Accessing StorageHandler and other external tables

Before creating secure external tables based on a StorageHandler, you must configure Hive impersonation. You learn which permissions Hive checks before you attempt to create a secure external table. You understand the policies necessary for accessing HBase from Hive.

When you create a managed versus an external table, including external tables based on a StorageHandler, Hive checks permissions described in the following table:

Table 1.

Table type: Managed
Example: CREATE TABLE foo(i int);
Permissions checked: Does the user have write and execute permission to the table storage location?

Table type: External
Example: CREATE TABLE foo_ext(i int) STORED BY 'org.apache.hadoop.hive.hbase.HBaseStorageHandler' WITH SERDEPROPERTIES ("hbase.columns.mapping"="cf:string", "hbase.table.name"="hbase_table_0");
Permissions checked: Does the user have write and execute permission to the table storage location, and does the user have read access to the underlying external table (hbase_table_0 in this example)?

In Hive 3, you follow the recommendation to turn off Hive impersonation (set the hive.server2.enable.doAs property to false). As shown in the following diagram, any Hive user who can create a table can also read the data of any external table.

When doAs=true, Ranger policies on HBase restrict access to HBase, because HBase recognizes the end user who logged in to Hive. You therefore need to create Ranger HBase policies for your end users, rather than for user hive, to allow access to the HBase service.

When doAs=false, any Hive user with CREATE, DROP, or SELECT table access in Hive can read, write, or delete any HBase table through the HBaseStorageHandler. When doAs=false, HBase sees user hive accessing the HBase tables, not the end user. You need to create one Ranger policy for HBase that allows user hive to read data from any table in HBase. From Hive, any user can then read data from any table in HBase.
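The two Ranger HBase policies described above, written as an added illustration in the JSON form accepted by Ranger's public REST API (POST /service/public/v2/api/policy); this is not configuration from the original page. The service name cm_hbase, the policy names, and the user alice and group analysts are assumed placeholders.

```json
[
  {
    "service": "cm_hbase",
    "name": "hive-reads-all-hbase-tables",
    "description": "doAs=false: HBase sees every StorageHandler access as user hive, so hive needs read on all tables (placeholder service name cm_hbase)",
    "isEnabled": true,
    "resources": {
      "table":         { "values": ["*"], "isExcludes": false, "isRecursive": false },
      "column-family": { "values": ["*"], "isExcludes": false, "isRecursive": false },
      "column":        { "values": ["*"], "isExcludes": false, "isRecursive": false }
    },
    "policyItems": [
      {
        "users": ["hive"],
        "groups": [],
        "accesses": [ { "type": "read", "isAllowed": true } ],
        "delegateAdmin": false
      }
    ]
  },
  {
    "service": "cm_hbase",
    "name": "analysts-read-hbase_table_0",
    "description": "doAs=true: HBase sees the Hive end user, so grant the end users themselves read on the specific table (alice and analysts are placeholders)",
    "isEnabled": true,
    "resources": {
      "table":         { "values": ["hbase_table_0"], "isExcludes": false, "isRecursive": false },
      "column-family": { "values": ["cf"],            "isExcludes": false, "isRecursive": false },
      "column":        { "values": ["*"],             "isExcludes": false, "isRecursive": false }
    },
    "policyItems": [
      {
        "users": ["alice"],
        "groups": ["analysts"],
        "accesses": [ { "type": "read", "isAllowed": true } ],
        "delegateAdmin": false
      }
    ]
  }
]
```

With the first policy in place, per-user restriction on HBase data must come from Ranger Hive policies on the external table, because HBase itself can no longer distinguish one Hive user from another.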

As a Hive 3 user, you must set doAs=false to use Ranger. Ranger is the supported authorization model in CDP. You must set up Ranger to secure external tables, such as the HBaseStorageHandler table, as described in the next topic.