4. Configuring SQL Standard-Based Authorization

Use the following procedure to configure SQL standard-based authorization for Hive:

  • Set the following configuration properties in hive-site.xml to enable SQL standard-based authorization.

    • hive.server2.enable.doAs

      Allows Hive queries to be run by the user who submits the query, rather than by the hive user. Must be set to FALSE for SQL standard-based authorization.

    • hive.users.in.admin.role

      Comma-separated list of users assigned to the ADMIN role.

  • The Hive administrator must grant herself the ADMIN privilege:

    GRANT admin TO USER hiveadmin;

  • Administrators must start HiveServer2 with the following command-line options:

    Command line option                    Required value
    -------------------------------------  ----------------------------------------------------------------
    hive.security.authorization.manager    org.apache.hadoop.hive.ql.security.authorization.plugin.sql
    hive.security.authorization.enabled    true
    hive.security.authenticator.manager    org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
    hive.metastore.uris                    "" (Quotation marks surrounding a single empty space)

    These properties appear in the following snippet of hive-site.xml:

    <property>
     <name>hive.security.authorization.manager</name>
     <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sql</value>
    </property>
    
    <property>
     <name>hive.security.authorization.enabled</name>
     <value>true</value>
    </property>
    
    <property>
     <name>hive.security.authenticator.manager</name>
     <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
    </property>
    
    <property>
     <name>hive.metastore.uris</name>
     <value>""</value>
    </property>
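
An added example, not part of the original documentation: a small audit that parses a hive-site.xml and reports where it deviates from the values listed in this procedure. The function name, the finding strings and the sample file are assumptions made for illustration; hive.metastore.uris is left unchecked here.

```python
import xml.etree.ElementTree as ET

# Required values as listed on this page (property name -> value).
REQUIRED = {
    "hive.server2.enable.doAs": "false",
    "hive.security.authorization.enabled": "true",
    "hive.security.authorization.manager":
        "org.apache.hadoop.hive.ql.security.authorization.plugin.sql",
    "hive.security.authenticator.manager":
        "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
}
BOOLEANS = {"true", "false"}

def audit(xml_text):
    """Return a list of findings; an empty list means the file matches the page."""
    props, findings = {}, []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name in props:
            findings.append(f"{name}: defined more than once")
        props[name] = (prop.findtext("value") or "").strip()
    for name, want in REQUIRED.items():
        got = props.get(name)
        if got is None:
            findings.append(f"{name}: missing, expected {want}")
        # Booleans are compared case-insensitively, class names exactly.
        elif (got.lower() if want in BOOLEANS else got) != want:
            findings.append(f"{name}: is {got!r}, expected {want}")
    # The ADMIN role needs at least one named user.
    admins = [u.strip() for u in props.get("hive.users.in.admin.role", "").split(",")]
    if not any(admins):
        findings.append("hive.users.in.admin.role: no users listed")
    return findings

# Constructed sample input, not taken from a real cluster.
SAMPLE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>TRUE</value></property>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sql</value></property>
  <property><name>hive.users.in.admin.role</name><value> , </value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the constructed sample the audit reports three findings: doAs still enabled, the authenticator manager missing, and an admin list with no users.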