warehouse directory.
CREATE EXTERNAL TABLE my_external_table (a string, b string)
LOCATION '/tmp';

Hive creates the external warehouse directory owned by the hive user with permission 777, sets a umask that restricts the permissions of subdirectories, and adds a default ACL that gives the hive user read and write access to every subdirectory created beneath it. External tables in HDP 3.0 support the following permissions and authorization models:

  • SBA
  • SBA and Ranger
  • Ranger

You can use the mixed mode, SBA and Ranger, for low-level analytical processing of external tables.

Using the SBA permissions model

You must add Access ACLs that allow groups or users to create databases and tables in the space governed by SBA. A user is authorized to query a table only if that user has file-level access to the underlying data. You configure impersonation in HiveServer (hive.server2.enable.doAs=true) so that operations run on HDFS as the end user rather than as the hive service user. LLAP cannot be used in this mode, because LLAP does not support impersonation.

Using the SBA and Ranger example

Assume that you are an administrator who creates a sales database and gives the sales group read-write permissions on the sales directory, including Default ACLs so that the sales group can read from and write to everything created under that database. Users in the sales group run with impersonation enabled (doAs=true) and are authorized under SBA to create external tables. Given the ACLs, both Hive and the sales users can access all files and partitions.

To restrict certain users from accessing all files and partitions, you can use Ranger. Hive enforces the Ranger policies, but Ranger cannot grant more than the file system allows: if you narrow a sales user's options through SBA, for example by setting that user's HDFS access to the table data to read-only, a Ranger policy cannot override that restriction. The access a user actually gets is the intersection of the HDFS permissions and the Ranger policy.
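The directory setup behind the sales example, and the ACL check that the SBA model above relies on, as an added shell script that is not part of this page or of the HDP distribution. It assumes the external table directory /warehouse/tablespace/external/sales, a Unix group named sales and the service user hive; the HDFS_CMD and SALES_DIR variables and the function names are this example's own. setup_sales_dir issues the hdfs commands (set HDFS_CMD=echo to print them instead of running them), and check_sales_acl reads a getfacl listing and fails unless the sales group and the hive user hold rwx as both access and default entries. Because getfacl appends "#effective:" to an entry that a restrictive mask narrows, a masked, effectively read-only entry also fails the check, which is the read-only situation described above that a Ranger policy cannot widen.

```shell
#!/bin/sh
# Added example: prepare the "sales" external table directory for the
# SBA + Ranger mixed mode. Not from the HDP documentation.
# Assumptions (this example's own): the directory below, group "sales",
# service user "hive". HDFS_CMD=echo turns the setup into a dry run.
HDFS_CMD="${HDFS_CMD:-hdfs}"
SALES_DIR="${SALES_DIR:-/warehouse/tablespace/external/sales}"

# Create the directory owned by hive:sales, then add an access ACL (for
# the directory itself) and a default ACL (inherited by every table and
# partition directory created beneath it) for the sales group and hive.
setup_sales_dir() {
    "$HDFS_CMD" dfs -mkdir -p "$SALES_DIR" &&
    "$HDFS_CMD" dfs -chown hive:sales "$SALES_DIR" &&
    "$HDFS_CMD" dfs -chmod 770 "$SALES_DIR" &&
    "$HDFS_CMD" dfs -setfacl -m \
        user:hive:rwx,group:sales:rwx,default:user:hive:rwx,default:group:sales:rwx \
        "$SALES_DIR"
}

# Read an `hdfs dfs -getfacl` listing from stdin and return 0 only if
# the sales group and hive have rwx as both access and default entries.
# getfacl prints "group:sales:rwx  #effective:r-x" when a mask narrows
# an entry, so a masked (effectively read-only) entry fails the exact
# line match, which is what we want: SBA grants only the effective
# permission, and a Ranger policy cannot widen it.
check_sales_acl() {
    listing=$(cat)
    for entry in user:hive:rwx group:sales:rwx \
                 default:user:hive:rwx default:group:sales:rwx; do
        printf '%s\n' "$listing" | grep -qx "$entry" || return 1
    done
    return 0
}

# Verify the live directory after setup.
verify_sales_dir() {
    "$HDFS_CMD" dfs -getfacl "$SALES_DIR" | check_sales_acl
}
```

Run setup_sales_dir once as an HDFS superuser, then verify_sales_dir after any later chmod or setfacl on the directory; a non-zero exit means a sales user will be refused by SBA regardless of what Ranger allows.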

Using the Ranger authorization model

If you now disable SBA and use only Ranger to give a specific user, who is not in the sales group, permission to create external tables in the sales-report database, that user can log in, use LLAP (Ranger-only mode runs HiveServer without impersonation, so LLAP is available), and create external tables there. With the Default ACLs in place, sales group users can also access those tables.