Securing Hive metastore

Cloudera recommends using Apache Ranger policies to secure Hive data in Hive metastore. You need to perform a few actions to prevent users from bypassing HiveServer to access the Hive metastore and the Hive metastore database.

  1. Add a firewall rule on the metastore service host to allow access to the metastore port only from the HiveServer2 host. You can do this using iptables.
  2. Grant access to the metastore database only from the metastore service host.
    For example, in MySQL: GRANT ALL PRIVILEGES ON metastore.* TO 'hive'@'metastorehost'; where metastorehost is the host where the metastore service is running.
  3. Make sure users who are not administrators cannot log into the HiveServer host.