Hive Authorization
Table of Contents |
---|
Hive Client Authorization
This section describes Hive security using the basic authorization scheme, which regulates access to Hive metadata on the client side. Starting with Hive release 0.10, additional security measures can be enabled to regulate access on the metastore side, as described in Metastore Server Security below.
Disclaimer
Hive authorization is not completely secure. In its current form, the The basic authorization scheme is intended primarily to prevent good users from accidentally doing bad things, but makes no promises about preventing malicious users from doing malicious things. Starting in Hive release 0.10, however, metastore-side security can be enabled to prevent malicious access to metadata in a metastore server configuration.
Prerequisites
In order to use Hive authorization, there are two parameters that should be set in hive-site.xml
:
Code Block |
---|
<property> <name>hive.security.authorization.enabled</name> <value>true</value> <description>enable or disable the hive client authorization</description> </property> <property> <name>hive.security.authorization.createtable.owner.grants</name> <value>ALL</value> <description>the privileges automatically granted to the owner whenever a table gets created. An example like "select,drop" will grant select and drop privilege to the owner of the table</description> </property> |
Note that, by default, the hive.security.authorization.createtable.owner.grants are set to null, which would result in the creator of a table having no access to the table.
Users, Groups, and Roles
At the core of Hive's authorization system are users, groups, and roles. Roles allow administrators to give a name to a set of grants which can be easily reused. A role may be assigned to users, groups, and other roles. For example, consider a system with the following users and groups:
...
It is important to realize that Hive Metastore only controls authorization for metadata, and the underlying data is controlled by HDFS, so if permissions and privileges between the two systems are not in sync, users may have access to metadata, but not the physical data. If the user -> group mappings across the Metastore and Namenode are not in sync, as in the scenarios above, a user may have the privileges required to access a table according to the Metastore, but may not have permission to access the underlying files according to the Namenode. This could also happen due to administrator intervention, if permissions on the files were changed by hand, but Metastore grants had not been updated.
Creating/Dropping/Using Roles
Create/Drop Role
Code Block |
---|
CREATE ROLE role_name DROP ROLE role_name |
Grant/Revoke Roles
Code Block |
---|
GRANT ROLE role_name [, role_name] ... TO principal_specification [, principal_specification] ... REVOKE ROLE role_name [, role_name] ... FROM principal_specification [, principal_specification] ... principal_specification : USER user | GROUP group | ROLE role |
Viewing Granted Roles
Code Block |
---|
SHOW ROLE GRANT principal_specification |
Privileges
The following privileges are supported in Hive:
- ALL - Gives users all privileges
- ALTER - Allows users to modify the metadata of an object
- UPDATE - Allows users to modify the physical data of an object
- CREATE - Allows users to create objects. For a database, this means users can create tables, and for a table, this means users can create partitions
- DROP - Allows users to drop objects
- INDEX - Allows users to create indexes on an object (Note: this is not currently implemented)
- LOCK - Allows users to lock or unlock tables when concurrency is enabled
- SELECT - Allows users to access data for objects
- SHOW_DATABASE - Allows users to view available databases
Grant/Revoke Privileges
Code Block |
---|
GRANT priv_type [(column_list)] [, priv_type [(column_list)]] ... [ON object_type] TO principal_specification [, principal_specification] ... [WITH GRANT OPTION] REVOKE priv_type [(column_list)] [, priv_type [(column_list)]] ... [ON object_type priv_level] FROM principal_specification [, principal_specification] ... REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ... object_type: TABLE | DATABASE priv_level: db_name | tbl_name |
Viewing Granted Privileges
Code Block |
---|
SHOW GRANT principal_specification [ON object_type priv_level [(column_list)]] |
Hive Operations and Required Privileges
As of the release of Hive 0.7, only these operations require permissions, according to org.apache.hadoop.hive.ql.plan.HiveOperation:
Operation | ALTER | UPDATE | CREATE | DROP | INDEX | LOCK | SELECT | SHOW_DATABASE |
LOAD |
| X |
|
|
|
|
|
|
EXPORT |
|
|
|
|
|
| X |
|
IMPORT | X | X |
|
|
|
|
|
|
CREATE TABLE |
|
| X |
|
|
|
|
|
CREATE TABLE AS SELECT |
|
| X |
|
|
| X |
|
DROP TABLE |
|
|
| X |
|
|
|
|
SELECT |
|
|
|
|
|
| X |
|
ALTER TABLE ADD COLUMN | X |
|
|
|
|
|
|
|
ALTER TABLE REPLACE COLUMN | X |
|
|
|
|
|
|
|
ALTER TABLE RENAME | X |
|
|
|
|
|
|
|
ALTER TABLE ADD PARTITION |
|
| X |
|
|
|
|
|
ALTER TABLE DROP PARTITION |
|
|
| X |
|
|
|
|
ALTER TABLE ARCHIVE |
| X |
|
|
|
|
|
|
ALTER TABLE UNARCHIVE |
| X |
|
|
|
|
|
|
ALTER TABLE SET PROPERTIES | X |
|
|
|
|
|
|
|
ALTER TABLE SET SERDE | X |
|
|
|
|
|
|
|
ALTER TABLE SET SERDE | X |
|
|
|
|
|
|
|
ALTER TABLE SET SERDEPROPERTIES | X |
|
|
|
|
|
|
|
ALTER TABLE CLUSTER BY | X |
|
|
|
|
|
|
|
ALTER TABLE PROTECT MODE | X |
|
|
|
|
|
|
|
ALTER PARTITION PROTECT MODE | X |
|
|
|
|
|
|
|
ALTER TABLE SET FILEFORMAT | X |
|
|
|
|
|
|
|
ALTER PARTITION SET FILEFORMAT | X |
|
|
|
|
|
|
|
ALTER TABLE SET LOCATION |
| X |
|
|
|
|
|
|
ALTER PARTITION SET LOCATION |
| X |
|
|
|
|
|
|
ALTER TABLE CONCATENATE |
| X |
|
|
|
|
|
|
ALTER PARTITION CONCATENATE |
| X |
|
|
|
|
|
|
SHOW DATABASES |
|
|
|
|
|
|
| X |
LOCK TABLE |
|
|
|
|
| X |
|
|
UNLOCK TABLE |
|
|
|
|
| X |
|
|
Metastore Server Security
This section describes the metastore server security feature introduced in Hive release 0.10.
The Need for Metastore Server Security
When multiple clients access the same metastore in a backing database, such as MySQL, the database connection credentials may be visible in the hive-site.xml
configuration file. A malicious or incompetent user could cause serious damage to metadata even though the underlying data is protected by HDFS access controls.
Also, when a Hive metastore server uses Thrift to communicate with clients and has a backing database for metadata storage and persistence, the authentication and authorization done on the client side cannot guarantee security on the metastore side.
To provide security for metadata, release 0.10 adds authorization capability to the metastore. (See HIVE-3705.) Metastore security is based on access rights to the underlying storage system, not on privileges granted to users, groups, and roles.
Configuration Parameters for Metastore Security
To enable Hive metastore server security, set these parameters in hive-site.xml
:
hive.security.metastore.authorization.manager
– Set toorg.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider
.
hive.security.metastore.authenticator.manager
– Set toorg.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator
.
hive.metastore.pre.event.listeners
– Set toorg.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
.
Code Block |
---|
<property>
<name>hive.security.metastore.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>
<description>authorization manager class name to be used in the metastore for authorization.
The user defined authorization class should implement interface
org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider.
</description>
</property>
<property>
<name>hive.security.metastore.authenticator.manager</name>
<value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
<description>authenticator manager class name to be used in the metastore for authentication.
The user defined authenticator should implement interface
org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.
</description>
</property>
<property>
<name>hive.metastore.pre.event.listeners</name>
<value> </value>
<description>pre-event listener classes to be loaded on the metastore side to run code
whenever databases, tables, and partitions are created, altered, or dropped.
Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
if metastore-side authorization is desired.
</description>
</property>
|