Configuring Fallback Hive Authorizer

You can enable protection of actions within the HiveServer2 instance by using the Fallback Authorizer.

About this task

Use the Fallback Authorizer when you want to protect access for Hive clients (JDBC/ODBC, Beeline CLI, and other HiveServer2 API users).
To enable Fallback Authorization for Hive clients, set these properties in the hive-site.xml file:
Property: hive.security.authorization.enabled
Value: true*
Description: Enable or disable the Hive client authorization.

Property: hive.security.authorization.manager
Value: org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory*
Description: Class name for the Hive client authorization manager.

Property: hive.users.in.admin.role
Value: mapr*
Description: Comma-separated list of users who need to be added to the admin role. Note that a user who belongs to the admin role needs to run the set role command before getting the privileges of the admin role, as the admin role is not in current roles by default.

* In secure clusters, the HPE Ezmeral Data Fabric "Secure-by-Default" configuration implicitly configures the Fallback Authorizer in the hive-site.xml file.

The Fallback Authorizer applies the following restrictions:
  • Allows set only for selected allowlist parameters.
  • Disallows dfs commands except for admin.
  • Disallows local file location in SQL statements except for admin.
  • Disallows ADD JAR, COMPILE, and TRANSFORM statements.
Fallback Authorization Configuration Example in hive-site.xml File
<property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
</property>

<property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
</property>

<property>
    <name>hive.users.in.admin.role</name>
    <value>mapr</value>
</property>
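
To confirm that a deployed hive-site.xml actually carries the three settings shown above, a small audit script can parse the file and report deviations. This is an added example, not part of the original documentation or of Hive; the function names and both sample configurations are constructed for illustration, and keeping the last occurrence of a duplicated property is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Factory class name as given on this page.
FALLBACK_FACTORY = (
    "org.apache.hadoop.hive.ql.security.authorization.plugin."
    "fallback.FallbackHiveAuthorizerFactory"
)

def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <property> elements."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name:
            props[name] = value  # assumption: the last duplicate is kept
    return props

def audit_fallback_authorizer(xml_text):
    """Return a list of findings; an empty list means all three settings match."""
    props = load_properties(xml_text)
    findings = []
    if props.get("hive.security.authorization.enabled", "").lower() != "true":
        findings.append("hive.security.authorization.enabled is not true")
    manager = props.get("hive.security.authorization.manager")
    if manager != FALLBACK_FACTORY:
        findings.append(f"authorization manager is {manager!r}, not the fallback factory")
    admins = [u.strip() for u in
              props.get("hive.users.in.admin.role", "").split(",") if u.strip()]
    if not admins:
        findings.append("hive.users.in.admin.role lists no users")
    return findings

# Constructed sample inputs: one matching the page, one misconfigured.
GOOD_SITE = f"""<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name><value>{FALLBACK_FACTORY}</value></property>
  <property><name>hive.users.in.admin.role</name><value>mapr</value></property>
</configuration>"""

BAD_SITE = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
  <property><name>hive.users.in.admin.role</name><value> </value></property>
</configuration>"""

if __name__ == "__main__":
    for label, site in (("good", GOOD_SITE), ("bad", BAD_SITE)):
        print(label, audit_fallback_authorizer(site) or "OK")
```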