Storage-Based Authorization
As the name implies, storage-based authorization relies on the authorization provided
by the storage layer. In the case of an HDP cluster, the storage layer is HDFS, which
provides both POSIX and ACL permissions. Hive is one of many HDP components that share
storage on HDFS. HCatalog provides all of these components with a single consistent view
of metadata, and this is why storage-based authorization is enabled in the Hive Metastore
server. By enabling this model on the Hive Metastore Server, Hadoop administrators can
provide consistent data and metadata authorization. The model controls access to metadata
and checks permissions on the corresponding directories of the HDFS file system. Traditional
POSIX permissions for the HDFS directories where tables reside determine access to those
tables. For example, to alter table metadata for a table stored in HDFS at
/user/hive/warehouse/mytable, a user must have WRITE permissions on that directory.
However, this authorization model doesn't support column-level security.
In addition to the traditional POSIX permissions model, HDFS also provides ACLs, or access control lists, as described in ACLs on HDFS. An ACL consists of a set of ACL entries, and each entry names a specific user or group and grants or denies read, write, and execute permissions for the specified user or group. These ACLs are also based on POSIX specifications, and they are compatible with the traditional POSIX permissions model.
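The following added example (not part of the original documentation) evaluates a constructed `hdfs dfs -getfacl` listing for the table directory in the POSIX ACL check order, showing how the mask entry can leave a named user without the WRITE permission needed to alter table metadata. The user and group names, the sample listing, and the function names are assumptions made for illustration.

```python
# Constructed `hdfs dfs -getfacl` output; user and group names are made up.
SAMPLE_GETFACL = """\
# file: /user/hive/warehouse/mytable
# owner: hive
# group: hadoop
user::rwx
user:etl_svc:rwx
group::r-x
group:analysts:r-x
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries maps (type, name) -> perm set."""
    owner = owning_group = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            owning_group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            # Drop a trailing "#effective:..." annotation before splitting.
            kind, name, perms = line.split("#")[0].strip().split(":")
            entries[(kind, name)] = set(perms) - {"-"}
    return owner, owning_group, entries

def is_allowed(acl, user, groups, perm):
    """Apply the POSIX ACL check order for perm in 'r', 'w', 'x'."""
    owner, owning_group, entries = acl
    mask = entries.get(("mask", ""), set("rwx"))
    if user == owner:                       # owner entry is never masked
        return perm in entries[("user", "")]
    if ("user", user) in entries:           # named user, filtered by mask
        return perm in entries[("user", user)] & mask
    group_entries = [p for (kind, name), p in entries.items()
                     if kind == "group" and (name or owning_group) in groups]
    if group_entries:                       # any matching group may grant
        return any(perm in p & mask for p in group_entries)
    return perm in entries[("other", "")]

ACL = parse_getfacl(SAMPLE_GETFACL)
```

Here `etl_svc` is listed with `rwx`, but the `r-x` mask reduces its effective permissions, so a metadata change on `mytable` by that user would be refused until the mask is widened.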
HDFS ACL permissions provide administrators with authentication control over databases, tables, and table partitions on the HDFS file system. For example, an administrator can create a role with a set of grants on specific HDFS tables, then grant the role to a group of users. Roles allow administrators to easily reuse permission grants. Hortonworks recommends relying on POSIX permissions and a small number of ACLs to augment the POSIX permissions for exceptions and edge cases.
Note: A file with an ACL incurs additional memory cost to the NameNode due to the alternate algorithm used for permission checks on such files.