SQL Standard-based Authorization with GRANT And REVOKE SQL Statements
Secure SQL standard-based authorization using the GRANT and REVOKE SQL statements is supported in Hive 0.13 and later. Hive provides three authorization models: SQL standard-based authorization, storage-based authorization, and default Hive authorization. In addition, Ranger provides centralized management of authorization for all HDP components. Use the following procedure to manually enable standard SQL authorization:
Note | |
---|---|
This procedure is unnecessary if your Hive administrator installed Hive using Ambari. |
Set the following configuration parameters in hive-site.xml:

Table 2.3. Configuration Parameters for Standard SQL Authorization

Configuration Parameter | Required Value |
---|---|
hive.server2.enable.doAs | false |
hive.users.in.admin.role | Comma-separated list of users granted the administrator role. |
Start HiveServer2 with the following command-line options:

Table 2.4. HiveServer2 Command-Line Options

Command-Line Option | Required Value |
---|---|
-hiveconf hive.security.authorization.manager | org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly |
-hiveconf hive.security.authorization.enabled | true |
-hiveconf hive.security.authenticator.manager | org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator |
-hiveconf hive.metastore.uris | ' ' (a space inside single quotation marks) |
Note | |
---|---|
Administrators must also specify a storage-based authorization manager for Hadoop clusters that also use storage-based authorization. The hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider, org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly |
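
An added example, not part of the original page or of Hive itself: a Python check that a hive-site.xml file and a HiveServer2 command line carry the values required by Tables 2.3 and 2.4. The sample configuration, user names and launcher command are constructed, and the storage_based switch assumes the second note means both managers are listed together, comma-separated.

```python
import shlex
import xml.etree.ElementTree as ET

SEC = "org.apache.hadoop.hive.ql.security."
EMBED_ONLY = SEC + "authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly"
STORAGE_BASED = SEC + "authorization.StorageBasedAuthorizationProvider"

def site_properties(xml_text):
    """Map property name -> value from hive-site.xml text."""
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def hiveconf_options(command_line):
    """Map key -> value for every '-hiveconf key=value' pair on the command line."""
    argv = shlex.split(command_line)
    return dict(arg.split("=", 1) for flag, arg in zip(argv, argv[1:])
                if flag == "-hiveconf" and "=" in arg)

def audit(site_xml, command_line, storage_based=False):
    """Return findings; an empty list means every required value is set."""
    site, opts = site_properties(site_xml), hiveconf_options(command_line)
    findings = []
    if site.get("hive.server2.enable.doAs", "").lower() != "false":
        findings.append("hive.server2.enable.doAs must be false")
    if not [u for u in site.get("hive.users.in.admin.role", "").split(",") if u.strip()]:
        findings.append("hive.users.in.admin.role names no users")
    # Assumption: storage_based=True expects both managers named in the second note.
    managers = {STORAGE_BASED, EMBED_ONLY} if storage_based else {EMBED_ONLY}
    got = {m.strip() for m in opts.get("hive.security.authorization.manager", "").split(",")}
    if got != managers:
        findings.append("hive.security.authorization.manager is not the required value")
    # hive.metastore.uris must be exactly one space, as Table 2.4 states.
    expected = {"hive.security.authorization.enabled": "true", "hive.metastore.uris": " ",
                "hive.security.authenticator.manager": SEC + "SessionStateUserAuthenticator"}
    for key, value in expected.items():
        if opts.get(key) != value:
            findings.append(f"{key} must be {value!r}")
    return findings

# Constructed sample inputs (user names and the launcher command are illustrative).
SAMPLE_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property><name>hive.users.in.admin.role</name><value>hiveadmin,alice</value></property>
</configuration>"""
SAMPLE_CMD = ("hive --service hiveserver2 -hiveconf hive.security.authorization.manager="
              + EMBED_ONLY + " -hiveconf hive.security.authorization.enabled=true"
              " -hiveconf hive.security.authenticator.manager=" + SEC
              + "SessionStateUserAuthenticator -hiveconf hive.metastore.uris=' '")

if __name__ == "__main__":
    print(audit(SAMPLE_SITE, SAMPLE_CMD) or "all required values present")
```

Run it against the real hive-site.xml text and the HiveServer2 process command line to catch drift such as doAs left at true or an empty admin role list.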