THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
Action | Select | Insert | Update | Delete | Ownership | Admin | URI Privilege (RWX Permission + Ownership) |
|---|---|---|---|---|---|---|---|
| CREATE TABLE | Y (of database) | Y (for create external table – the location) | |||||
| DROP TABLE | Y | ||||||
| DESCRIBE TABLE | Y | ||||||
| SHOW PARTITIONS | Y | ||||||
| ALTER TABLE LOCATION | Y | Y (for new location) | |||||
| ALTER PARTITION LOCATION | Y | Y (for new partition location) | |||||
| ALTER TABLE ADD PARTITION | Y | Y (for partition location) | |||||
| ALTER TABLE DROP PARTITION | Y | ||||||
| ALTER TABLE (all of them except the ones above) | Y | ||||||
| TRUNCATE TABLE | Y | ||||||
| CREATE VIEW | Y + G | ||||||
| ALTER VIEW PROPERTIES | Y | ||||||
| ALTER VIEW RENAME | Y | ||||||
| DROP VIEW PROPERTIES | Y | ||||||
| DROP VIEW | Y | ||||||
| ANALYZE TABLE | Y | Y | |||||
| SHOW COLUMNS | Y | ||||||
| SHOW TABLE STATUS | Y | ||||||
| SHOW TABLE PROPERTIES | Y | ||||||
| CREATE TABLE AS SELECT | Y (of input) | Y (of database) | |||||
| CREATE INDEX | Y (of table) | ||||||
| DROP INDEX | Y | ||||||
| ALTER INDEX REBUILD | Y | ||||||
| ALTER INDEX PROPERTIES | Y | ||||||
| SELECT | Y | ||||||
| INSERT | Y | Y (for OVERWRITE) | |||||
| UPDATE | Y | ||||||
| DELETE | Y | ||||||
| LOAD | Y (output) | Y (output) | Y (input location) | ||||
| SHOW CREATE TABLE | Y+G | ||||||
| CREATE FUNCTION | Y | ||||||
| DROP FUNCTION | Y | ||||||
| CREATE MACRO | Y | ||||||
| DROP MACRO | Y | ||||||
| MSCK (metastore check) | Y | ||||||
| ALTER DATABASE | Y | ||||||
| CREATE DATABASE | Y (if custom location specified) | ||||||
| EXPLAIN | Y | ||||||
| DROP DATABASE | Y |
Configuration
For Hive 0.13.x
Set the following in hive-site.xml:
...
Start HiveServer2 with the following additional command-line options:
- -hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
- -hiveconf hive.security.authorization.enabled=true
- -hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
- -hiveconf hive.metastore.uris=' '
For Hive 0.14 and newer:
Set the following in hive-site.xml:
- hive.server2.enable.doAs to false.
- hive.users.in.admin.role to the list of comma-separated users who need to be added to admin role. Note that a user who belongs to the admin role needs to run the "
set role" command before getting the privileges of the admin role, as this role is not in current roles by default. Add org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly to hive.security.metastore.authorization.manager. (It takes a comma separated list, so you can add it along with StorageBasedAuthorization parameter, if you want to enable that as well).
This setting disallows any of the authorization api calls to be invoked in a remote metastore. HiveServer2 can be configured to use embedded metastore, and that will allow it to invoke metastore authorization api. Hive cli and any other remote metastore users would be denied authorization when they try to make authorization api calls. This restricts the authorization api to privileged HiveServer2 process. You should also ensure that the metastore rdbms access is restricted to the metastore server and hiverserver2.hive.security.authorization.manager to org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory. This will ensure that any table or views created by hive-cli have default privileges granted for the owner.
Set the following in hiveserver2-site.xml:
- -hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
...