Accessing StorageHandler and other external tables
Before creating secure external tables based on a StorageHandler, you must configure Hive impersonation. You learn which permissions Hive checks before you attempt to create a secure external table. You understand the policies necessary for accessing HBase from Hive.
When you create a managed versus an external table, including external tables based on a StorageHandler, Hive checks permissions described in the following table:
|Statement|Permission checks|
|---|---|
|Create table foo(i int);|Does the user have write and execute permission to the table storage location?|
|Create table foo_ext(i int) stored by 'org.apache.hadoop.hive.hbase.HBaseStorageHandler' with serdeproperties ("hbase.columns.mapping"="cf:string", "hbase.table.name"="hbase_table_0");|Does the user have write and execute permission to the table storage location, and does the user have read access to the external table (hbase_table_0, for example)?|
In Hive 3, you follow recommendations to turn off Hive impersonation (hive.server2.enable.doAs property = false). As shown in the following diagram, any Hive user who can create a table can also read the data of any external table.
When doAs=true, HBase policies restrict access to HBase: HBase recognizes the end user who logged into Hive. To access the HBase service, you need to create Ranger policies for end-user access, instead of only a policy for user hive access to Hive.

When doAs=false, any Hive user with CREATE/DROP/SELECT table access in Hive can read, write, or delete any HBase table using the HBaseStorageHandler. HBase sees user hive accessing the HBase tables. You need to create one policy in Ranger for HBase that allows user hive to read data from any table in HBase. From Hive, any user can then read data from any table in HBase.
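To make the two access paths concrete, here is an added illustrative model (not Hive, HBase or Ranger code) that encodes the rule described above: with doAs=true HBase evaluates the end user's own policy, with doAs=false it evaluates the policy of user hive. The policy dictionaries, user names and functions are constructed for this example.

```python
"""Constructed model of StorageHandler access under doAs=true vs doAs=false.

Assumption (not from the page): Ranger policies are simplified to
dicts of user -> {table -> set of permissions}, where "*" means any table.
"""

HBASE_HANDLER = "org.apache.hadoop.hive.hbase.HBaseStorageHandler"

# Constructed sample Hive policies: who may create/select/drop tables in Hive.
HIVE_POLICIES = {
    "alice": {"*": {"create", "select", "drop"}},
    "bob": {"*": {"select"}},  # select only, cannot define an external table
}

# Constructed sample HBase policies.
HBASE_POLICIES = {
    "hive": {"*": {"read"}},               # the single "user hive reads any table" policy
    "alice": {"hbase_table_0": {"read"}},  # end-user policy; only consulted when doAs=true
    # bob has no HBase policy at all
}


def _granted(policies, user, table):
    """Union of permissions a user holds on a table (wildcard policies included)."""
    perms = set()
    for policy_table, policy_perms in policies.get(user, {}).items():
        if policy_table in ("*", table):
            perms |= policy_perms
    return perms


def hbase_identity(end_user, do_as):
    """The principal HBase sees when Hive reads through the StorageHandler."""
    return end_user if do_as else "hive"


def can_read_via_hive(end_user, hbase_table, do_as):
    """Can end_user read hbase_table through a StorageHandler external table?

    Two checks apply: Hive must allow the user to create the external table,
    and HBase must allow whichever identity it sees to read the table.
    """
    if "create" not in _granted(HIVE_POLICIES, end_user, "*"):
        return False
    seen_as = hbase_identity(end_user, do_as)
    return "read" in _granted(HBASE_POLICIES, seen_as, hbase_table)
```

With doAs=false, alice's CREATE privilege in Hive is enough to read an HBase table she has no policy for, because HBase only ever sees user hive.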
As a Hive 3 user, you must set doAs=false to use Ranger. Ranger is the supported authorization model in CDP. You must set up Ranger to secure external tables, such as the HBaseStorageHandler table, as described in the next topic.