...
To use Hive authorization, two parameters must be set in hive-site.xml. Note that hive.security.authorization.enabled is enforced by the Hive client, so a user who controls the client process or session can turn it off; if that is not acceptable, the metastore-side authorization described below must be configured as well:
    <property>
      <name>hive.security.authorization.enabled</name>
      <value>true</value>
      <description>enable or disable the hive client authorization</description>
    </property>
    <property>
      <name>hive.security.authorization.createtable.owner.grants</name>
      <value>ALL</value>
      <description>the privileges automatically granted to the owner whenever a table gets created.
        An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
    </property>
...
Creating/Dropping/Using Roles
Create/Drop Role
    CREATE ROLE role_name
    DROP ROLE role_name
Grant/Revoke Roles
    GRANT ROLE role_name [, role_name] ...
    TO principal_specification [, principal_specification] ...

    REVOKE ROLE role_name [, role_name] ...
    FROM principal_specification [, principal_specification] ...

    principal_specification
      : USER user
      | GROUP group
      | ROLE role
Viewing Granted Roles
    SHOW ROLE GRANT principal_specification
...
- ALL - Gives users all privileges
- ALTER - Allows users to modify the metadata of an object
- UPDATE - Allows users to modify the physical data of an object
- CREATE - Allows users to create objects. For a database, this means users can create tables, and for a table, this means users can create partitions
- DROP - Allows users to drop objects
- INDEX - Allows users to create indexes on an object (Note: this is not currently implemented)
- LOCK - Allows users to lock or unlock tables when concurrency is enabled
- SELECT - Allows users to access data for objects
- SHOW_DATABASE - Allows users to view available databases
Grant/Revoke Privileges
    GRANT
      priv_type [(column_list)]
        [, priv_type [(column_list)]] ...
      [ON object_type priv_level]
      TO principal_specification [, principal_specification] ...
      [WITH GRANT OPTION]

    REVOKE
      priv_type [(column_list)]
        [, priv_type [(column_list)]] ...
      [ON object_type priv_level]
      FROM principal_specification [, principal_specification] ...

    REVOKE ALL PRIVILEGES, GRANT OPTION
      FROM user [, user] ...

    object_type:
        TABLE
      | DATABASE

    priv_level:
        db_name
      | tbl_name
Viewing Granted Privileges
    SHOW GRANT principal_specification
      [ON object_type priv_level [(column_list)]]
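The role and privilege statements above are usually applied together as one provisioning sequence. The following HiveQL session is an added example, not taken from the Hive documentation; the database, table, column, role, user and group names are assumptions chosen to show a least-privilege layout (analysts read a subset of columns, the ETL role writes, one user holds GRANT OPTION), followed by the SHOW statements used to verify the result and the REVOKE/DROP statements used to take access away again.

```sql
-- Added example of the legacy-mode role/privilege workflow.
-- Assumed names: database sales, tables orders and customers, columns customer_id,
-- order_total, roles analyst and etl_writer, user dba, Hadoop groups analysts and etl.
-- Run in the Hive CLI with hive.security.authorization.enabled=true.

USE sales;

-- 1. Roles: grant to roles, then map roles to groups, rather than to users directly.
CREATE ROLE analyst;
CREATE ROLE etl_writer;

-- 2. Database-level grants (priv_level is a db_name): the ETL role may create
--    tables and partitions, write data, and read everything in sales.
GRANT CREATE, UPDATE, SELECT ON DATABASE sales TO ROLE etl_writer;

-- 3. Table- and column-level grants (priv_level is a tbl_name): analysts read all
--    of customers but only two named columns of orders. No database-level SELECT is
--    given to analyst, otherwise the column restriction would be moot.
GRANT SELECT ON TABLE customers TO ROLE analyst;
GRANT SELECT (customer_id, order_total) ON TABLE orders TO ROLE analyst;

-- 4. Delegation: only dba may re-grant privileges on orders. GRANT OPTION lets the
--    holder widen access, so keep it to a small, audited set of principals.
GRANT ALL ON TABLE orders TO USER dba WITH GRANT OPTION;

-- 5. Attach roles to Hadoop groups, so membership is managed in the directory,
--    not inside Hive.
GRANT ROLE analyst TO GROUP analysts;
GRANT ROLE etl_writer TO GROUP etl;

-- 6. Verify what is actually in effect before declaring the setup done.
SHOW ROLE GRANT GROUP analysts;
SHOW GRANT ROLE analyst ON TABLE orders;
SHOW GRANT ROLE etl_writer ON DATABASE sales;
SHOW GRANT USER dba ON TABLE orders;

-- 7. Taking access away: revoke the column grant, strip dba of all privileges and
--    the grant option, and drop a role that is no longer needed.
REVOKE SELECT (customer_id, order_total) ON TABLE orders FROM ROLE analyst;
REVOKE ALL PRIVILEGES, GRANT OPTION FROM dba;
DROP ROLE etl_writer;
```

The SHOW statements are the check worth keeping in a runbook: re-run them after any GRANT and compare against the intended matrix, since an extra database-level SELECT or a stray GRANT OPTION silently overrides the narrower table and column grants.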
...
hive.metastore.pre.event.listeners – Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener.
    <property>
      <name>hive.security.metastore.authorization.manager</name>
      <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>
      <description>authorization manager class name to be used in the metastore for authorization.
        The user defined authorization class should implement interface
        org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider.
      </description>
    </property>
    <property>
      <name>hive.security.metastore.authenticator.manager</name>
      <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
      <description>authenticator manager class name to be used in the metastore for authentication.
        The user defined authenticator should implement interface
        org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.
      </description>
    </property>
    <property>
      <name>hive.metastore.pre.event.listeners</name>
      <value> </value>
      <description>pre-event listener classes to be loaded on the metastore side to run code
        whenever databases, tables, and partitions are created, altered, or dropped.
        Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
        if metastore-side authorization is desired.
      </description>
    </property>