Cloudera recommends using Apache Ranger policies to secure Hive data in Hive
metastore. You need to perform a few actions to prevent users from bypassing HiveServer to
access the Hive metastore and the Hive metastore database.
-
Add a firewall rule on the metastore service host to allow access to the metastore port only
from the HiveServer2 host. You can do this using iptables.
-
Grant access to the metastore database only from the metastore service host.
For example, in MySQL:
GRANT ALL PRIVILEGES ON metastore.* TO 'hive'@'metastorehost';
where metastorehost is the host where the metastore service is running.
-
Make sure users who are not administrators cannot log into the HiveServer host.