Configure Hive Metastore to use Storage-Based Authorization

Describes how to enable storage-based authorization (SBA) for the Hive Metastore server.

Storage-based authorization controls access to the data using HDFS permissions (HDFS ACLs). To control access to metadata objects, such as databases, tables, and partitions, it checks whether you have permission on the corresponding directories on the file system.

To enable storage-based authorization for the Hive Metastore server, set these properties in hive-site.xml:

Property: hive.metastore.pre.event.listeners
Value: org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener*
Description: Turns on Metastore security. A MetaStorePreEventListener that performs authorization or authentication checks on the metastore side. Note that this can only perform authorization checks on defined metastore PreEventContexts, such as the adding, dropping, and altering of databases, tables, and partitions.

Property: hive.security.metastore.authorization.manager
Value: org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider*
Description: StorageBasedAuthorizationProvider - Specifies use of an HDFS permission-based model (recommended) for the Metastore-side authorization provider. DefaultHiveMetastoreAuthorizationProvider - This default implements the standard Hive grant/revoke model.
Note:
  • The StorageBasedAuthorizationProvider setting first appeared on the Metastore side only in Hive 0.10.0. With Hive 0.12.0 and later, it can also run on the client side.
  • Starting from EEP 6.1.0, hive.security.metastore.authorization.manager is set to the StorageBasedAuthorizationProvider value by default.

Property: hive.security.metastore.authenticator.manager
Value: org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator (default)
Description: Authentication manager class name to be used in the metastore for authentication. A user-defined authenticator must implement the org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider interface.

Property: hive.security.metastore.authorization.auth.reads
Value: true (default)
Description: Default value (does not appear in the hive-site.xml file). When set to true, Metastore authorization also performs a read authorization check (first supported in Hive 0.14.0).

Property: hive.server2.enable.doAs
Value: true (default)
Description: Use for protected access through HiveServer2.

* In secure clusters, the Data Fabric "secure-by-default" configuration implicitly configures these properties in the hive-site.xml file.

SBA configuration example in the hive-site.xml file

<property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>

<property>
    <name>hive.security.metastore.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
</property>

<property>
    <name>hive.security.metastore.authorization.auth.reads</name>
    <value>true</value>
</property>

<property>
    <name>hive.server2.enable.doAs</name>
    <value>true</value>
</property>

<property>
    <name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
</property>

If you use storage-based authorization, you still need to use one of the following authorization models to protect actions within HiveServer2: