...
To provide security for metadata, release 0.10 adds authorization capability to the metastore. (See HIVE-3705.)
Metastore Storage Based Authorization
When metastore server security is configured to use Storage Based Authorization, it uses the file system permissions for folders corresponding to the different metadata objects as the source of truth for the authorization policy. Use of Storage Based Authorization in metastore is recommended.
See details in the Storage Based Authorization document. This model bases authorization on access rights to the underlying storage system, not on privileges granted to users, groups, and roles.
Configuration Parameters for Metastore Security
...
hive.metastore.pre.event.listeners
Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener.
This turns on metastore-side security.
hive.security.metastore.authorization.manager
Set to org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider.
This tells Hive which metastore-side authorization provider to use. The default setting uses DefaultHiveMetastoreAuthorizationProvider, which implements the standard Hive grant/revoke model. To use an HDFS permission-based model (recommended) to do your authorization, you can use org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider instead.
Version: The StorageBasedAuthorizationProvider was introduced in Hive 0.10.0, running on the metastore side only (HIVE-3705). Starting in Hive 0.12.0 it also runs on the client side (HIVE-5048 and HIVE-5402).
hive.security.metastore.authenticator.manager
Set to org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator.
...
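A check for the three parameters above, as an added example that is not part of the Hive documentation or code base: it parses a hive-site.xml in the Hadoop property format and reports where the file departs from the values given here. The function names and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PKG = "org.apache.hadoop.hive.ql.security"
LISTENER = PKG + ".authorization.AuthorizationPreEventListener"
STORAGE_BASED = PKG + ".authorization.StorageBasedAuthorizationProvider"
AUTHENTICATOR = PKG + ".HadoopDefaultMetastoreAuthenticator"

# Constructed sample: listener enabled, provider left on the grant/revoke default.
SAMPLE_SITE_XML = """<configuration>
  <property>
    <name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
  </property>
  <property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>
  </property>
</configuration>"""

def load_properties(xml_text):
    """Parse Hadoop-style <property><name/><value/></property> entries into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def classes(props, key):
    """Split a value on commas (a single class name yields a one-item list)."""
    return [c.strip() for c in props.get(key, "").split(",") if c.strip()]

def audit_metastore_security(xml_text):
    """Return a list of findings; an empty list means all three settings match."""
    props = load_properties(xml_text)
    findings = []
    if LISTENER not in classes(props, "hive.metastore.pre.event.listeners"):
        findings.append("pre.event.listeners: AuthorizationPreEventListener "
                        "missing, metastore-side security is off")
    managers = classes(props, "hive.security.metastore.authorization.manager")
    if STORAGE_BASED not in managers:
        findings.append("authorization.manager: %s, not the recommended "
                        "StorageBasedAuthorizationProvider"
                        % (", ".join(managers) or "unset (grant/revoke default)"))
    if AUTHENTICATOR not in classes(props, "hive.security.metastore.authenticator.manager"):
        findings.append("authenticator.manager: not explicitly set to "
                        "HadoopDefaultMetastoreAuthenticator")
    return findings
```

Run against the constructed sample, `audit_metastore_security(SAMPLE_SITE_XML)` returns two findings: the authorization manager is still the grant/revoke provider, and the authenticator is not set.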