
Storage Based Authorization

Default Authorization Model of Hive

...

Note: This feature is also available in Hive on the metastore side, starting with release 0.10.0 (see Metastore Server Security in the Hive documentation).

...

The implementation of the file-system based authorization model is available through an authorization provider called StorageBasedAuthorizationProvider that is part of Hive. (Support for this was added to the Hive package in release 0.10.0; see HIVE-3705 and Metastore Server Security in the Hive documentation.) Earlier versions shipped this implementation in the HCatalog package, so using it required installing the HCatalog package along with Hive.

The HCatalog jar needs to be added to the Hive classpath. You can add the following to hive-env.sh to ensure that it gets added:

export HIVE_AUX_JARS_PATH=<path to hcatalog jar>

Note: An earlier implementation of this, called HdfsAuthorizationProvider, used to exist in the hcatalog package, but it has since been deprecated and was removed as of Hive 0.14 trunk. If your config indicates use of HdfsAuthorizationProvider, please update to the config below instead.

The following entries need to be added to hive-site.xml to enable authorization:

  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
    <description>enable or disable the hive client authorization</description>
  </property>

  <property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
    <description>the hive client authorization manager class name.
    The user defined authorization class should implement interface
    org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider.
    </description>
  </property>
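A small configuration audit is the practical way to catch the two mistakes this section warns about: authorization left disabled, and a hive-site.xml that still names the removed HdfsAuthorizationProvider. The script below is an added example, not code from the Hive project; it parses the standard Hadoop-style `<property>` layout of hive-site.xml and reports findings. The two XML documents and the hive-env.sh fragment embedded in it are constructed samples, and the package prefix `example.pkg` on the stale provider is a placeholder, not the real class name.

```python
import xml.etree.ElementTree as ET

# Fully qualified name of the provider this page tells you to configure.
SBAP = "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider"

# Constructed sample: a hive-site.xml that follows the page's instructions.
GOOD_HIVE_SITE = """<configuration>
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
  </property>
</configuration>"""

# Constructed sample: authorization off, and the deprecated provider still configured
# (the "example.pkg" package is a placeholder, not the provider's real package).
STALE_HIVE_SITE = """<configuration>
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>false</value>
  </property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>example.pkg.HdfsAuthorizationProvider</value>
  </property>
</configuration>"""

# Constructed sample hive-env.sh line, as the page suggests adding.
SAMPLE_HIVE_ENV = 'export HIVE_AUX_JARS_PATH="/opt/hive/hcatalog/share/hcatalog/hive-hcatalog-core.jar"\n'


def load_properties(xml_text):
    """Flatten a Hadoop-style XML config into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def check_authorization(props):
    """Return a list of human-readable findings; an empty list means the config matches the page."""
    findings = []
    enabled = props.get("hive.security.authorization.enabled", "false").lower()
    if enabled != "true":
        findings.append("hive.security.authorization.enabled is not true: client-side authorization checks are off")
    manager = props.get("hive.security.authorization.manager", "")
    simple_name = manager.rsplit(".", 1)[-1]
    if not manager:
        findings.append("hive.security.authorization.manager is unset")
    elif simple_name == "HdfsAuthorizationProvider":
        findings.append(f"manager {manager} was removed in Hive 0.14; switch to {SBAP}")
    elif manager != SBAP:
        findings.append(f"manager {manager} is not StorageBasedAuthorizationProvider")
    return findings


def hcatalog_jar_on_aux_path(hive_env_text):
    """True if hive-env.sh exports an HIVE_AUX_JARS_PATH entry that looks like the HCatalog jar."""
    for line in hive_env_text.splitlines():
        line = line.strip()
        if line.startswith("export HIVE_AUX_JARS_PATH="):
            value = line.split("=", 1)[1].strip().strip('"').strip("'")
            return any("hcatalog" in entry.lower() for entry in value.split(":"))
    return False


if __name__ == "__main__":
    for label, text in (("good", GOOD_HIVE_SITE), ("stale", STALE_HIVE_SITE)):
        for finding in check_authorization(load_properties(text)) or ["OK"]:
            print(f"[{label}] {finding}")
    print("hcatalog jar on aux path:", hcatalog_jar_on_aux_path(SAMPLE_HIVE_ENV))
```

Run it against a real hive-site.xml by replacing the embedded strings with `open(path).read()`; the `HdfsAuthorizationProvider` match is on the simple class name on purpose, so it fires regardless of which package an old configuration used.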

...

  1. Some metadata operations (mostly read operations) do not check for authorization. See https://issues.apache.org/jira/browse/HIVE-3009.
  2. The current implementation of Hive performs the authorization checks in the client. This means that malicious users can circumvent these checks.
  3. A different authorization provider (StorageDelegationAuthorizationProvider) needs to be used for working with HBase tables as well. But that is not well tested.
  4. Partition files and directories added by a Hive query don’t inherit permissions from the table. This means that even if you grant permissions for a group to access a table, new partitions will have read permissions only for the owner, if the default umask for the cluster is configured as such. See https://issues.apache.org/jira/browse/HIVE-3094. A separate "hdfs chmod" command will be necessary to modify the permissions.
  5. Although DDL statements for managing permissions have no effect in storage-based authorization, currently they do not return error messages. See https://issues.apache.org/jira/browse/HIVE-3010.
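Limitation 4 above is the one that silently undoes a grant: a table directory opened to a group stays readable, but every new partition comes in with the cluster's default umask. The script below is an added example (not Hive or HCatalog code) that turns an `hdfs dfs -ls -R <table dir>` listing into the `hdfs dfs -chmod` commands needed to bring partition directories and files back up to what the table directory grants. The listing embedded in it is a constructed sample in the same column layout as `hdfs dfs -ls`; the warehouse path and table name are made up.

```python
# Constructed sample output in the layout of `hdfs dfs -ls -R /user/hive/warehouse/sales`:
# the table directory is group-writable (770), but two newly added partitions and their
# data files were created under a restrictive umask and exclude the group.
SAMPLE_LISTING = """\
drwxrwx---   - hive hive          0 2014-06-01 10:00 /user/hive/warehouse/sales
drwxr-x---   - hive hive          0 2014-06-02 10:00 /user/hive/warehouse/sales/ds=2014-06-01
-rw-r-----   3 hive hive       1024 2014-06-02 10:00 /user/hive/warehouse/sales/ds=2014-06-01/000000_0
drwx------   - hive hive          0 2014-06-03 10:00 /user/hive/warehouse/sales/ds=2014-06-02
-rw-------   3 hive hive       1024 2014-06-03 10:00 /user/hive/warehouse/sales/ds=2014-06-02/000000_0
"""

TABLE_DIR = "/user/hive/warehouse/sales"


def parse_mode(perm):
    """Convert a 9-character rwx string (e.g. 'rwxr-x---') to an integer mode (0o750).
    'S'/'T' denote setuid/setgid/sticky without the execute bit, so they count as clear."""
    bits = 0
    for ch in perm[:9]:
        bits = (bits << 1) | (0 if ch in "-ST" else 1)
    return bits


def parse_listing(listing):
    """Yield (path, is_dir, mode) for each entry of an `hdfs dfs -ls`-style listing."""
    entries = []
    for line in listing.splitlines():
        parts = line.split(None, 7)          # maxsplit=7 keeps paths with spaces intact
        if len(parts) < 8 or parts[0][0] not in "d-":
            continue                          # skip "Found N items" and blank lines
        perm_field, path = parts[0], parts[7]
        entries.append((path, perm_field[0] == "d", parse_mode(perm_field[1:10])))
    return entries


def plan_chmods(listing, table_dir):
    """Return [(path, new_mode)] for every entry under table_dir that grants less than the table.
    Directories are raised to the table directory's mode; files get the same bits minus execute."""
    entries = parse_listing(listing)
    table_mode = next(mode for path, _, mode in entries if path == table_dir)
    prefix = table_dir.rstrip("/") + "/"
    plan = []
    for path, is_dir, mode in entries:
        if not path.startswith(prefix):
            continue
        target = table_mode if is_dir else (table_mode & 0o666)
        if (mode & target) != target:        # some bit the table grants is missing here
            plan.append((path, mode | target))
    return plan


def chmod_commands(plan):
    """Render the plan as shell commands to review before running."""
    return [f"hdfs dfs -chmod {mode:o} {path}" for path, mode in plan]


if __name__ == "__main__":
    for cmd in chmod_commands(plan_chmods(SAMPLE_LISTING, TABLE_DIR)):
        print(cmd)
```

Feed it a real listing with `subprocess.run(["hdfs", "dfs", "-ls", "-R", table_dir], capture_output=True, text=True).stdout` and review the printed commands before applying them; the script only ever adds bits the table directory already grants, so it cannot open a partition wider than its table.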
