SQL Standard-Based Authorization with GRANT
and REVOKE
SQL Statements
Secure SQL standard-based authorization using the GRANT
and REVOKE
SQL statements is supported in
Hive 0.13 and later. Hive provides three authorization models: SQL standard-based authorization, storage-based authorization, and default Hive authorization. In addition, Ranger provides centralized management of authorization for all HDP components. Use the following procedure to manually enable standard SQL authorization:
Note | |
---|---|
This procedure is unnecessary if your Hive administrator installed Hive using Ambari. |
Set the following configuration parameters in the
hive-site.xml
file:Table 2.5. Configuration Parameters for Standard SQL Authorization
Configuration Parameter
Required Value
hive.server2.enable.doAs
false
hive.users.in.admin.role
Comma-separated list of users granted the administrator role.
Start HiveServer2 with the following command-line options:
Table 2.6. HiveServer2 Command-Line Options
Command-Line Option Required Value -hiveconf hive.security.authorization.manager
org.apache.hadoop.hive.ql.security. authorization. MetaStoreAuthzAPIAuthorizerEmbedOnly
-hiveconf hive.security.authorization.enabled
true
-hiveconf hive.security.authenticator.manager
org.apache.hadoop.hive.ql.security. SessionStateUserAuthenticator
-hiveconf hive.metastore.uris
''
(a space inside single quotation marks)
Note | |
---|---|
Administrators must also specify a storage-based authorization manager for Hadoop clusters that also
use storage-based authorization. The hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider, org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly |