...
The default authorization model of Hive supports a traditional RDBMS style of authorization based on users, groups and roles and granting them permissions to do operations on database or table. It is descibed in more detail in https://cwiki.apache.org/Hive/languagemanual-auth.html
.
This RDBMS style of authorization is not very suitable for the typical use cases in Hadoop because of the following differences in implementation:
...
Details of HDFS permissions are given here: [in the Permissions Guide|: http://hadoop.apache.org/common/docs/r1.0.2/hdfs_permissions_guide.html Permissions Guide.
The following table shows the minimum permissions required for Hive operations under this authorization model:
Caution: This authorization model does not prevent malicious users from doing bad things because of the way authorization is currently implemented in Hive. See the Known Issues section below.
Configuring File-System-Based Authorization
The implementation of the file-system-based authorization model is available in the HCatalog package. (Support for this is likely to be added to the Hive package in the future.) So using this is requires installing the HCatalog package along with Hive.
The HCatalog jar needs to be added to the Hive classpath. You can add the following to hive-env.sh to ensure that it gets added:
export HIVE_AUX_JARS_PATH=<path to hcatalog jar>
The following entries need to be added to hive-site.xml to enable authorization:
{{ <property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
<description>enable or disable the hive client authorization</description>
</property>
<property>
<name>hive.security.authorization.manager</name>
<value>org.apache.hcatalog.security.HdfsAuthorizationProvider</value>
<description>the hive client authorization manager class name.
The user defined authorization class should implement interface
org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider.</description>
</property>}}
To disable authorization, set hive.security.authorization.enabled to false. To use the default authorization model of Hive, don’t set the hive.security.authorization.manager property.