Hive Authorization


To enable Hive metastore server security, set these parameters in hive-site.xml:

  • hive.metastore.pre.event.listeners – Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener. This turns on metastore-side security.
  • hive.security.metastore.authorization.manager – Set to org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider. This tells Hive which metastore-side authorization provider to use. The DefaultHiveMetastoreAuthorizationProvider implements the standard Hive grant/revoke model. To use an HDFS permission-based model for authorization instead, set it to org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.
  • hive.security.metastore.authenticator.manager – Set to org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator.

 

The snippet below shows the keys as they are in a default state in hive-site.xml (metastore-side auth set up to use the default authorization/authentication, but disabled). Please edit in information as above to get the desired authorization behaviour:

<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>
  <description>authorization manager class name to be used in the metastore for authorization.
  The user defined authorization class should implement interface
  org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider.
  </description>
</property>

<property>
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  <description>authenticator manager class name to be used in the metastore for authentication.
  The user defined authenticator should implement interface 
  org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.
  </description>
</property>

<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value> </value>
  <description>pre-event listener classes to be loaded on the metastore side to run code
  whenever databases, tables, and partitions are created, altered, or dropped.
  Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
  if metastore-side authorization is desired.
  </description>
</property>
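
A check for the three keys described above, as an added example that is not part of the original page or of Hive itself: it parses hive-site.xml text and reports which keys differ from the values the page gives. The function names, the comma-separated handling of the listener list and the sample input are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

PKG = "org.apache.hadoop.hive.ql.security."
LISTENER_KEY = "hive.metastore.pre.event.listeners"
AUTHZ_KEY = "hive.security.metastore.authorization.manager"
AUTHN_KEY = "hive.security.metastore.authenticator.manager"
LISTENER = PKG + "authorization.AuthorizationPreEventListener"
PROVIDERS = (PKG + "authorization.DefaultHiveMetastoreAuthorizationProvider",
             PKG + "authorization.StorageBasedAuthorizationProvider")
AUTHENTICATOR = PKG + "HadoopDefaultMetastoreAuthenticator"

def load_properties(xml_text):
    """Map property name -> stripped value; a repeated name keeps its last value here."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_metastore_auth(xml_text):
    """Return findings for the three keys; an empty list means they match the page."""
    props, findings = load_properties(xml_text), []
    # Assumption: several listener classes are given as a comma-separated list.
    listeners = [c.strip() for c in props.get(LISTENER_KEY, "").split(",")]
    if LISTENER not in listeners:
        findings.append(LISTENER_KEY + ": AuthorizationPreEventListener not loaded, "
                        "metastore-side authorization is off")
    if props.get(AUTHZ_KEY, "") not in PROVIDERS:
        findings.append(AUTHZ_KEY + ": not one of the two providers named on the page, "
                        "review the class")
    if props.get(AUTHN_KEY, "") != AUTHENTICATOR:
        findings.append(AUTHN_KEY + ": not HadoopDefaultMetastoreAuthenticator")
    return findings

def sample_site(listeners, provider=PROVIDERS[0]):
    """Constructed hive-site.xml text (sample input, not a real cluster's file)."""
    rows = ((LISTENER_KEY, listeners), (AUTHZ_KEY, provider), (AUTHN_KEY, AUTHENTICATOR))
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>"
                   for n, v in rows)
    return f"<configuration>{body}</configuration>"

if __name__ == "__main__":
    # The default state from the page (empty listener value) versus the enabled state.
    for label, text in (("default", sample_site(" ")), ("enabled", sample_site(LISTENER))):
        print(label, audit_metastore_auth(text) or "ok")
```

A custom authorization provider is allowed by the property's description, so the second finding is a prompt to review the class rather than a failure.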