You need to set parameters in hive-site.xml to enable
storage-based authorization (SBA).
When you use SBA, Hive performs authorization checks on the client rather than on the server.
This allows malicious users to circumvent these checks. Some metadata operations do
not check for authorization. See Apache JIRA HIVE-3009. DDL statements for managing
permissions have no effect on storage-based authorization, but they do not return error
messages (HIVE-3010).
- You obtained admin role privileges.
- Set authorization configuration parameters in hive-site.xml to enable storage-based authorization.
<property>
<name>hive.security.authorization.enabled</name>
<value>false</value>
</property>
<property>
<name>hive.security.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
<property>
<name>hive.server2.enable.doAs</name>
<value>true</value>
</property>
<property>
<name>hive.metastore.pre.event.listeners</name>
<value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
</property>
<property>
<name>hive.security.metastore.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
- Determine the required permissions of the tables and databases in your environment.
- Create a table or database in Hive, then manually modify the POSIX permissions using the HDFS file system commands.
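
To confirm that the properties from the first step are present and well formed before restarting Hive, a check like the following can be run over the contents of hive-site.xml. This is an added example, not part of the original documentation: `check_sba_config` and the sample input are hypothetical, and it assumes each property holds exactly the single value listed above.

```python
import xml.etree.ElementTree as ET

PKG = "org.apache.hadoop.hive.ql.security.authorization."
# Expected values, taken from the property list on this page.
EXPECTED = {
    "hive.security.authorization.enabled": "false",
    "hive.security.authorization.manager": PKG + "StorageBasedAuthorizationProvider",
    "hive.server2.enable.doAs": "true",
    "hive.metastore.pre.event.listeners": PKG + "AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager": PKG + "StorageBasedAuthorizationProvider",
}

def check_sba_config(xml_text):
    """Return a list of problems with the SBA properties in hive-site.xml text."""
    problems, seen = [], {}
    for prop in ET.fromstring(xml_text).iter("property"):
        names = [(n.text or "").strip() for n in prop.findall("name")]
        values = [(v.text or "").strip() for v in prop.findall("value")]
        key = names[0] if names else "<unnamed>"
        if len(names) != 1 or len(values) != 1:
            # e.g. the value was typed inside a second <name> element
            problems.append(f"{key}: malformed, needs one <name> and one <value>")
            seen[key] = None  # remember the key so it is not also reported as unset
        else:
            seen[key] = values[0]
    for key, want in EXPECTED.items():
        if key not in seen:
            problems.append(f"{key}: not set")
        elif seen[key] is not None and seen[key] != want:
            problems.append(f"{key}: is {seen[key]!r}, expected {want!r}")
    return problems

# Constructed sample input with deliberate mistakes: doAs disabled, a listener
# value placed in a second <name>, and the metastore manager left out.
SAMPLE = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value></property>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property><name>hive.metastore.pre.event.listeners</name>
    <name>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</name></property>
</configuration>"""

if __name__ == "__main__":
    for line in check_sba_config(SAMPLE):
        print(line)
```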