Hive Authorization
...
To enable Hive metastore server security, set these parameters in hive-site.xml:

- hive.metastore.pre.event.listeners – Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener. This turns on metastore-side security.
- hive.security.metastore.authorization.manager – Set to org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider. This tells Hive which metastore-side authorization provider to use. The DefaultHiveMetastoreAuthorizationProvider implements the standard Hive grant/revoke model. To use an HDFS permission-based model to do your authorization, you can use org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider instead.
- hive.security.metastore.authenticator.manager – Set to org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator.

The snippet below shows the keys as they are in a default state in hive-site.xml (metastore-side auth set up to use the default authorization/authentication, but disabled). Please edit in information as above to get the desired authorization behaviour:
```xml
<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>
  <description>authorization manager class name to be used in the metastore for authorization.
  The user defined authorization class should implement interface
  org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider.
  </description>
</property>

<property>
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  <description>authenticator manager class name to be used in the metastore for authentication.
  The user defined authenticator should implement interface
  org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.
  </description>
</property>

<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value> </value>
  <description>pre-event listener classes to be loaded on the metastore side to run code
  whenever databases, tables, and partitions are created, altered, or dropped.
  Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
  if metastore-side authorization is desired.
  </description>
</property>
```
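
Because the default state names both manager classes yet leaves the listener empty, a hive-site.xml can look configured while metastore-side authorization is off. The following check is an added example, not part of the Hive documentation or code base; the function names, the `<configuration>` root element and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

LISTENERS = "hive.metastore.pre.event.listeners"
MANAGERS = ("hive.security.metastore.authorization.manager",
            "hive.security.metastore.authenticator.manager")
PKG = "org.apache.hadoop.hive.ql.security."
AUTHZ_LISTENER = PKG + "authorization.AuthorizationPreEventListener"

def load_properties(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_metastore_auth(xml_text):
    """Return findings; an empty list means all three keys on this page are set."""
    props = load_properties(xml_text)
    findings = []
    # Assumption: the listeners value is a comma-separated list of class names.
    listeners = [c.strip() for c in props.get(LISTENERS, "").split(",")]
    if AUTHZ_LISTENER not in listeners:
        findings.append(LISTENERS + " does not load AuthorizationPreEventListener; "
                        "metastore-side authorization is off")
    for key in MANAGERS:
        if not props.get(key):
            findings.append(key + " is not set explicitly in this file")
    return findings

def _site(listener_value):
    """Build a constructed hive-site.xml with the given listener value."""
    rows = [(LISTENERS, listener_value),
            (MANAGERS[0], PKG + "authorization.DefaultHiveMetastoreAuthorizationProvider"),
            (MANAGERS[1], PKG + "HadoopDefaultMetastoreAuthenticator")]
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>"
                   for n, v in rows)
    return f"<configuration>{body}</configuration>"

DEFAULT_STATE = _site(" ")             # constructed: listener empty, as in the snippet above
ENABLED_STATE = _site(AUTHZ_LISTENER)  # constructed: listener set as this page directs

if __name__ == "__main__":
    for label, xml_text in (("default", DEFAULT_STATE), ("enabled", ENABLED_STATE)):
        print(label, audit_metastore_auth(xml_text) or "OK")
```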