Q: Which Hive version could enable Sentry with Hive Authorization V2
...
(1)Here is the release date of Hive, since 0.13.0 is released at 2014/04/15, it may not a good backport for 1.1.0
hive-0.13.0 2014-04-15
...
hive-1.1.0 2015-03-09
hive-1.1.1 2015-05-21
hive-1.2.0 2015-05-15
hive-1.2.1 2015-06-26
hive-2.0.0 2016-02-15
(2)While we are fixing the E2E Tests of Hive binding V2, we also have some fixes at hive side, they are HIVE-11780, HIVE-11498, HIVE-11190, HIVE-11179. Especially HIVE-11179 which blocks the authorization of URI type privilege in Sentry. Hive 1.3.0 and Hive 2.0.0 can be adapted in theory, since 1.3.0 is not released, our E2E test works for Hive 2.0.0.
Q: Is there any backward incompatible changes? Upgrade concerns?
Here is the configuration need to be updated.
How to configure Kafka to use Sentry for authorization
| Configuration Key | Configuration Value |
|---|---|
| hive.security.authorization.task.factory | org.apache.sentry.binding.hive.v2.SentryHiveAuthorizationTaskFactoryImplV2 |
| hive.server2.session.hook | org.apache.sentry.binding.hive.v2.HiveAuthzBindingSessionHookV2 |
| hive.metastore.rawstore. |
...
| impl | org.apache.sentry.binding.hive.v2.metastore.AuthorizingObjectStoreV2 |
| hive.metastore.pre.event.listeners | org.apache.sentry.binding.hive.v2.metastore.MetastoreAuthzBindingV2 |
| hive.server2.enable.doAs | false |
| hive.security.authorization.enabled | true |
| hive.security.authorization.manager | org.apache.sentry.binding.hive.v2.SentryAuthorizerFactory |
| hive |
...
| . |
...
| security.authenticator.manager | org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator |
Any known regressions in V2? Any concern areas?