...
Note that this documentation refers to authorization, which is verifying whether a user has permission to perform a certain action, and not to authentication (verifying the identity of the user). Strong authentication for tools like the Hive command line is provided through the use of Kerberos. There are additional authentication options for users of HiveServer2.
Hive Authorization options
It is useful to think of authorization in terms of two primary use cases of Hive.
...
This model is similar to the SQL standards based authorization mode, in that it provides grant/revoke statement based access control. However, the access control policy is different from SQL standards based authorization, and the two are not compatible. Use of this mode is also supported for Hive command line users. However, for the reasons mentioned in the discussion of SQL standards based authorization (above), it is not a secure mode of authorization for the Hive command line.
Addressing authorization needs of multiple use cases
...
Storage based authorization provides a simple way to address all the use cases described above. However, if you also need finer grained access control for SQL users, you can also enable SQL standards based authorization mode in HiveServer2.
That is, you can have storage based authorization enabled for the metastore API calls (in the Hive metastore) and SQL standards based authorization enabled in HiveServer2 at the same time.
Storage Based Authorization/Metastore Server Security
...
This section describes the metastore server security feature added to Hive in release 0.10. This feature was introduced previously in HCatalog (see Storage Based Authorization).
The Need for Metastore Server Security
...
When multiple clients access the same metastore in a backing database, such as MySQL, the database connection credentials may be visible in the hive-site.xml configuration file. A malicious or incompetent user could cause serious damage to metadata even though the underlying data is protected by HDFS access controls.
...
Also, when a Hive metastore server uses Thrift to communicate with clients and has a backing database for metadata storage and persistence, the authentication and authorization done on the client side cannot guarantee security on the metastore side.
To provide security for metadata, release 0.10 adds authorization capability to the metastore. (See HIVE-3705.)
Storage Based Authorization
...
When metastore server security is configured to use Storage Based Authorization, it uses the file system permissions for folders corresponding to the different metadata objects as the source of truth for the authorization policy. Use of Storage Based Authorization in metastore is recommended.
See details in the Storage Based Authorization document.
...
Configuration Parameters for Metastore Security
...
To enable Hive metastore server security, set these parameters in hive-site.xml:

hive.metastore.pre.event.listeners
Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener. This turns on metastore-side security.

hive.security.metastore.authorization.manager
Set to org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider. This tells Hive which metastore-side authorization provider to use. The default setting uses DefaultHiveMetastoreAuthorizationProvider, which implements the standard Hive grant/revoke model. To use an HDFS permission-based model (recommended) to do your authorization, you can use org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider instead.
Version information: StorageBasedAuthorizationProvider was introduced in Hive 0.10.0, running on the metastore side only (HIVE-3705). Starting in Hive 0.12.0 it also runs on the client side (HIVE-5048 and HIVE-5402).

hive.security.metastore.authenticator.manager
Set to org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator.
...
The snippet below shows the keys in their default state in hive-site.xml (metastore-side security set up to use the default authorization/authentication, but disabled). Edit the values as described above to get the desired authorization behaviour:

<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>
  <description>authorization manager class name to be used in the metastore for authorization. The user defined authorization class should implement interface org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider.</description>
</property>
<property>
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  <description>authenticator manager class name to be used in the metastore for authentication. The user defined authenticator should implement interface org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.</description>
</property>
<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value> </value>
  <description>pre-event listener classes to be loaded on the metastore side to run code whenever databases, tables, and partitions are created, altered, or dropped. Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener if metastore-side authorization is desired.</description>
</property>
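As an added example (not part of the Hive documentation or the Hive project), the following Python script audits a hive-site.xml against the three settings above: it reports whether the pre-event listener is missing (metastore-side authorization off) and whether the authorization manager is the recommended StorageBasedAuthorizationProvider. The embedded XML is a constructed copy of the default snippet; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the default hive-site.xml keys (metastore security disabled).
DEFAULT_HIVE_SITE = """<configuration>
  <property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>
  </property>
  <property>
    <name>hive.security.metastore.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  </property>
  <property>
    <name>hive.metastore.pre.event.listeners</name>
    <value> </value>
  </property>
</configuration>"""

LISTENER = "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener"
STORAGE_BASED = "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider"
AUTHENTICATOR = "org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator"

def load_properties(xml_text):
    """Return {name: value} for every <property> element in a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        props[name] = (prop.findtext("value") or "").strip()  # blank <value> becomes ""
    return props

def audit_metastore_security(props):
    """Return a list of findings; an empty list means the recommended setup is present."""
    findings = []
    # The listener key is a comma-separated class list; the authorization listener must be in it.
    listeners = [c.strip() for c in props.get("hive.metastore.pre.event.listeners", "").split(",")]
    if LISTENER not in listeners:
        findings.append("metastore-side authorization is OFF: AuthorizationPreEventListener not configured")
    manager = props.get("hive.security.metastore.authorization.manager", "")
    if manager != STORAGE_BASED:
        findings.append(f"authorization manager is '{manager or '<unset>'}', not StorageBasedAuthorizationProvider")
    if props.get("hive.security.metastore.authenticator.manager", "") != AUTHENTICATOR:
        findings.append("authenticator manager is not HadoopDefaultMetastoreAuthenticator")
    return findings

def hardened(props):
    """Return a copy of the properties with the three keys set as recommended above."""
    return {**props, "hive.metastore.pre.event.listeners": LISTENER,
            "hive.security.metastore.authorization.manager": STORAGE_BASED,
            "hive.security.metastore.authenticator.manager": AUTHENTICATOR}

if __name__ == "__main__":
    for finding in audit_metastore_security(load_properties(DEFAULT_HIVE_SITE)):
        print("FINDING:", finding)
```

Run against the default snippet it reports two findings (listener missing, grant/revoke provider in use); after `hardened()` it reports none.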
SQL Standards Based Authorization
...
Hive release 0.13.0 introduced authorization based on SQL standards. See SQL Standard Based Hive Authorization for details.
...