Configuring Fallback Hive Authorizer
You can enable protection of actions within the HiveServer2 instance by using the Fallback Authorizer.
About this task
To enable Fallback Authorization for Hive clients, set these properties in the hive-site.xml file:

Property | Value | Description |
---|---|---|
hive.security.authorization.enabled | true* | Enable or disable the Hive client authorization. |
hive.security.authorization.manager | org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory* | Class name for the Hive client authorization manager. |
hive.users.in.admin.role | mapr* | Comma-separated list of users who need to be added to the admin role. Note that a user who belongs to the admin role needs to run the set role command before getting the privileges of the admin role, as the admin role is not in current roles by default. |

* In secure clusters, the HPE Ezmeral Data Fabric "Secure-by-Default" configuration implicitly configures the Fallback Authorizer in the hive-site.xml file.

The Fallback Authorizer applies the following restrictions:
- Allows set only for selected allowlist parameters.
- Disallows dfs commands except for admin.
- Disallows local file location in SQL statements except for admin.
- Disallows ADD JAR, COMPILE, and TRANSFORM statements.

Fallback Authorization Configuration Example in hive-site.xml File
```xml
<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
</property>
<property>
  <name>hive.users.in.admin.role</name>
  <value>mapr</value>
</property>
```
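
To confirm that a deployed hive-site.xml actually carries these settings, the following check parses the file and reports any deviation from the values in the table. It is an added example, not part of the product documentation; the function name `audit_hive_site`, the sample file, and the `org.example` class in it are constructed for illustration, and the file is assumed to have the usual `<configuration>` root element.

```python
import xml.etree.ElementTree as ET

# Expected values are the ones listed in the property table on this page.
FALLBACK_FACTORY = ("org.apache.hadoop.hive.ql.security.authorization."
                    "plugin.fallback.FallbackHiveAuthorizerFactory")
REQUIRED = {
    "hive.security.authorization.enabled": "true",
    "hive.security.authorization.manager": FALLBACK_FACTORY,
}
ADMIN_KEY = "hive.users.in.admin.role"

# Constructed sample: authorization is enabled, but the manager property is
# defined twice, once with a made-up class (org.example...).
SAMPLE = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>org.example.PermissiveAuthorizerFactory</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>%s</value></property>
  <property><name>hive.users.in.admin.role</name><value>mapr, alice</value></property>
</configuration>""" % FALLBACK_FACTORY


def audit_hive_site(xml_text):
    """Return (findings, admin_users) for the text of a hive-site.xml file."""
    seen = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        seen.setdefault(name, []).append((prop.findtext("value") or "").strip())

    findings = []
    for key, expected in REQUIRED.items():
        values = seen.get(key, [])
        if not values:
            findings.append(f"{key}: not set")
        elif len(set(values)) > 1:
            # Do not guess which definition wins; make the operator resolve it.
            findings.append(f"{key}: conflicting definitions")
        elif values[0] != expected:
            findings.append(f"{key}: unexpected value {values[0]!r}")

    # Admin users are exempt from the dfs and local-file restrictions, so
    # report them for review instead of comparing against a fixed list.
    admins = [u.strip() for v in seen.get(ADMIN_KEY, [])
              for u in v.split(",") if u.strip()]
    return findings, admins


if __name__ == "__main__":
    print(audit_hive_site(SAMPLE))
```

The returned admin list is worth reviewing on its own, since every user in it can bypass the dfs and local-file restrictions after running set role.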