1. New Feature: Authorization with Grant And Revoke

Hive 0.13 provides secure authorization using the GRANT and REVOKE SQL statements. Use the following procedure to manually enable standard SQL authorization:

	Note
	This procedure is unnecessary if your Hive administrator installed Hive using Ambari.

Set the following configuration parameters in hive-site.xml:

Table 3.1. Configuration Parameters for Standard SQL Authorization
Configuration Parameter Required Value
hive.server2.enable.doAs false
hive.users.in.admin.role Comma-separated list of users granted the administrator role.

Configuration Parameter	Required Value
`hive.server2.enable.doAs`	`false`
`hive.users.in.admin.role`	Comma-separated list of users granted the administrator role.

Start HiveServer2 with the following command-line options:

Table 3.2. HiveServer2 Command-Line Options

Command-Line Option	Required Value
`-hiveconf hive.security.authorization.manager`	`org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly`
`-hiveconf hive.security.authorization.enabled`	`true`
`-hiveconf hive.security.authenticator.manager`	`org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator`
`-hiveconf hive.metastore.uris`	`' '` (a space inside single quotation marks)

	Note
	Hive continues to provide storage-based authorization. See Hive Authorization Without `GRANT/REVOKE` for more information.

Note

Administrators must also specify a storage-based authorization manger for Hadoop clusters that also use storage-based authorization. The hive.security.authorization.manager configuration property allows multiple authorization managers in comma-delimited format, so the correct value in this case is hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly.

Legal notices