Integrating Hive Metastore with Ranger

Describes how to integrate Hive Metastore with Ranger.

External clients such as Spark and Drill interact directly with Hive Metastore. Therefore, filtering and masking functionalities do not apply to external clients.

Hive Metastore stores and manages metadata about Hive resources such as databases, tables, and columns. It is responsible for queries such as the following (not a complete list):
  • CREATE
  • SHOW
  • DESCRIBE
  • ALTER
  • DROP
  • SELECT
Integrating Ranger with Hive Metastore protects the preceding queries but does not protect queries that work with real, physical data, such as the following (not a complete list):
  • UPDATE
  • INSERT
  • DELETE
  • TRUNCATE
After you have successfully enabled the Ranger Hive plug-in and configured policies, use the following steps to enable Ranger authorization in the Hive Metastore:
  1. In the hive-site.xml file, set the hive.security.authorization.manager property to org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory:
    <property>
      <name>hive.security.authorization.manager</name>
      <value>org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory</value>
    </property>
  2. In the hive-site.xml file, add the HiveMetaStoreAuthorizer class to hive.metastore.pre.event.listeners:
    <property>
      <name>hive.metastore.pre.event.listeners</name>
      <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener,org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer</value>
    </property>
  3. Restart the Hive Metastore. Restarting causes Ranger privilege checks to be performed on each request to the Hive Metastore:
    maprcli node services -nodes <nodes> -name hivemeta -action restart 
  4. To disable Hive Metastore authorization with Ranger, return the following properties to their default values:
    <property>
      <name>hive.security.authorization.manager</name>
      <value>org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory</value>
    </property>
    <property>
      <name>hive.metastore.pre.event.listeners</name>
      <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
    </property>
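
A check that can be run over hive-site.xml before the restart in step 3, to confirm that both properties from steps 1 and 2 are set as described. This is an added example, not part of the original documentation or the product; the function names and the sample XML documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MANAGER_KEY = "hive.security.authorization.manager"
LISTENERS_KEY = "hive.metastore.pre.event.listeners"
RANGER_FACTORY = "org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory"
METASTORE_AUTHORIZER = ("org.apache.hadoop.hive.ql.security.authorization"
                        ".plugin.metastore.HiveMetaStoreAuthorizer")
PRE_EVENT_LISTENER = ("org.apache.hadoop.hive.ql.security.authorization"
                      ".AuthorizationPreEventListener")

def build_site(manager, listeners):
    """Build a constructed hive-site.xml document for the demonstration."""
    return ("<configuration>"
            f"<property><name>{MANAGER_KEY}</name><value>{manager}</value></property>"
            f"<property><name>{LISTENERS_KEY}</name><value>{listeners}</value></property>"
            "</configuration>")

# Constructed samples: the state after steps 1-2, and a reverted file with a stray space.
SAMPLE_ENABLED = build_site(RANGER_FACTORY, PRE_EVENT_LISTENER + "," + METASTORE_AUTHORIZER)
SAMPLE_REVERTED = build_site(" org.apache.hadoop.hive.ql.security.authorization.plugin"
                             ".fallback.FallbackHiveAuthorizerFactory", PRE_EVENT_LISTENER)

def load_properties(xml_text):
    """Return {name: raw value}; a later duplicate overwrites an earlier one here."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = prop.findtext("value") or ""
    return props

def check_ranger_metastore(xml_text):
    """Return a list of findings; an empty list means steps 1 and 2 are in place."""
    props, findings = load_properties(xml_text), []
    manager = props.get(MANAGER_KEY, "")
    listeners = props.get(LISTENERS_KEY, "").split(",")
    # Flag stray whitespace so each configured class name is exact.
    if any(v != v.strip() for v in [manager] + listeners):
        findings.append("whitespace around a class name")
    if manager.strip() != RANGER_FACTORY:
        findings.append(MANAGER_KEY + " is not RangerHiveAuthorizerFactory")
    if METASTORE_AUTHORIZER not in [v.strip() for v in listeners]:
        findings.append("HiveMetaStoreAuthorizer missing from " + LISTENERS_KEY)
    return findings

if __name__ == "__main__":
    for label, doc in (("enabled", SAMPLE_ENABLED), ("reverted", SAMPLE_REVERTED)):
        print(label, check_ranger_metastore(doc) or "OK")
```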