Configuring Storage-based Authorization
Set the following configuration properties in hive-site.xml to enable storage-based authorization:
| Configuration Property | Description |
|---|---|
| hive.security.authorization.enabled | Enables or disables Hive client authorization done as part of query compilation. This property must be set to false in hive-site.xml for storage-based authorization, because the same checks are already enforced on metastore API calls. |
| hive.server2.enable.doAs | Allows Hive queries to be run by the user who submits the query rather than the Hive user. Must be set to true for storage-based access. |
| hive.metastore.pre.event.listeners | Enables Metastore security. Specify the following value: org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener |
| hive.security.metastore.authorization.manager | The class name of the Hive Metastore authorization manager. Specify the following value for storage-based authorization: org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider |
These properties appear in the following snippet of hive-site.xml:
```xml
<property>
  <name>hive.security.authorization.enabled</name>
  <value>false</value>
</property>
<property>
  <name>hive.server2.enable.doAs</name>
  <value>true</value>
</property>
<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
</property>
<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
```
Administrators can use either of the following methods to create new tables and databases with appropriate storage-based permissions:
- Use the Hive CLI to create the table or database, then manually modify the POSIX permissions using the HDFS file system commands.
- Use the HCatalog CLI.
The HCatalog command line tool uses the same syntax as Hive, but creates the table or database with a corresponding directory owned by the user creating it. Assigning a group permission is also supported. However, there are known issues with the HCatalog CLI:
- Some metadata operations do not check for authorization. See Apache JIRA HIVE-3009 for more information.
- Hive currently performs authorization checks on the client, rather than the server. This allows malicious users to circumvent these checks.
- DDL statements for managing permissions have no effect on storage-based authorization, but they do not return error messages. See Apache JIRA HIVE-3010 for more information.