Integrating Hive Metastore with Ranger
Describes how to integrate Hive Metastore with Ranger.
Hive Metastore interacts directly with external clients such as Spark and Drill. Therefore, filtering and masking functionalities are not applicable for external clients.
Hive Metastore stores and manages metadata about Hive resources such as databases, tables,
and columns. It is responsible for queries such as the following (not a complete list):
- CREATE
- SHOW
- DESCRIBE
- ALTER
- DROP
- SELECT
- UPDATE
- INSERT
- DELETE
- TRUNCATE
After you have successfully enabled the Ranger Hive plug-in and configured policies, use
the following steps to enable Ranger authorization in the Hive Metastore:
- In the hive-site.xml file, set the hive.security.authorization.manager property to org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory:
    <property>
      <name>hive.security.authorization.manager</name>
      <value>org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory</value>
    </property>
- In the hive-site.xml file, add the HiveMetaStoreAuthorizer class to hive.metastore.pre.event.listeners:
    <property>
      <name>hive.metastore.pre.event.listeners</name>
      <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener,org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer</value>
    </property>
- Restart the Hive Metastore. Restarting causes Ranger privilege checks to be performed on each request to the Hive Metastore:
    maprcli node services -nodes <nodes> -name hivemeta -action restart
- To disable Hive Metastore authorization with Ranger, return the following properties to their default values:
    <property>
      <name>hive.security.authorization.manager</name>
      <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
    </property>
    <property>
      <name>hive.metastore.pre.event.listeners</name>
      <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
    </property>
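
A check you can run against hive-site.xml before restarting the Metastore, to confirm that both properties from the steps above are set as described. This is an added example, not part of the original documentation: the function names are illustrative and the two sample fragments are constructed.

```python
import xml.etree.ElementTree as ET
# Added example: helper names are illustrative; class names are the ones from the steps above.
AUTHZ = "org.apache.hadoop.hive.ql.security.authorization."
RANGER_FACTORY = "org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory"
FALLBACK_FACTORY = AUTHZ + "plugin.fallback.FallbackHiveAuthorizerFactory"
PRE_EVENT_LISTENER = AUTHZ + "AuthorizationPreEventListener"
METASTORE_AUTHORIZER = AUTHZ + "plugin.metastore.HiveMetaStoreAuthorizer"
MANAGER_KEY = "hive.security.authorization.manager"
LISTENERS_KEY = "hive.metastore.pre.event.listeners"

def load_properties(xml_text):
    """Return {name: [values]} so duplicate definitions stay visible."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props.setdefault(name, []).append((prop.findtext("value") or "").strip())
    return props

def check_ranger_metastore(xml_text):
    """Return findings; an empty list means both settings match the steps above."""
    props, findings = load_properties(xml_text), []
    for key in (MANAGER_KEY, LISTENERS_KEY):
        values = props.get(key, [])
        if not values:
            findings.append(f"{key} is not set")
        elif len(values) > 1:
            findings.append(f"{key} is defined {len(values)} times")
    for value in props.get(MANAGER_KEY, []):
        if value != RANGER_FACTORY:
            findings.append(f"{MANAGER_KEY} is {value or '(empty)'}, not the Ranger factory")
    for value in props.get(LISTENERS_KEY, []):
        # Listener class names are comma-separated; tolerate spaces around them.
        if METASTORE_AUTHORIZER not in [c.strip() for c in value.split(",")]:
            findings.append(f"{LISTENERS_KEY} does not include HiveMetaStoreAuthorizer")
    return findings

def site_xml(manager, listeners):
    """Build a constructed hive-site.xml fragment (sample input, not a real file)."""
    return ("<configuration>"
            f"<property><name>{MANAGER_KEY}</name><value>{manager}</value></property>"
            f"<property><name>{LISTENERS_KEY}</name><value>{listeners}</value></property>"
            "</configuration>")

ENABLED = site_xml(RANGER_FACTORY, f"{PRE_EVENT_LISTENER}, {METASTORE_AUTHORIZER}")
DEFAULTS = site_xml(FALLBACK_FACTORY, PRE_EVENT_LISTENER)

if __name__ == "__main__":
    for label, xml_text in (("enabled", ENABLED), ("defaults", DEFAULTS)):
        print(label, check_ranger_metastore(xml_text) or "OK")
```

To check a real file, pass its contents to check_ranger_metastore(). A non-empty result on a node that is meant to enforce Ranger policies means Metastore requests are not being authorized as intended.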