...
See details in the HCatalog Storage Based Authorization document.
Starting in Hive 0.14, storage based authorization also authorizes read privilege on databases and tables. The get_database API call requires read privilege on the database directory. The get_table_* calls that fetch table information and the get_partition_* calls that list the partitions of a table require read privilege on the table directory. Read authorization is enabled by default with storage based authorization; see hive.security.metastore.authorization.auth.reads in the next section on configuration.
Configuration Parameters for Metastore Security
...
hive.metastore.pre.event.listeners
Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener. This turns on metastore-side security.
hive.security.metastore.authorization.manager
Set to org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider. This tells Hive which metastore-side authorization provider to use. The default setting uses DefaultHiveMetastoreAuthorizationProvider, which implements the standard Hive grant/revoke model. To use an HDFS permission-based model (recommended) to do your authorization, use org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider instead, as instructed above.
Versions 0.10.0 and 0.12.0: The StorageBasedAuthorizationProvider was introduced in Hive 0.10.0, running on the metastore side only (HIVE-3705). Starting in Hive 0.12.0 it also runs on the client side (HIVE-5048 and HIVE-5402).
hive.security.metastore.authenticator.manager
Set to org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator.
hive.security.metastore.authorization.auth.reads
When this is set to true, Hive metastore authorization also checks for read access. It is set to true by default. Read authorization checks were introduced in Hive 0.14.0.
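The following is an added example, not code from the Hive project or this page. It embeds a constructed hive-site.xml fragment carrying the four properties described above, parses it the way a config audit script would, and reports whether the metastore is configured for storage based authorization with read checks enabled. The required_read_check helper is a simplified model of the call-to-directory mapping this page describes (get_database against the database directory, get_table_* and get_partition_* against the table directory); it is an illustration of that rule, not Hive's own authorization code.

```python
"""Audit a hive-site.xml for metastore-side storage based authorization.

Added example; not part of Hive. The sample XML below is constructed for
illustration and mirrors the settings documented in this section.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration (not a real deployment's file).
SAMPLE_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
  </property>
  <property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
  </property>
  <property>
    <name>hive.security.metastore.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  </property>
  <property>
    <name>hive.security.metastore.authorization.auth.reads</name>
    <value>true</value>
  </property>
</configuration>
"""

PRE_EVENT_LISTENER = (
    "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener"
)
STORAGE_BASED_PROVIDER = (
    "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider"
)


def parse_hive_site(xml_text):
    """Return {property name: value} from a Hadoop-style XML configuration."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def reads_checked(props):
    """auth.reads defaults to true (Hive 0.14+), so only an explicit false disables it."""
    return props.get("hive.security.metastore.authorization.auth.reads", "true").lower() != "false"


def audit_metastore_auth(props):
    """Return a list of findings; an empty list means the documented setup is in place."""
    findings = []
    listeners = [
        l.strip()
        for l in props.get("hive.metastore.pre.event.listeners", "").split(",")
        if l.strip()
    ]
    if PRE_EVENT_LISTENER not in listeners:
        findings.append("metastore-side security is off: AuthorizationPreEventListener not listed")
    if props.get("hive.security.metastore.authorization.manager") != STORAGE_BASED_PROVIDER:
        findings.append("authorization manager is not StorageBasedAuthorizationProvider")
    if not reads_checked(props):
        findings.append("read checks disabled: hive.security.metastore.authorization.auth.reads=false")
    return findings


def required_read_check(props, api_call):
    """Simplified model (assumption, not Hive code) of which directory a metastore
    read call is checked against when read authorization is enabled."""
    if not reads_checked(props):
        return None
    if api_call == "get_database":
        return "database directory"
    if api_call.startswith("get_table_") or api_call.startswith("get_partition_"):
        return "table directory"
    return None  # not one of the read calls covered by this rule


if __name__ == "__main__":
    cfg = parse_hive_site(SAMPLE_HIVE_SITE)
    for finding in audit_metastore_auth(cfg) or ["OK: storage based authorization with read checks"]:
        print(finding)
```

Running the script against the sample prints the OK line; flipping auth.reads to false in the XML, or dropping the listener, produces one finding per missing setting, which is the shape a deployment check would want.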
Sample hive-site.xml: Default Settings
...