Data Access

SQL Standard-Based Authorization with GRANT and REVOKE SQL Statements

Secure SQL standard-based authorization using the GRANT and REVOKE SQL statements is supported in Hive 0.13 and later. Hive provides three authorization models: SQL standard-based authorization, storage-based authorization, and default Hive authorization. In addition, Ranger provides centralized management of authorization for all HDP components. Use the following procedure to manually enable standard SQL authorization:

Note

This procedure is unnecessary if your Hive administrator installed Hive using Ambari.

  1. Set the following configuration parameters in the hive-site.xml file:

    Table 2.5. Configuration Parameters for Standard SQL Authorization

    | Configuration Parameter | Required Value |
    |---|---|
    | hive.server2.enable.doAs | false |
    | hive.users.in.admin.role | Comma-separated list of users granted the administrator role. |


  2. Start HiveServer2 with the following command-line options:

    Table 2.6. HiveServer2 Command-Line Options

    | Command-Line Option | Required Value |
    |---|---|
    | -hiveconf hive.security.authorization.manager | org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly |
    | -hiveconf hive.security.authorization.enabled | true |
    | -hiveconf hive.security.authenticator.manager | org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator |
    | -hiveconf hive.metastore.uris | ' ' (a space inside single quotation marks) |


Note

Administrators must also specify a storage-based authorization manager for Hadoop clusters that also use storage-based authorization. The hive.security.authorization.manager configuration property allows multiple authorization managers in comma-delimited format, so the correct value in this case is:

hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly
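The following check is an added example, not part of the original documentation: it compares a hive-site.xml and a HiveServer2 argument list against the values in Tables 2.5 and 2.6, and accepts the comma-delimited manager list described in the note above. The function names, the sample XML, the sample argument list, and the user name hiveadmin are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SEC = "org.apache.hadoop.hive.ql.security."
EMBED_ONLY = SEC + "authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly"
SESSION_AUTH = SEC + "SessionStateUserAuthenticator"

def site_properties(xml_text):
    """Return {name: value} for every <property> in hive-site.xml text."""
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def hiveconf_options(argv):
    """Return {key: value} for each '-hiveconf key=value' pair in argv."""
    return {kv.split("=", 1)[0]: kv.split("=", 1)[1]
            for flag, kv in zip(argv, argv[1:])
            if flag.lstrip("-") == "hiveconf" and "=" in kv}

def audit(xml_text, argv):
    """List every deviation from the values in Tables 2.5 and 2.6."""
    site, opts, findings = site_properties(xml_text), hiveconf_options(argv), []
    if site.get("hive.server2.enable.doAs", "").lower() != "false":
        findings.append("hive.server2.enable.doAs must be false")
    if not any(u.strip() for u in site.get("hive.users.in.admin.role", "").split(",")):
        findings.append("hive.users.in.admin.role lists no users")
    # The manager may be a comma-delimited list (storage-based + SQL standard).
    managers = opts.get("hive.security.authorization.manager", "").split(",")
    if EMBED_ONLY not in [m.strip() for m in managers]:
        findings.append("authorization manager lacks MetaStoreAuthzAPIAuthorizerEmbedOnly")
    if opts.get("hive.security.authorization.enabled", "").lower() != "true":
        findings.append("hive.security.authorization.enabled must be true")
    if opts.get("hive.security.authenticator.manager") != SESSION_AUTH:
        findings.append("authenticator manager must be SessionStateUserAuthenticator")
    if opts.get("hive.metastore.uris") != " ":
        findings.append("hive.metastore.uris must be a single space")
    return findings

# Constructed sample inputs (not from the page); doAs is deliberately wrong.
SAMPLE_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property><name>hive.users.in.admin.role</name><value>hiveadmin</value></property>
</configuration>"""
SAMPLE_ARGV = ["hiveserver2",
    "-hiveconf", "hive.security.authorization.manager=" + SEC
        + "authorization.StorageBasedAuthorizationProvider," + EMBED_ONLY,
    "-hiveconf", "hive.security.authorization.enabled=true",
    "-hiveconf", "hive.security.authenticator.manager=" + SESSION_AUTH,
    "-hiveconf", "hive.metastore.uris= "]

if __name__ == "__main__":
    print(audit(SAMPLE_SITE, SAMPLE_ARGV))
```

An empty result means both the file and the start command match the tables; any other result names the setting to correct before relying on GRANT and REVOKE.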