Accessing StorageHandler and other external tables
Before creating secure external tables based on a StorageHandler, you must configure Hive impersonation. You learn which permissions Hive checks before you attempt to create a secure external table. You understand the policies necessary for accessing HBase from Hive.
When you create a managed versus an external table, including external tables based on a StorageHandler, Hive checks permissions described in the following table:
|Table Type||Example||Permissions Checked|
|Managed||Create table foo(i int);||Does the user have write and execute permission to the table storage location?|
|External||Create table foo_ext(i int) stored by 'org.apache.hadoop.hive.hbase.HBaseStorageHandler' with serdeproperties ("hbase.columns.mapping"="cf:string", "hbase.table.name"="hbase_table_0”);||Does the user have write and execute permission to the table storage location and does the user have read access to the external table, hbase_table_0, for example?|
In Hive 3, you follow recommendations to turn off Hive impersonation (hive.server2.enable.doAs property = false). As shown in the following diagram, any Hive user who can create a table, can also read the data of any external table.
doas=true, HBase policies restrict access to HBase. When
doAs=true, HBase recognizes the end-user who logged into Hive, You
need to create Ranger policies for your end users instead of user
to access the HBase service.
doas=false, any Hive user with CREATE/DROP/SELECT table
access in Hive can read, write, or delete any HBase table using the HBaseStorageHandler.
doas=false, HBase would see user
accessing the hbase tables. You need to create one policy in Ranger for HBase that
hive to read data from any table in HBase. From Hive, any
user can read data from any table in Hbase.
As a Hive 3 user, you must set doas=false to use Ranger. Ranger is the supported authorization model in CDP. You must set up Ranger to secure external tables, such as the HBaseStorageHandler table, as described in the next topic.