SQL Standards-Based Hive Authorization
Using EEP 6.0.0 and later, you can configure SQL standards-based authorization to enable fine grained access control with SQL commands.
The SQL standards-based authorization mode can be used in conjunction with storage-based authorization on the Metastore server. Like the current default authorization in Hive, SQL standards-based authorization is also enforced at query compilation time. To provide security through this option, the client must be secured. You can do this by allowing users access only through HiveServer2, and by restricting the user code and non-SQL commands that can be run. The checks will happen against the user who submits the request, but the query will run as the Hive server user. The directories and files for input data would have read access for this Hive server user. For users who do not need to protect against malicious users, this could potentially be supported through the Hive command line as well.
- Add the following properties to
hive-site.xml
:<!-- SQL standard based authorization --> <property> <name>hive.server2.enable.doAs</name> <value>false</value> </property> <property> <name>hive.users.in.admin.role</name> <value>mapr</value> </property> <property> <name>hive.security.metastore.authorization.manager</name> <value>org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value> </property> <property> <name>hive.security.authorization.manager</name> <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory</value> </property>
- Create a
hiveserver2-site.xml
configuration file:
Add the following properties to thetouch /opt/mapr/hive/hive-<version>/conf/hiveserver2-site.xml
hiveserver2-site.xml
file:<configuration> <property> <name>hive.security.authorization.manager</name> <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value> </property> <property> <name>hive.security.authorization.enabled</name> <value>true</value> </property> <property> <name>hive.security.authenticator.manager</name> <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value> </property> <property> <name>hive.metastore.uris</name> <value></value> </property> </configuration>
- Change the owner of the
hiveserver2-site.xml
file tomapr
, and restart Hive services:chown mapr:mapr /opt/mapr/hive/hive-<version>/conf/hiveserver2-site.xml maprcli node services -name hs2 -action restart -nodes `hostname -f` maprcli node services -name hivemeta -action restart -nodes `hostname -f`
If you are a database administrator and want to run commands such as create
role
and drop role
or access objects without being given
explicit access, you must run the set role
command.
- Create a test role:
hive> set role admin; OK Time taken: 0.02 seconds hive> create role example_role; OK Time taken: 0.099 seconds hive> show roles; OK admin public role1 example_role Time taken: 0.02 seconds, Fetched: 3 row(s)
- Grant access:
hive> GRANT example_role to USER testuser; OK Time taken: 0.058 seconds hive> GRANT SELECT on table eg_test to role example_role; OK Time taken: 0.146 seconds
- Using the test role, check access:
sudo -u mapruser1 hive
If there is an access violation, correct it. The following is an example of an access violation error:hive> insert into table eg_test values (4), (5), (6); FAILED: RuntimeException Cannot create staging directory 'maprfs:///user/hive/warehouse/eg_test/.hive-staging_hive_2018-06-08_10-24-11_566_5325052587659005252-1': User mapruser1(user id 5001) has been denied access to create .hive-staging_hive_2018-06-08_10-24-11_566_5325052587659005252-1
You can apply access restrictions to all actions except for READ access.
The following are examples of permitted access operations:
- Select:
hive> select count (*) from eg_test; OK 3 Time taken: 2.491 seconds, Fetched: 1 row(s)
- Describe:
hive> describe extended eg_test; OK id int Detailed Table Information Table(tableName:eg_test, dbName:default, owner:mapr, createTime:1528453013, lastAccessTime:0, retention:0, sd:StorageDescriptor(cols:[FieldSchema(name:id, type:int, comment:null)], location:maprfs:/user/hive/warehouse/eg_test, inputFormat:org.apache.hadoop.mapred.TextInputFormat, outputFormat:org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat, compressed:false, numBuckets:-1, serdeInfo:SerDeInfo(name:null, serializationLib:org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe, parameters:{serialization.format=1}), bucketCols:[], sortCols:[], parameters:{}, skewedInfo:SkewedInfo(skewedColNames:[], skewedColValues:[], skewedColValueLocationMaps:{}), storedAsSubDirectories:false), partitionKeys:[], parameters:{totalSize=6, numRows=3, rawDataSize=3, COLUMN_STATS_ACCURATE={"BASIC_STATS":"true"}, numFiles=1, transient_lastDdlTime=1528453046}, viewOriginalText:null, viewExpandedText:null, tableType:MANAGED_TABLE, rewriteEnabled:false) Time taken: 0.12 seconds, Fetched: 3 row(s)
- Show columns:
hive> SHOW COLUMNS from eg_test; OK id Time taken: 0.049 seconds, Fetched: 1 row(s)
- Select: