Configure storage-based authorization

You need to set parameters to enable storage-based authorization (SBA).

When you use SBA, Hive performs authorization checks on the client rather than on the server. This allows malicious users to circumvent these checks. Some metadata operations do not check for authorization (see Apache JIRA HIVE-3009). DDL statements for managing permissions have no effect on storage-based authorization, but they do not return error messages (HIVE-3010).
  • You obtained admin role privileges.
  1. Set authorization configuration parameters to enable storage-based authorization using the Cloudera Manager Safety Valve feature (see link below).
    <property>
       <name>hive.security.authorization.enabled</name>
       <value>false</value>
    </property>
    
    <property>
       <name>hive.security.authorization.manager</name>
       <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
    </property>
    
    <property>
       <name>hive.server2.enable.doAs</name>
       <value>true</value>
    </property>
    
    <property>
       <name>hive.metastore.pre.event.listeners</name>
       <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
    </property>
    
    <property>
       <name>hive.security.metastore.authorization.manager</name>
       <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
    </property>
  2. Determine the required permissions of the tables and databases in your environment.
  3. Create a table or database in Hive, then manually modify the POSIX permissions using the HDFS file system commands.
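
A mistyped safety-valve entry in step 1 (a class name wrapped across lines, or a class placed in a second `<name>` element instead of `<value>`) leaves the property unset or invalid. The following check is an added example, not Cloudera or Hive code: the function name `check_sba_snippet` is hypothetical, the expected values are copied from the property list in step 1, and the sample snippet is constructed.

```python
import xml.etree.ElementTree as ET

# Expected settings, taken from the property list in step 1 of this page.
SBA = "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider"
EXPECTED = {
    "hive.security.authorization.enabled": "false",
    "hive.security.authorization.manager": SBA,
    "hive.server2.enable.doAs": "true",
    "hive.metastore.pre.event.listeners":
        "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager": SBA,
}

def check_sba_snippet(snippet):
    """Return a sorted list of problems found in a safety-valve XML fragment."""
    # The fragment is a bare list of <property> elements, so wrap it in a root.
    root = ET.fromstring("<configuration>" + snippet + "</configuration>")
    found, problems = {}, []
    for prop in root.iter("property"):
        names, values = prop.findall("name"), prop.findall("value")
        if len(names) != 1 or len(values) != 1:
            label = names[0].text.strip() if names and names[0].text else "?"
            problems.append(f"{label}: needs exactly one <name> and one <value>")
            continue
        # Outer whitespace is ignored; whitespace inside the value is not.
        found[names[0].text.strip()] = (values[0].text or "").strip()
    for key, want in EXPECTED.items():
        if key not in found:
            if not any(p.startswith(key + ":") for p in problems):
                problems.append(f"{key}: missing")
        elif found[key] != want:
            # Catches wrapped class names: a '\' or newline inside <value>.
            problems.append(f"{key}: got {found[key]!r}, expected {want!r}")
    return sorted(problems)

# Constructed sample: listener class in a second <name>, one wrapped value,
# and hive.security.authorization.manager left out.
SAMPLE = """
<property><name>hive.security.authorization.enabled</name><value>false</value></property>
<property><name>hive.server2.enable.doAs</name><value>true</value></property>
<property><name>hive.metastore.pre.event.listeners</name>
  <name>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</name></property>
<property><name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.\\
StorageBasedAuthorizationProvider</value></property>
"""

if __name__ == "__main__":
    for line in check_sba_snippet(SAMPLE):
        print(line)
```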