7. Configuring Storage-based Authorization

Set the following configuration properties in hive-site.xml to enable storage-based authorization:

hive.security.authorization.enabled
   Enables or disables Hive client authorization. This property must be set to false in hive-site.xml, but set to true for HiveServer2. Administrators can do this in one of two ways: as a command-line option when starting HiveServer2 or in a separate hiveserver2-site.xml configuration file.

hive.security.authorization.manager
   The class name of the Hive client authorization manager. Specify the following value for storage-based authorization: org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider

hive.server2.enable.doAs
   Allows Hive queries to be run by the user who submits the query rather than the Hive user. Must be set to true for storage-based authorization.

hive.metastore.pre.event.listeners
   Enables Metastore security. Specify the following value: org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener

hive.security.metastore.authorization.manager
   The class name of the Hive Metastore authorization manager. Specify the following value for storage-based authorization: org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider

These properties appear in the following snippet of hive-site.xml:

<property>
   <name>hive.security.authorization.enabled</name>
   <value>false</value>
</property>

<property>
   <name>hive.security.authorization.manager</name>
   <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>

<property>
   <name>hive.server2.enable.doAs</name>
   <value>true</value>
</property>

<property>
   <name>hive.metastore.pre.event.listeners</name>
   <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
</property>

<property>
   <name>hive.security.metastore.authorization.manager</name>
   <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
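As an added example (not part of this documentation or of Hive itself), the following Python script parses a hive-site.xml and checks the five properties above against the values this page requires. The sample document is constructed and carries two deliberate mistakes, so the script reports each; the SBA prefix and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Values this page requires in hive-site.xml for storage-based authorization.
SBA = "org.apache.hadoop.hive.ql.security.authorization."
EXPECTED = {
    "hive.security.authorization.enabled": "false",
    "hive.security.authorization.manager": SBA + "StorageBasedAuthorizationProvider",
    "hive.server2.enable.doAs": "true",
    "hive.metastore.pre.event.listeners": SBA + "AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager": SBA + "StorageBasedAuthorizationProvider",
}

def parse_hive_site(xml_text):
    """Return {name: value} for every <property>; a property with no <value>
    child (e.g. the value mistyped as a second <name>) is stored as None."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name is not None:
            props[name.strip()] = None if value is None else value.strip()
    return props

def audit_storage_based_auth(xml_text):
    """Return a list of findings (empty when all five properties are correct)."""
    props, findings = parse_hive_site(xml_text), []
    for name, want in EXPECTED.items():
        got = props.get(name, "<missing>")
        if got is None:
            findings.append(f"{name}: <property> has no <value> element")
        elif got != want:
            findings.append(f"{name}: expected {want!r}, found {got!r}")
    return findings

# Constructed sample with two mistakes: client authorization left enabled in
# hive-site.xml, and the listener's <value> written as a second <name>.
SAMPLE_BAD = f"""<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name>
            <value>{SBA}StorageBasedAuthorizationProvider</value></property>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property><name>hive.metastore.pre.event.listeners</name>
            <name>{SBA}AuthorizationPreEventListener</name></property>
  <property><name>hive.security.metastore.authorization.manager</name>
            <value>{SBA}StorageBasedAuthorizationProvider</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_storage_based_auth(SAMPLE_BAD) or ["hive-site.xml is consistent"]:
        print(finding)
```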

Administrators can use either of the following methods to create new tables and databases with appropriate storage-based permissions:

  • Use the Hive CLI to create the table or database, then manually modify the POSIX permissions using the HDFS file system commands.

  • Use the HCatalog CLI.

The HCatalog command line tool uses the same syntax as Hive, but creates the table or database with a corresponding directory owned by the user creating it. Assigning a group permission is also supported. However, there are known issues with the HCatalog CLI:

  • Some metadata operations do not check for authorization. See Apache JIRA HIVE-3009 for more information.

  • Hive currently performs authorization checks on the client, rather than the server. This allows malicious users to circumvent these checks.

  • DDL statements for managing permissions have no effect on storage-based authorization, but they do not return error messages. See Apache JIRA HIVE-3010 for more information.