THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
| Table of Contents |
|---|
Status of Hive Authorization before hive 0.13
The default authorization in hive is not designed with the intent to protect against malicious users from accessing data they should not be accessing. It only helps in preventing users from accidentally doing operations they are not supposed to. It is also incomplete because it does not have authorization checks for many operations including the grant statement. The authorization checks happen during hive query compilation. But as the user is allowed to execute dfs commands, user defined functions and shell commands, it is possible to bypass the client security checks.
...
The default authorization model in hive can be used to provide fine grained access control by creating views and granting access to views instead of the underlying table.
SQL Standards based hive authorization
SQL standards based authorization option (introduced in hive 0.13) provides a third option for authorization in hive. This is recommended because it allows Hive to be fully SQL compliant in its authorization model without causing backward compatibility issues for current users. As users migrate to this more secure model, the current default authorization could be deprecated. This authorization mode can be used in conjunction with storage based authorization on the metastore server. Like the current default authorization in hive, this will also be enforced at query compilation time. To provide security through this option, the client will have to be secured. This can be done by allowing users access only through hive server2, and by restricting the user code and non sql commands that can be run. The checks will happen against the user who submits the request, but the query will run as the hive server user. The directories and files for input data would have read access for this hive server user. For users who don’t have the need to protect against malicious users, this could potentially be supported through the hive command line as well.
...
Most users such as business analysts tend to use SQL and odbc/jdbc through HiveServer2 and their access can be controlled using this authorization model.
Restrictions on hive commands,statements
Commands such as dfs,add,delete,compile,reset are disabled when this authorization is enabled.
...
To enable users to use functions, the ability to create permanent functions has been added. A user in admin role can run commands to create these functions, that all users can then use.
Privileges
● SELECT privilege - gives read access to object
...
● ALL PRIVILEGES - gives all privileges
Objects
● The privileges will apply to table and views. The above privileges are not supported on databases.
Object ownership
For certain actions, the ownership of the object (table/view/database) determines if you are authorized to perform the action.
Users and Roles
Privileges can be granted to users as well as roles.
Users can belong to one or more roles.
There are two roles with special meaning - *public* and *admin*.
All users belong to the *public* role. You use this role in your grant statement to grant the privilege to all users.
When a user runs a hive query/command, the privileges granted to the user and her ‘current roles’ are checked. The current roles can be seen using the ‘show current roles;’ command. All roles except for the *admin* role will be in the current roles by default.
To set a specific role as the current role, you need to use the ‘set role’ command. See the command description for details.
Users who do the work of a ‘data base administrator’ are expected to be added to the *admin* role.
They have privileges for running additional commands such as ‘create role’ and ‘drop role’. They can also access objects that they haven’t been given explicit access to. However, a user who belongs to the admin role needs to run the ’SET ROLE’ command before getting the privileges of the admin role, as this role is not in current roles by default.
Role names are case insensitive. ie, “marketing” and “MarkEting” refer to same role.
User names are case sensitive. This is because, unlike role names, user names are not managed within hive.
Role management commands
CREATE ROLE <rolename>;
Creates a new role. Only admin role has privilege for this.
The role names ALL, DEFAULT and NONE are reserved.
DROP ROLE <rolename>;
Drops the given role. Only admin role has privilege for this.
SHOW CURRENT ROLES;
Shows the list of current roles. All actions of the user are authorized by looking at the privileges of the user and all current roles of the user.
The default current roles has all roles for the user except for the admin role (even if the user belongs to the admin role as well).
Any user can run this command.
SET ROLE (<rolename>|ALL)
If a <rolename> is specified, then that role becomes the only role in current roles.
Setting role name to ALL refereshes the list of current roles (in case new roles were granted to the user) and sets them to default list of roles.
If a role the user does not belong to is specified as the <rolename>, it will result in an error.
SHOW ROLES
List all currently existing roles.
Only admin role has privilege for this.
GRANT ROLE <role_name> [, <role_name>] ...
TO principal_specification [, principal_specification] ...
[ WITH ADMIN OPTION ]
principal_specification
: USER user
| ROLE role
Grant one or more roles to other roles or users.
If “WITH ADMIN OPTION” is specified, then the user gets privileges to grant the role to other users/roles.
If the grant statement ends up creating a cycling relationship between roles, the command will fail with an error.
REVOKE ROLE <role_name> [, <role_name>] ...
FROM principal_specification [, principal_specification] ...
principal_specification
: USER user
| ROLE role
Revokes the membership of the roles from the user/roles in the FROM clause.
Currently revoking just the ADMIN OPTION is not possible. You need to revoke the principal’s role grant, and then grant the role to principal without admin option.
SHOW ROLE GRANT (USER|ROLE) <principalname>
Where principal name is the name of a user or role.
Lists all roles the given user or role has been granted.
Currently any user can run this command. But this is likely to change in future to allow users to see only their own role grants, and additional privileges would be needed to see role grants of other users.
0: jdbc:hive2://localhost:10000> GRANT role1 TO USER user1 ;No rows affected (0.058 seconds)0: jdbc:hive2://localhost:10000> SHOW ROLE GRANT USER user1+---------+---------------+----------------+----------+| role | grant_option | grant_time | grantor |+---------+---------------+----------------+----------+| public | false | 0 | || role1 | false | 1398284083000 | uadmin |+---------+---------------+----------------+----------+
SHOW PRINCIPALS <rolename>
Lists all roles and users who belong to this role.
Only admin role has privilege for this.0: jdbc:hive2://localhost:10000> SHOW PRINCIPALS role1;+-----------------+-----------------+---------------+----------+---------------+----------------+| principal_name | principal_type | grant_option | grantor | grantor_type | grant_time |+-----------------+-----------------+---------------+----------+---------------+----------------+| role2 | ROLE | false | uadmin | USER | 1398285926000 || role3 | ROLE | true | uadmin | USER | 1398285946000 || user1 | USER | false | uadmin | USER | 1398285977000 |+-----------------+-----------------+---------------+----------+---------------+----------------+
Managing object privileges
GRANT
priv_type [, priv_type ] ...
...
SHOW GRANT [principal_name] ON (ALL| ([TABLE] <table_or_view_name>)
Currently any user can run this command. But this is likely to change in future to allow users to see only their own privileges, and additional privileges would be needed to see privileges of other users.
Examples:
Find out privileges user ashutosh has on table hivejiratable.0: jdbc:hive2://localhost:10000> show grant user ashutosh on table hivejiratable;+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| default | hivejiratable | | | ashutosh | USER | DELETE | false | 1398303419000 | thejas || default | hivejiratable | | | ashutosh | USER | SELECT | false | 1398303407000 | thejas |+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
Find out privileges user ashutosh has on all objects.0: jdbc:hive2://localhost:10000> show grant user ashutosh on all; +-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| default | hivecontributors | | | ashutosh | USER | DELETE | false | 1398303576000 | thejas || default | hivecontributors | | | ashutosh | USER | INSERT | false | 1398303576000 | thejas || default | hivecontributors | | | ashutosh | USER | SELECT | false | 1398303576000 | thejas || default | hivejiratable | | | ashutosh | USER | DELETE | false | 1398303419000 | thejas || default | hivejiratable | | | ashutosh | USER | SELECT | false | 1398303407000 | thejas |+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
Find out the privileges all users have on table hivejiratable.0: jdbc:hive2://localhost:10000> show grant on table hivejiratable;+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| default | hivejiratable | | | ashutosh | USER | DELETE | false | 1398303419000 | thejas || default | hivejiratable | | | ashutosh | USER | SELECT | false | 1398303407000 | thejas || default | hivejiratable | | | navis | USER | INSERT | false | 1398303650000 | thejas || default | hivejiratable | | | navis | USER | SELECT | false | 1398303650000 | thejas || default | hivejiratable | | | public | ROLE | SELECT | false | 1398303481000 | thejas || default | hivejiratable | | | thejas | USER | DELETE | true | 1398303380000 | thejas || default | hivejiratable | | | thejas | USER | INSERT | true | 1398303380000 | thejas || default | hivejiratable | | | thejas | USER | SELECT | true | 1398303380000 | thejas || default | hivejiratable | | | thejas | USER | UPDATE | true | 1398303380000 | thejas |+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
Configuration
Set the following to hive-site.xml
hive.server2.enable.doAs to false.
hive.users.in.admin.role to the list of comma separated users who need to be added to admin role
...