Configuring Storage-Based Authorization
Prerequisite
You must have admin role privileges.
Steps
1. Set the following configuration properties in the hive-site.xml file to enable storage-based authorization:

   hive.security.authorization.enabled
      Enables or disables Hive client authorization done as part of query compilation. This property must be set to false in the hive-site.xml file for storage-based authorization, because authorization is already enforced through checks on metastore API calls.

   hive.server2.enable.doAs
      Allows Hive queries to be run as the user who submits the query rather than as the Hive user. Must be set to true for storage-based access.

   hive.metastore.pre.event.listeners
      Enables metastore security. Specify the following value:
      org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener

   hive.security.metastore.authorization.manager
      The class name of the Hive metastore authorization manager. Specify the following value for storage-based authorization:
      org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider

   These properties appear in the following snippet of the hive-site.xml file:

   <property>
     <name>hive.security.authorization.enabled</name>
     <value>false</value>
   </property>
   <property>
     <name>hive.security.authorization.manager</name>
     <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
   </property>
   <property>
     <name>hive.server2.enable.doAs</name>
     <value>true</value>
   </property>
   <property>
     <name>hive.metastore.pre.event.listeners</name>
     <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
   </property>
   <property>
     <name>hive.security.metastore.authorization.manager</name>
     <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
   </property>
2. Determine the required permissions of the tables and databases in your environment. See the "Permissions for Apache Hive Operations" section for further information.
3. Use either of the following methods to create new tables and databases with appropriate storage-based permissions:
   - Create the table or database in the Hive CLI, then manually modify the POSIX permissions using the HDFS file system commands.
   - Use the HCatalog CLI. The HCatalog command line tool uses the same syntax as Hive, but creates the table or database with a corresponding directory owned by the user creating it. Assigning a group permission is also supported. However, there are known issues with the HCatalog CLI:
     - Some metadata operations do not check for authorization. See Apache JIRA HIVE-3009 for more information.
     - Hive performs authorization checks on the client, rather than the server. This allows malicious users to circumvent these checks.
     - DDL statements for managing permissions have no effect on storage-based authorization, but they do not return error messages. See Apache JIRA HIVE-3010 for more information.