KMS ACL Configuration for Hive
When Hive joins tables, it compares the encryption key strength for each table. For
this operation to succeed, you must configure the KMS ACL to allow the hive
user and group READ
access to the Hive key.
<property>
<name>key.acl.hive-key.READ</name>
<value>hive hive</value>
</property>
If you have restricted access to the GET_METADATA
operation, you must grant permission for it to the
hive
user or group:
<property>
<name>hadoop.kms.acl.GET_METADATA</name>
<value>hive hive</value>
</property>
If you have disabled HiveServer2 Impersonation, you must configure the KMS ACLs to grant
DECRYPT_EEK
permissions to the hive
user, as well as any
user accessing data in the Hive warehouse.
Cloudera recommends creating a group containing all Hive users, and
granting DECRYPT_EEK
access to that group.
For example, suppose user jdoe
(home directory
/user/jdoe
) is a Hive user and a member of the
group hive-users
. The encryption zone (EZ) key for
/user/jdoe
is named jdoe-key
, and
the EZ key for /user/hive
is
hive-key
. The following ACL example demonstrates
the required permissions:
<property>
<name>key.acl.hive-key.DECRYPT_EEK</name>
<value>hive hive-users</value>
</property>
<property>
<name>key.acl.jdoe-key.DECRYPT_EEK</name>
<value>jdoe,hive</value>
</property>
If you have enabled HiveServer2 impersonation, data is accessed by
the user submitting the query or job, and the user account
(jdoe
in this example) may still need to access
data in their home directory. In this scenario, the required
permissions are as follows:
<property>
<name>key.acl.hive-key.DECRYPT_EEK</name>
<value>nobody hive-users</value>
</property>
<property>
<name>key.acl.jdoe-key.DECRYPT_EEK</name>
<value>jdoe</value>
</property>