...

Note that through the use of HDFS ACLs (available in Hadoop 2.4 onwards) you have a lot of flexibility in controlling access to the file system, which in turn provides more flexibility with Storage Based Authorization. This functionality is available as of Hive 0.14 (HIVE-7583).

When relying on Storage Based Authorization to restrict access, you still need to enable security option 2 or 3 listed below, or use FallbackHiveAuthorizer, to protect actions within the HiveServer2 instance.

Fall Back Authorizer

You need to use Hive 2.3.4 or 3.1.1 or later to use Fall Back Authorizer.

The admin needs to specify the following entries in hiveserver2-site.xml:

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
</property>

FallbackHiveAuthorizerFactory does the following to mitigate the above-mentioned threat:

  1. Disallow local file locations in SQL statements, except for admin
  2. Allow "set" only for selected whitelisted parameters
  3. Disallow dfs commands except for admin
  4. Disallow "ADD JAR" statement
  5. Disallow "COMPILE" statement
  6. Disallow "TRANSFORM" statement
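
The following is an added example, not part of the Hive documentation or code base: a small Python check that a hiveserver2-site.xml carries the two entries above with the documented values. The function names and the sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Expected entries, copied from the hiveserver2-site.xml snippet above.
REQUIRED = {
    "hive.security.authorization.enabled": "true",
    "hive.security.authorization.manager":
        "org.apache.hadoop.hive.ql.security.authorization.plugin."
        "fallback.FallbackHiveAuthorizerFactory",
}

def read_properties(xml_text):
    """Collect every value given for each <property> name, in file order."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props.setdefault(name, []).append((prop.findtext("value") or "").strip())
    return props

def audit_fallback_authorizer(xml_text):
    """Return findings; an empty list means both entries match the snippet."""
    props, findings = read_properties(xml_text), []
    for name, expected in REQUIRED.items():
        values = props.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif len(set(values)) > 1:
            # Conflicting duplicates leave the effective setting unclear to a reviewer.
            findings.append(f"{name}: conflicting duplicates {values}")
        elif values[0] != expected:
            findings.append(f"{name}: expected {expected!r}, found {values[0]!r}")
    return findings

# Constructed sample files (not taken from a real deployment).
GOOD = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
  </property>
</configuration>"""
BAD = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_fallback_authorizer(text) or "ok")
```

The check only confirms what the file says; the Hive version requirement stated above (2.3.4 or 3.1.1 or later) has to be verified separately.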


2 SQL Standards Based Authorization in HiveServer2

...