Securing Apache Hive

Configure storage-based authorization

You need to set parameters in hive-site.xml to enable storage-based authorization (SBA).

When you use SBA, Hive performs authorization checks on the client rather than on the server. This allows malicious users to circumvent these checks. Some metadata operations do not check for authorization (see Apache JIRA HIVE-3009). DDL statements for managing permissions have no effect on storage-based authorization, but they do not return error messages (HIVE-3010).
  • You obtained admin role privileges.
  1. Set the authorization configuration parameters in hive-site.xml to enable storage-based authorization.
    <property>
       <name>hive.security.authorization.enabled</name>
       <value>false</value>
    </property>
    
    <property>
       <name>hive.security.authorization.manager</name>
       <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
    </property>
    
    <property>
       <name>hive.server2.enable.doAs</name>
       <value>true</value>
    </property>
    
    <property>
       <name>hive.metastore.pre.event.listeners</name>
       <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
    </property>
    
    <property>
       <name>hive.security.metastore.authorization.manager</name>
       <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
    </property>
  2. Determine the required permissions of the tables and databases in your environment.
  3. Create a table or database in Hive, then manually modify the POSIX permissions using the HDFS file system commands.
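
The following check is an added example, not part of the original documentation or of Hive itself: it parses a hive-site.xml document and reports any of the five settings from step 1 that are missing, differ from the values given there, or sit in a malformed property with no value element. The names check_sba, EXPECTED and SAMPLE are chosen for this example, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

AUTHZ = "org.apache.hadoop.hive.ql.security.authorization."
# Expected values, copied from step 1 of this page.
EXPECTED = {
    "hive.security.authorization.enabled": "false",
    "hive.security.authorization.manager": AUTHZ + "StorageBasedAuthorizationProvider",
    "hive.server2.enable.doAs": "true",
    "hive.metastore.pre.event.listeners": AUTHZ + "AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager": AUTHZ + "StorageBasedAuthorizationProvider",
}
LIST_VALUED = {"hive.metastore.pre.event.listeners"}  # comma-separated class names

# Constructed sample: doAs disabled, and a listener class placed in a second <name>.
SAMPLE = f"""<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property>
    <name>hive.metastore.pre.event.listeners</name>
    <name>{AUTHZ}AuthorizationPreEventListener</name>
  </property>
</configuration>"""

def check_sba(xml_text):
    """Return a list of findings; an empty list means all five settings match."""
    findings, values = [], {}
    for prop in ET.fromstring(xml_text).iter("property"):
        names = [(n.text or "").strip() for n in prop.findall("name")]
        if len(names) != 1:
            findings.append(f"malformed property, {len(names)} <name> elements: {names[:1]}")
        key = names[0] if names else None
        if key not in EXPECTED:
            continue
        if key in values:
            findings.append(f"{key}: defined more than once")
        values[key] = (prop.findtext("value") or "").strip()
    for key, want in EXPECTED.items():
        got = values.get(key)
        if got is None:
            findings.append(f"{key}: not set")
        elif not got:
            findings.append(f"{key}: missing or empty <value>")
        elif key in LIST_VALUED:
            if want not in [c.strip() for c in got.split(",")]:
                findings.append(f"{key}: {want} not listed")
        elif (got.lower() if want in ("true", "false") else got) != want:
            findings.append(f"{key}: expected {want}, found {got}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_sba(SAMPLE)))
```

Run it against the hive-site.xml used by both HiveServer2 and the metastore; a property that carries a class name but no value element is reported instead of being silently treated as unset.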