Create a Hive Policy

To add a new policy to an existing Hive service:

  1. On the Service Manager page, select an existing service under Hive.

    The List of Policies page appears.

  2. Click Add New Policy.

    The Create Policy page appears.

  3. Complete the Create Policy page as follows:

    Table 3.46. Policy Details

    Field / Description

    Policy Name

    Enter an appropriate policy name. This name cannot be duplicated across the system. This field is mandatory. The policy is enabled by default.

    Database

    Type in the applicable database name. The autocomplete feature displays available databases based on the entered text.

    Include is selected by default to allow access. Select Exclude to deny access.

    Table

    To continue adding a table-based policy, keep Table selected.

    Type in the applicable table name. The autocomplete feature displays available tables based on the entered text.

    Include is selected by default to allow access. Select Exclude to deny access.

    Column

    Type in the applicable Hive column name. The autocomplete feature displays available columns based on the entered text.

    Include is selected by default to allow access. Select Exclude to deny access.

    If you use the Ranger Hive plugin with HiveServer2 or HiveServer2-LLAP and the column or description permissions include All, you must set a parameter for Hive columns to display as expected: in Ambari > Hive, under ranger-hive-security.xml, set xasecure.hive.describetable.showcolumns.authorization.option=show-all. If this parameter is not set, the error message HiveAccessControlException is returned.

    URL

    The URL field in the Hive Policy is applicable only for cloud users.

    Specify the cloud storage path (for example s3a://dev-admin/demo/campaigns.txt) for which the end user needs permission to read Hive data from, or write Hive data to, cloud storage.

    Permissions: a READ operation on the URL permits the user to perform HiveServer2 operations that use S3 as the data source for Hive tables. A WRITE operation on the URL permits the user to perform HiveServer2 operations that write data to the specified S3 location.

    This feature is a Technical Preview: it is not ready for production deployment.

    Description

    (Optional) Describe the purpose of the policy.

    Hive Service Name

    hiveservice is used only in conjunction with Permissions=Service Admin. It enables a user who has Service Admin permission in Ranger to run the kill query API: kill query <queryID>. Supported value: *. (Required)

    Audit Logging

    Specify whether this policy is audited. (De-select to disable auditing.)


    Table 3.47. Allow Conditions

    Label / Description

    Select Group

    Specify a group to which this policy applies. To designate the group as an Administrator for the chosen resource, select the Delegate Admin check box. (Administrators can create child policies based on existing policies.)

    The public group contains all users, so granting access to the public group grants access to all users.

    Select User

    Specify one or more users to which this policy applies. To designate the user as an Administrator for the chosen resource, select the Delegate Admin check box. (Administrators can create child policies based on existing policies.)

    Permissions

    Add or edit permissions: Select, Update, Create, Drop, Alter, Index, Lock, All, ReplAdmin, Service Admin, Select/Deselect All.

    If you use the Ranger Hive plugin with HiveServer2 or HiveServer2-LLAP and the column or description permissions include All, you must set a parameter for Hive columns to display as expected: in Ambari > Hive, under ranger-hive-security.xml, set xasecure.hive.describetable.showcolumns.authorization.option=show-all. If this parameter is not set, the error message HiveAccessControlException is returned.

    To execute the repl dump, repl load, or repl status commands, you must set a parameter: in Ambari > Hive, under hive-site.xml, set hive.distcp.privileged.doAs=hive.

    Service Admin is used in conjunction with Hive Service Name and the kill query API: kill query <queryID>.

    Delegate Admin

    When Delegate Admin is selected, administrative privileges are assigned to the applicable users and groups. Delegated administrators can update and delete policies, and can also create child policies based on the original policy.


    For reference information, see: Wildcard Characters and {USER} Variable.

  4. You can use the Plus (+) symbol to add additional conditions. Conditions are evaluated in the order listed in the policy. The condition at the top of the list is applied first, then the second, then the third, and so on.

  5. Click Add.
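The same policy can be created without the UI by posting a JSON body to the Ranger Admin REST API (POST /service/public/v2/api/policy). The helper below, added here as an example and not part of Ranger or this guide, assembles that body from the fields in Tables 3.46 and 3.47 and enforces the rules the tables state (mandatory name, Include/Exclude per resource, Hive Service Name only with Service Admin, URL limited to read/write). The service name cl1_hive and the resource values are constructed sample data.

```python
"""Build a Ranger Hive policy body from the Create Policy fields."""
import json

# Permissions listed in Table 3.47, as Ranger spells the access types.
HIVE_ACCESS_TYPES = {"select", "update", "create", "drop", "alter", "index",
                     "lock", "all", "repladmin", "serviceadmin"}
# The URL resource only carries READ/WRITE (Table 3.46, URL row).
URL_ACCESS_TYPES = {"read", "write"}


def resource(values, exclude=False):
    """One resource cell: Include is the default, Exclude denies access."""
    return {"values": list(values), "isExcludes": exclude, "isRecursive": False}


def build_hive_policy(service, name, resources, allow_items, description="",
                      audit=True):
    """Validate the fields and return the dict Ranger expects as JSON."""
    if not name.strip():
        raise ValueError("Policy Name is mandatory")
    if "hiveservice" in resources and any(
            a != "serviceadmin" for item in allow_items for a in item["accesses"]):
        raise ValueError("hiveservice is used only with Permissions=Service Admin")
    allowed = URL_ACCESS_TYPES if "url" in resources else HIVE_ACCESS_TYPES
    items = []
    for item in allow_items:
        bad = set(item["accesses"]) - allowed
        if bad:
            raise ValueError(f"permissions {sorted(bad)} not valid for this resource")
        if not item.get("users") and not item.get("groups"):
            raise ValueError("each allow condition needs a user or a group")
        items.append({
            "accesses": [{"type": a, "isAllowed": True} for a in item["accesses"]],
            "users": list(item.get("users", [])),
            "groups": list(item.get("groups", [])),
            "delegateAdmin": bool(item.get("delegate_admin", False)),
        })
    return {"service": service, "name": name, "policyType": 0,
            "description": description, "isEnabled": True,
            "isAuditEnabled": audit, "resources": resources,
            "policyItems": items}


if __name__ == "__main__":
    # Constructed sample: analysts may SELECT every column of sales.* except ssn.
    policy = build_hive_policy(
        "cl1_hive", "sales_readonly",
        {"database": resource(["sales"]), "table": resource(["*"]),
         "column": resource(["ssn"], exclude=True)},
        [{"accesses": ["select"], "groups": ["analysts"]}])
    print(json.dumps(policy, indent=2))
```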

Note

The Ranger Hive plugin only protects HiveServer2; Hive CLI is not supported by Ranger.