Configure Hive Metastore to use Storage-Based Authorization
Describes how to enable storage-based authorization (SBA) for the Hive Metastore server.
Storage-based authorization controls access to the data using HDFS permissions (HDFS ACL). To control access to metadata objects, such as databases, tables, and partitions, it checks if you have permission on the corresponding directories on the file system.
To enable storage-based authorization for the Hive Metastore server, set these properties in hive-site.xml:
Property | Value | Description
---|---|---
hive.metastore.pre.event.listeners | org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener* | Turns on Metastore security. A MetaStorePreEventListener that performs authorization or authentication checks on the metastore side. Note that this can only perform authorization checks on defined metastore PreEventContexts, such as the adding, dropping, and altering of databases, tables, and partitions.
hive.security.metastore.authorization.manager | org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider* | Note: StorageBasedAuthorizationProvider specifies use of an HDFS permission-based model (recommended) for the Metastore-side authorization provider. DefaultHiveMetastoreAuthorizationProvider is the default and implements the standard Hive grant/revoke model.
hive.security.metastore.authenticator.manager | org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator (default) | Authentication manager class name to be used in the metastore for authentication. A user-defined authenticator must implement the org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider interface.
hive.security.metastore.authorization.auth.reads | true (default) | Default value (does not appear in the hive-site.xml file). When set to true, Metastore authorization also performs a read authorization check (first supported in Hive 0.14.0).
hive.server2.enable.doAs | true (default) | Use for protected access through HiveServer2.
* In secure clusters, the Data Fabric "secure-by-default" configuration implicitly configures these properties in the hive-site.xml file.
SBA configuration example in hive-site.xml File
```xml
<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
<property>
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
</property>
<property>
  <name>hive.security.metastore.authorization.auth.reads</name>
  <value>true</value>
</property>
<property>
  <name>hive.server2.enable.doAs</name>
  <value>true</value>
</property>
<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
</property>
```
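A small audit script that checks a hive-site.xml against the SBA settings in the table above, treating a missing property as acceptable only where the documented default already matches. This is an added example, not part of Hive or the Data Fabric distribution; the sample file it audits is constructed here.

```python
import xml.etree.ElementTree as ET

# Expected SBA settings, taken from the property table above.
SBA_EXPECTED = {
    "hive.metastore.pre.event.listeners":
        "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager":
        "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider",
    "hive.security.metastore.authenticator.manager":
        "org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator",
    "hive.security.metastore.authorization.auth.reads": "true",
    "hive.server2.enable.doAs": "true",
}
# Properties whose documented default already equals the expected value,
# so their absence from the file is not a finding.
DEFAULT_OK = {
    "hive.security.metastore.authenticator.manager",
    "hive.security.metastore.authorization.auth.reads",
    "hive.server2.enable.doAs",
}

def parse_hive_site(xml_text):
    """Map property name -> value; whitespace is trimmed so a value wrapped
    across lines (common in hand-edited files) still compares correctly."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name", "").strip()
        if name:
            props[name] = prop.findtext("value", "").strip()
    return props

def audit_sba(xml_text):
    """Return a list of findings; an empty list means every SBA property is
    either set as documented or left at a default that already matches."""
    props = parse_hive_site(xml_text)
    findings = []
    for name, expected in SBA_EXPECTED.items():
        actual = props.get(name)
        if actual is None:
            if name not in DEFAULT_OK:
                findings.append(f"{name} is missing; set it to {expected}")
        elif expected not in [v.strip() for v in actual.split(",")]:
            # Class-name properties may hold a comma-separated list of
            # classes, so check membership rather than exact equality.
            findings.append(f"{name} is '{actual}'; expected {expected}")
    return findings

# Constructed sample: a file still on the grant/revoke model, reads unchecked.
WEAK_XML = """<configuration>
<property><name>hive.security.metastore.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value></property>
<property><name>hive.security.metastore.authorization.auth.reads</name><value>false</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_sba(WEAK_XML):
        print("FINDING:", finding)
```

Running it against the constructed sample reports three findings: the missing pre-event listener, the DefaultHiveMetastoreAuthorizationProvider manager, and auth.reads set to false.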
If you use storage-based authorization, you still need to use one of the following
authorization models to protect actions within the HiveServer2: