In this use case, Hive contains a partitioned table of sales data. The partition key is "country". Hive persists partitioned tables using a separate subdirectory for each distinct value of the partition key, so the file system structure in HDFS looks like this:
```
user
`-- hive
    `-- warehouse
        `-- sales
            |-- country=CN
            |-- country=GB
            `-- country=US
```
A "salesadmin" group is the owning group for all of these files. Members of this group have Read and Write access to all files. Separate country-specific groups can run Hive queries that only read data for a specific country, e.g., "sales_CN", "sales_GB", and "sales_US". These groups do not have Write access.
This use case can be addressed by setting an access ACL on each subdirectory containing an owning group entry and a named group entry:
```
country=CN
    group::rwx
    group:sales_CN:r-x
country=GB
    group::rwx
    group:sales_GB:r-x
country=US
    group::rwx
    group:sales_US:r-x
```
Note that the owning group ACL entry (the group entry with no name) is functionally equivalent to setting the group permission bits.
> **Important:** Storage-based authorization in Hive does not currently consider the ACL permissions in HDFS. Rather, it verifies access using the traditional POSIX permissions model.
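The following is an added example, not Hadoop or Hive code, that models the two checks this page contrasts: the HDFS ACL evaluation order (owner entry, then named user, then owning and named group entries filtered by the mask, then other) and the plain owner/group/other bits that Hive storage-based authorization falls back on. It encodes the `country=CN` entries from the table above; the owner `hive`, the `other::---` entry, the implicit mask, and the user names `alice`, `bob` and `carol` are constructed assumptions the page does not state. On a real cluster the named group entry would be applied with `hdfs dfs -setfacl -m group:sales_CN:r-x /user/hive/warehouse/sales/country=CN`.

```python
"""Constructed model of HDFS ACL evaluation versus a POSIX-bits-only check.

Not Hadoop/Hive code. Owner, 'other' bits and user names are assumptions.
"""

R, W, X = 4, 2, 1


def parse_bits(text):
    """'r-x' -> 5, in the usual rwx bit encoding."""
    return ((R if text[0] == "r" else 0)
            | (W if text[1] == "w" else 0)
            | (X if text[2] == "x" else 0))


def parse_acl(spec):
    """Parse an aclSpec string such as 'user::rwx,group::rwx,group:sales_CN:r-x,other::---'
    into {(type, name): bits}; name is '' for the unnamed owner/group/other/mask entries."""
    entries = {}
    for item in spec.split(","):
        etype, name, perm = item.strip().split(":")
        entries[(etype, name)] = parse_bits(perm)
    return entries


def effective_mask(entries):
    """Explicit mask entry if present; otherwise the union of the owning-group entry
    and all named user/group entries, which is how HDFS derives an implicit mask."""
    if ("mask", "") in entries:
        return entries[("mask", "")]
    mask = 0
    for (etype, name), perm in entries.items():
        if etype == "group" or (etype == "user" and name):
            mask |= perm
    return mask


def hdfs_acl_allows(entries, owner, owning_group, user, groups, want):
    """HDFS ACL evaluation order: owner entry; else named user entry (masked);
    else owning-group and named-group entries (masked), granting if any grants and
    denying if some matched but none granted; else the other entry."""
    mask = effective_mask(entries)
    if user == owner:
        return (entries[("user", "")] & want) == want
    if ("user", user) in entries:
        return (entries[("user", user)] & mask & want) == want
    matched = False
    for g in groups:
        key = ("group", "") if g == owning_group else ("group", g)
        if key in entries:
            matched = True
            if (entries[key] & mask & want) == want:
                return True
    if matched:
        return False
    return (entries[("other", "")] & want) == want


def posix_bits_allows(entries, owner, owning_group, user, groups, want):
    """Traditional owner/group/other check, i.e. what a component that ignores ACLs
    sees. When an ACL exists, HDFS reports the mask in the group-bits position."""
    if user == owner:
        bits = entries[("user", "")]
    elif owning_group in groups:
        bits = effective_mask(entries)
    else:
        bits = entries[("other", "")]
    return (bits & want) == want


# Constructed ACL for /user/hive/warehouse/sales/country=CN, built from the page's
# table. The owner entry and 'other::---' are assumptions; the page gives only
# the two group entries.
SALES_CN_ACL = parse_acl("user::rwx,group::rwx,group:sales_CN:r-x,other::---")
OWNER, OWNING_GROUP = "hive", "salesadmin"


def check_all(user, groups):
    """Return (hdfs_read, hdfs_write, posix_read, posix_write) for one principal."""
    args = (SALES_CN_ACL, OWNER, OWNING_GROUP, user, groups)
    return (hdfs_acl_allows(*args, R), hdfs_acl_allows(*args, W),
            posix_bits_allows(*args, R), posix_bits_allows(*args, W))


if __name__ == "__main__":
    # Constructed principals: a salesadmin member, a sales_CN member, a sales_GB member.
    for user, groups in [("alice", ["salesadmin"]),
                         ("bob", ["sales_CN"]),
                         ("carol", ["sales_GB"])]:
        print(user, groups, check_all(user, groups))
```

The `bob` row is the point of the Important note: the HDFS ACL grants the `sales_CN` member read access through the named group entry, but a check that only looks at owner/group/other bits places that user under `other` and denies the same read, so a Hive deployment relying on storage-based authorization must keep the traditional permission bits in line with the intended grants rather than depending on the named group entries alone.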