You need to set parameters to enable storage-based authorization (SBA).
When you use SBA, Hive performs authorization checks on the client rather than on the
server. This allows malicious users to circumvent these checks. Some metadata operations do
not check for authorization. See Apache JIRA HIVE-3009. DDL statements for managing
permissions have no effect on storage-based authorization, but they do not return error
messages (HIVE-3010).
- You obtained admin role privileges.
- Set authorization configuration parameters to enable storage-based authorization
  using the Cloudera Manager Safety Valve feature (see link below).
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>false</value>
  </property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
  </property>
  <property>
    <name>hive.server2.enable.doAs</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
  </property>
  <property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
  </property>
- Determine the required permissions of the tables and databases in your
  environment.
- Create a table or database in Hive, then manually modify the
  POSIX permissions using the HDFS file system commands.
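
The property block in the configuration step can be checked before it is pasted into the safety valve, since a class name stored in the wrong element or split across lines does not load as the intended provider. The following is an added example, not Cloudera or Hive tooling: `audit_sba_snippet` and `make_property` are hypothetical helpers, the sample snippet is constructed, and the expected values are the ones listed on this page.

```python
import xml.etree.ElementTree as ET

PKG = "org.apache.hadoop.hive.ql.security.authorization."
# Expected values are the ones listed in the property block on this page.
EXPECTED = {
    "hive.security.authorization.enabled": "false",
    "hive.security.authorization.manager": PKG + "StorageBasedAuthorizationProvider",
    "hive.server2.enable.doAs": "true",
    "hive.metastore.pre.event.listeners": PKG + "AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager": PKG + "StorageBasedAuthorizationProvider",
}

def audit_sba_snippet(snippet):
    """Return sorted findings for a bare run of <property> elements (hypothetical helper)."""
    root = ET.fromstring("<configuration>" + snippet + "</configuration>")
    findings, seen, malformed = [], {}, set()
    for prop in root.iter("property"):
        names, values = prop.findall("name"), prop.findall("value")
        key = (names[0].text or "").strip() if names else "(unnamed)"
        if len(names) != 1 or len(values) != 1:
            # Catches a class name placed in a second <name> instead of <value>.
            malformed.add(key)
            findings.append(f"{key}: needs exactly one <name> and one <value>")
        else:
            seen[key] = (values[0].text or "").strip()
    for key, want in EXPECTED.items():
        if key in malformed:
            continue
        if key not in seen:
            findings.append(f"{key}: missing")
        elif seen[key] != want:
            # Catches class names split by a backslash or line break.
            findings.append(f"{key}: expected {want!r}, found {seen[key]!r}")
    return sorted(findings)

def make_property(name, value, tag="value"):
    """Build one <property> element; tag lets the sample reproduce a wrong tag."""
    return f"<property><name>{name}</name><{tag}>{value}</{tag}></property>"

# Constructed sample with three defects: a wrapped class name, a value stored
# in <name>, and no hive.security.metastore.authorization.manager entry.
SAMPLE = "".join([
    make_property("hive.security.authorization.enabled", "false"),
    make_property("hive.security.authorization.manager",
                  PKG + "\\\nStorageBasedAuthorizationProvider"),
    make_property("hive.server2.enable.doAs", "true"),
    make_property("hive.metastore.pre.event.listeners",
                  PKG + "AuthorizationPreEventListener", tag="name"),
])
```

Calling `audit_sba_snippet(SAMPLE)` returns one finding per defect; a snippet that matches the page's property list returns an empty list.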