...
See details in the HCatalog Storage Based Authorization document.
Starting in Hive 0.14, storage based authorization authorizes read privilege on databases and tables. The get_database API call needs read privilege on the database directory. The get_table_* calls that fetch table information and the get_partition_* calls that list the partitions of a table require read privilege on the table directory. It is enabled by default with storage based authorization. See hive.security.metastore.authorization.auth.reads in the next section on configuration.
...
hive.metastore.pre.event.listeners
Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener. This turns on metastore-side security.
hive.security.metastore.authorization.manager
Set to org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider. This tells Hive which metastore-side authorization provider to use. The default setting uses DefaultHiveMetastoreAuthorizationProvider, which implements the standard Hive grant/revoke model. To use an HDFS permission-based model (recommended) to do your authorization, use StorageBasedAuthorizationProvider as instructed above.
Versions 0.10.0 and 0.12.0: The StorageBasedAuthorizationProvider was introduced in Hive 0.10.0, running on the metastore side only (HIVE-3705). Starting in Hive 0.12.0 it also runs on the client side (HIVE-5048 and HIVE-5402).
hive.security.metastore.authenticator.manager
Set to org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator.
hive.security.metastore.authorization.auth.reads
When this is set to true, Hive metastore authorization also checks for read access. It is set to true by default. Read authorization checks were introduced in Hive 0.14.0.
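A configuration check for the four settings above, added here as an example and not taken from the Hive project: it parses hive-site.xml text and reports where the file departs from the values this page gives. The function names (load_properties, audit, _site) and both sample files are constructed for illustration; treating the class-name values as comma-separated lists is an assumption made so that extra listeners do not cause a false finding.

```python
import xml.etree.ElementTree as ET

AUTHZ = "org.apache.hadoop.hive.ql.security.authorization."
# Values the page says to set for metastore-side storage based authorization.
REQUIRED = {
    "hive.metastore.pre.event.listeners": AUTHZ + "AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager": AUTHZ + "StorageBasedAuthorizationProvider",
    "hive.security.metastore.authenticator.manager":
        "org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator",
}
READS = "hive.security.metastore.authorization.auth.reads"

def load_properties(xml_text):
    """Return {name: value} from hive-site.xml text; the last occurrence of a name wins here."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """List findings where the file departs from the settings on the page."""
    props = load_properties(xml_text)
    findings = []
    for name, wanted in REQUIRED.items():
        # Assumption: values may be comma-separated class lists, so test membership.
        classes = [c.strip() for c in props.get(name, "").split(",")]
        if wanted not in classes:
            findings.append(f"{name}: expected {wanted}, found {props.get(name) or '<unset>'}")
    # Read checks default to true (Hive 0.14.0+); only an explicit false disables them.
    if props.get(READS, "true").lower() == "false":
        findings.append(f"{READS}: read authorization checks are disabled")
    return findings

def _site(props):
    """Build hive-site.xml text from a dict (used for the constructed samples)."""
    rows = "".join(f"<property><name>{k}</name><value>{v}</value></property>\n"
                   for k, v in props.items())
    return f"<configuration>\n{rows}</configuration>"

# Constructed samples: one matching the page, one on the default provider with reads off.
GOOD_SITE = _site(REQUIRED)
WEAK_SITE = _site({
    "hive.security.metastore.authorization.manager": AUTHZ + "DefaultHiveMetastoreAuthorizationProvider",
    READS: "false",
})

if __name__ == "__main__":
    for finding in audit(WEAK_SITE):
        print("FINDING", finding)
```

Run against the metastore's own hive-site.xml, an empty result means the listener, provider and authenticator match the page and read checks have not been switched off.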
Sample hive-site.xml: Default Settings
...