HDFS ACL permissions model
As administrator, you must understand the permissions model supported in HDP 3.0 and later. If you do not use Ranger for security, you can add users to an HDFS access control list to permit access to the Hive warehouse for running DML queries.
Hive 3 supports the HDFS access control model instead of the past Hive permission inheritance based on the hive.warehouse.subdir.inherit.perms parameter setting. In Hive 3, a directory inherits permissions from the Default ACL.
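An added example, not from the original page: a small Python audit of `hdfs dfs -getfacl` output that checks whether a user has the needed effective permissions in both the access ACL and the Default ACL that new subdirectories inherit. The sample output, the path, the user names and the `rwx` requirement are assumptions made for the illustration.

```python
# Constructed sample of `hdfs dfs -getfacl` output; the path and users are placeholders.
SAMPLE_GETFACL = """\
# file: /path/to/hive/warehouse
# owner: hive
# group: hadoop
user::rwx
user:alice:rwx
user:bob:rwx
group::r-x
mask::r-x
other::---
default:user::rwx
default:user:alice:rwx
default:group::r-x
default:mask::rwx
default:other::---
"""

def parse_acl(text):
    """Split getfacl output into access and default entries keyed by (type, name)."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        etype, name, perms = line.split(":")
        acl[scope][(etype, name)] = set(perms) - {"-"}
    return acl

def effective(entries, user):
    """Named-user permissions after the mask is applied, or None if no entry exists."""
    perms = entries.get(("user", user))
    return None if perms is None else perms & entries.get(("mask", ""), perms)

def audit_user(text, user, needed="rwx"):
    """List the gaps that stop `user` from getting `needed` now and on new subdirectories."""
    acl, findings = parse_acl(text), []
    for scope in ("access", "default"):
        eff = effective(acl[scope], user)
        if eff is None:
            findings.append(f"{scope}: no entry for {user}")
        elif not set(needed) <= eff:
            shown = "".join(c if c in eff else "-" for c in "rwx")
            findings.append(f"{scope}: effective {shown} lacks {needed}")
    return findings
```

For `bob` in the sample, the audit reports a missing Default ACL entry, which means directories created later under the warehouse would not inherit his access; for both users the access mask `r-x` removes the write bit.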
Managing YARN queues
- User submits the query through HiveServer (HS2) to the YARN queue.
- Tez app starts for the user.
- Access to the YARN queue is checked for this user.
As administrator, you can allocate resources to different users.
Configure services for this behavior as described below:
Ranger
When you enable Ranger, you disable user impersonation (doAs=false). This is the Hive default and Ranger is the recommended security model. With no impersonation, HiveServer authorizes only the hive user to access Hive tables and YARN queues unless you also configure the following parameter:
hive.server2.tez.queue.access.check=true
SBA
As administrator, if you do not use the recommended Ranger security, you enable the doAs impersonation parameter to use SBA (hive.server2.enable.doAs=true).
This action also causes HiveServer to authorize the original user who issued the query to access YARN queues while running the Tez application as the hive user.