Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: add link to SQL standard auth doc in first paragraph

Table of Contents

This section document describes Hive security using the basic authorization scheme, which regulates access to Hive metadata on the client side.  This was the default authorization mode used when authorization was enabled. The default was changed to SQL Standard authorization in Hive 2.0 (HIVE-12429).

Disclaimer

Hive authorization is not completely secure. The basic authorization scheme is intended primarily to prevent good users from accidentally doing bad things, but makes no promises about preventing malicious users from doing malicious things.  See the hive Hive authorization main page for the secure options.

Prerequisites

In order to use Hive authorization, there are two parameters that should be set in hive-site.xml:

...

Note that, by default, the hive.security.authorization.createtable.owner.grants are set to null, which would result in the creator of a table having no access to the table.

Users, Groups, and Roles

At the core of Hive's authorization system are users, groups, and roles. Roles allow administrators to give a name to a set of grants which can be easily reused. A role may be assigned to users, groups, and other roles. For example, consider a system with the following users and groups:

...

It is important to realize that Hive Metastore only controls authorization for metadata, and the underlying data is controlled by HDFS, so if permissions and privileges between the two systems are not in sync, users may have access to metadata, but not the physical data. If the user -> group mappings across the Metastore and Namenode are not in sync, as in the scenarios above, a user may have the privileges required to access a table according to the Metastore, but may not have permission to access the underlying files according to the Namenode. This could also happen due to administrator intervention, if permissions on the files were changed by hand, but Metastore grants had not been updated.

Names of Users and Roles

Role names are case sensitive. In Hive 0.13, however, there was a bug that caused it to have case insensitive . That is, “marketing” and “MarkEting” refer to same rolebehavior. That issue has been fixed in Hive 0.14.

User names are are also case sensitive. This is because, unlike Unlike role names, user names are not managed within Hive.

Info
titleQuoted Identifiers in Version 0.13.0+

As of Hive 0.13.0, user and role names may optionally be surrounded by backtick characters (`) when the configuration parameter hive.support.quoted.identifiers is set to column (default value). All Unicode characters are permitted in the quoted identifiers, with double backticks (``) representing a backtick character. However when hive.support.quoted.identifiers is set to none, or in Hive 0.12.0 and earlier, only alphanumeric and underscore characters are permitted in user names and role names.

For details, see HIVE-6013 and Supporting Quoted Identifiers in Column Names.

As of Hive 0.14, user may be optionally surrounded by backtick characters (`) irrespective of the hive.support.quoted.identifiers setting.

Creating/Dropping/Using Roles

Create/Drop Role

No Format
CREATE ROLE role_name

DROP ROLE role_name

Grant/Revoke Roles

No Format
GRANT ROLE role_name [, role_name] ...
TO principal_specification [, principal_specification] ...
[WITH ADMIN OPTION]

REVOKE [ADMIN OPTION FOR] ROLE role_name [, role_name] ...
FROM principal_specification [, principal_specification] ...

principal_specification:
    USER user
  | GROUP group
  | ROLE role
Info
titleVersion

GRANT ROLE added the optional WITH ADMIN OPTION clause in Hive 0.13.0 (HIVE-5923).

REVOKE ROLE will add the optional ADMIN OPTION FOR clause in Hive 0.14.0 (HIVE-6252).

 

Viewing Granted Roles

No Format
SHOW ROLE GRANT principal_specification
 
principal_specification:
    USER user
  | GROUP group
  | ROLE role
Info
titleVersion

The output of SHOW ROLE GRANT is in tabular format starting with Hive 0.13.0 (HIVE-6204).

Privileges

The following privileges are supported in Hive:

  • ALL - Gives users all privileges
  • ALTER - Allows users to modify the metadata of an object
  • UPDATE - Allows users to modify the physical data of an object
  • CREATE - Allows users to create objects. For a database, this means users can create tables, and for a table, this means users can create partitions
  • DROP - Allows users to drop objects
  • INDEX - Allows users to create indexes on an object (Note: this is not currently implemented)
  • LOCK - Allows users to lock or unlock tables when concurrency is enabled
  • SELECT - Allows users to access data for objects
  • SHOW_DATABASE - Allows users to view available databases

Grant/Revoke Privileges

No Format
GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_typespecification]
    TO principal_specification [, principal_specification] ...
    [WITH GRANT OPTION]

REVOKE [GRANT OPTION FOR]
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_type priv_levelspecification]
    FROM principal_specification [, principal_specification] ...

REVOKE ALL PRIVILEGES, GRANT OPTION
    FROM user [, user] ...

priv_type:
    ALL | ALTER | UPDATE | CREATE | DROP
  | INDEX | LOCK | SELECT | SHOW_DATABASE 
 
object_typespecification:
    TABLE tbl_name
  | DATABASE

priv_level:
    db_name
  | tbl_name
 
principal_specification:
    USER user
  | GROUP group
  | ROLE role
Info
titleVersion

REVOKE priv_type will add the optional GRANT OPTION FOR clause in Hive 0.14.0 (HIVE-7404).

 

Viewing Granted Privileges

No Format
SHOW GRANT principal_specification
[ON object_typespecification priv_level [(column_list)]]
 
principal_specification:
    USER user
  | GROUP group
  | ROLE role
 
object_typespecification:
    TABLE tbl_name
  | DATABASE

priv_level:
    db_name
  | tbl_name
Info
titleVersion

The output of SHOW GRANT is in tabular format starting with Hive 0.13.0 (HIVE-6204).

 

Hive Operations and Required Privileges

As of the release of Hive 0.7, only these operations require permissions, according to org.apache.hadoop.hive.ql.plan.HiveOperation:

...