Configure Hive Metastore to use Storage-Based Authorization

Describes how to enable storage-based authorization (SBA) for the Hive Metastore server.

Storage-based authorization controls access to the data using HDFS permissions (HDFS ACL). To control access to metadata objects, such as databases, tables, and partitions, it checks if you have permission on the corresponding directories on the file system.

To enable storage-based authorization for the Hive Metastore server, set these properties in hive-site.xml:

Property	Value	Description
`hive.metastore.pre.event.listeners`	`org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener*`	Turns on Metastore security. A MetaStorePreEventListener that performs authorization or authentication checks on the metastore side. Note that this can only perform authorizaiton checks on defined metastore PreEventContexts, such as the adding, dropping, and altering of databases, tables, and partitions.
`hive.security.metastore.authorization.manager`	`org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider*` Note: The `StorageBasedAuthorizationProvider` setting first appeared on the Metastore side only in Hive 0.10.0. With Hive 0.12.0 and later, it can also run on the client side. Starting from EEP 6.1.0, `hive.security.metastore.authorization.manager` is set to the `StorageBasedAuthorizationProvider` value by default.	`StorageBasedAuthorizationProvider` - Specifies use of an HDFS permission-based model (recommended) for the Metastore-side authorization provider. `DefaultHiveMetastoreAuthorizationProvider` - This default implements the standard Hive grant/revoke model.
`hive.security.metastore.authenticator.manager`	`org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator` (default)	Authentication manager class name to be used in the metastore for authentication. The user-defined authenticator should implement the `org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider` interface.
`hive.security.metastore.authorization.auth.reads`	true (default)	Default value (does not appear in hive-site.xml file). Set to `true`, Metastore authorization also performs a read authorization check (first supported in Hive 0.14.0).
`hive.server2.enable.doAs`	`true` (default)	Use for protected access through HiveServer2.

* In secure clusters, the Data Fabric "secure-by-default" configuration implicitly configures these properties in the hive-site.xml file.

SBA configuration example in hive-site.xml File

<property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
 </property>

<property>
    <name>hive.security.metastore.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator
    </value> 
</property>

<property>
    <name>hive.security.metastore.authorization.auth.reads</name>
    <value>true</value> 
</property>

<property>
    <name>hive.server2.enable.doAs</name>
    <value>true</value> 
</property>

<property>
    <name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value> 
</property>

If you use storage-based authorization, you still need to use one of the following authorization models to protect actions within the HiveServer2:

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0