Table of Contents | ||
---|---|---|
|
Status of Hive Authorization before Hive 0.13
...
There are two roles with special meaning – public and admin.
All users belong to the public role. You use this role in your grant statement to grant a privilege to all users.
When a user runs a Hive query or command, the privileges granted to the user and her "current roles" are checked. The current roles can be seen using the "show current roles;
" command. All of the user's roles except for the admin role will be in the current roles by default, although you can use the "set role
" command to set a specific role as the current role. See the command descriptions for details.
Users who do the work of a database administrator are expected to be added to the admin role.
They have privileges for running additional commands such as "create role
" and "drop role
". They can also access objects that they haven’t been given explicit access to. However, a user who belongs to the admin role needs to run the "set role
" command before getting the privileges of the admin role, as this role is not in current roles by default.
...
User names are case sensitive. This is because, unlike role names, user names are not managed within Hive. The user can be any user that the hiveserver2 authentication mode supports.
Quoted Identifiers
User and role names may optionally be surrounded by backtick characters (`) when the configuration parameter hive.support.quoted.identifiers
is set to column
(default value). All Unicode characters are permitted in the quoted identifiers, with double backticks (``) representing a backtick character. However when hive.support.quoted.identifiers
is set to none
, only alphanumeric and underscore characters are permitted in user names and role names.
For details, see HIVE-6013 and Supporting Quoted Identifiers in Column Names.
As of Hive 0.14, user may be optionally surrounded by backtick characters (`) irrespective of the hive.support.quoted.identifiers
setting.
Role Management Commands
Create Role
...
Code Block | ||
---|---|---|
| ||
SHOW CURRENT ROLES; |
Shows the list of the user's current roles. All actions of the user are authorized by looking at the privileges of the user and all current roles of the user.
...
Code Block | ||
---|---|---|
| ||
SET ROLE (role_name|ALL|NONE); |
If a role_name is specified, then that role becomes the only role in current roles.
Setting role_name to ALL refreshes the list of current roles (in case new roles were granted to the user) and sets them to the default list of roles.
If a role the user does not belong to is specified as the role_name, it will result in an error.
Show Roles
Setting role_name to NONE will remove all current roles from the current user. (It's introduced in HIVE-11780 and will be included in the upcoming versions 1.3.0 and 1.2.2.)
If a role the user does not belong to is specified as the role_name, it will result in an error.
Show Roles
Code Block | ||
---|---|---|
Code Block | ||
| ||
SHOW ROLES; |
List all currently existing roles.
...
If a user is granted a privilege WITH GRANT OPTION on a user table or a roleview, then the user can also grant/revoke privileges of other users the privileges it has and roles on those tablesobjects. As of Hive 0.14.0, the grant option for a privilege can be removed while still keeping the privilege by using REVOKE GRANT OPTION FOR <privilege> (HIVE-7404).
Note that in case of the REVOKE statement, the DROP-BEHAVIOR option of CASCADE is not currently supported (which is in SQL standard). As a result, the revoke statement will not drop any dependent privileges. For details on CASCADE behavior, you can check the Postgres revoke documentation.
...
Examples:
Code Block | ||
---|---|---|
| ||
SHOW GRANT [principal_name] ON (ALL| ([TABLE] table_or_view_name) |
where principal_name
is the name of a user or role.
Currently any user can run this command. But this is likely to change in the future to allow users to see only their own privileges, and additional privileges would be needed to see privileges of other users.
Examples of Managing Object Privileges
...
0: jdbc:hive2://localhost:10000/default> grant select on table secured_table to role my_role;
No rows affected (0.046 seconds)
0: jdbc:hive2://localhost:10000/default> revoke update, select on table secured_table from role my_role;
No rows affected (0.028 seconds) |
Notice that in Hive, unlike in standard SQL, USER or ROLE must be specified in the principal_specification.
Show Grant
Code Block | ||
---|---|---|
| ||
SHOW GRANT [principal_specification] ON (ALL | [TABLE] table_or_view_name);
principal_specification
: USER user
| ROLE role |
Currently any user can run this command. But this is likely to change in the future to allow users to see only their own privileges, and additional privileges would be needed to see privileges of other users.
Examples of Managing Object Privileges
Find out the privileges user ashutosh has on table hivejiratable:
Code Block | ||
---|---|---|
| ||
0: jdbc:hive2://localhost:10000> show grant user ashutosh on table hivejiratable; 0: jdbc:hive2://localhost:10000> show grant user ashutosh on table hivejiratable; +-----------+----------------+------------+---------+-------+----------+--+---------+-----------------+-----------------+------------+---------------+----------------+----------+ | database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor | +-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+ | default | hivejiratable | | | ashutosh | USER | DELETE | false | 1398303419000 | thejas | | default | hivejiratable | | | ashutosh | USER | SELECT | false | 1398303407000 | thejas | +-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+ |
...
Y + G: Privilege "WITH GRANT OPTION" required.
Action | Select | Insert | Update | Delete | Ownership | Admin | URI Privilege (RWX Permission + Ownership) | |||
---|---|---|---|---|---|---|---|---|---|---|
CREATE TABLE | Y (of database) | Y (for create external table – the location) | ||||||||
DROP TABLE | Y | |||||||||
DESCRIBE TABLE | Y | |||||||||
SHOW PARTITIONS | Y | |||||||||
ALTER TABLE LOCATION | Y | Y (for new location) | ||||||||
ALTER PARTITION LOCATION | Y | Y (for new partition location) | ||||||||
ALTER TABLE ADD PARTITION | Y | Y (for partition location) | ||||||||
ALTER TABLE DROP PARTITION | Y | |||||||||
ALTER TABLE (all of them except the ones above) | Y | |||||||||
TRUNCATE TABLE | Y | |||||||||
CREATE VIEW | Y + G | |||||||||
ALTER VIEW PROPERTIES | Y | |||||||||
ALTER VIEW RENAME | Y | |||||||||
DROP VIEW PROPERTIES | Y | |||||||||
DROP VIEW | Y | |||||||||
ANALYZE TABLE | Y | Y | ||||||||
SHOW COLUMNS | Y | |||||||||
SHOW TABLE STATUS | Y | |||||||||
SHOW TABLE PROPERTIES | Y | |||||||||
CREATE TABLE AS SELECT | Y (of input) | Y (of database) | ||||||||
CREATE INDEX | Y (of table) | |||||||||
DROP INDEX | Y | |||||||||
ALTER INDEX REBUILD | Y | |||||||||
ALTER INDEX PROPERTIES | Y | QUERY (insert, select queries) | Y (input) | Y (output) | Y (output)||||||
SELECT | Y | |||||||||
INSERT | Y | Y (for OVERWRITE) | ||||||||
UPDATE | Y | |||||||||
DELETE | Y | |||||||||
LOAD | Y (output) | Y (output) | Y (input location) | |||||||
SHOW CREATE TABLE | Y+G | |||||||||
CREATE FUNCTION | Y | |||||||||
DROP FUNCTION | Y | |||||||||
CREATE MACRO | Y | |||||||||
DROP MACRO | Y | |||||||||
MSCK (metastore check) | Y | |||||||||
ALTER DATABASE | Y | |||||||||
CREATE DATABASE | Y (if custom location specified) | |||||||||
EXPLAIN | Y | |||||||||
DROP DATABASE | Y |
Configuration
Set the following in hive-site.xml:
- hive.server2.enable.doAs to false.
- hive.users.in.admin.role to the list of comma-separated users who need to be added to admin role. Note that a user who belongs to the admin role needs to run the "
set role
" command before getting the privileges of the admin role, as this role is not in current roles by default.
Start HiveServer2 with the following additional command-line options:
DROP DATABASE | Y |
Info | ||
---|---|---|
| ||
As of Hive 3.0.0 (HIVE-12408), Ownership is not required for the URI Privilege. |
Configuration
For Hive 0.13.x
Set the following in hive-site.xml:
- hive.server2.enable.doAs to false.
- hive.users.in.admin.role to the list of comma-separated users who need to be added to admin role. Note that a user who belongs to the admin role needs to run the "
set role
" command before getting the privileges of the admin role, as this role is not in current roles by default.
Start HiveServer2 with the following additional command-line options:
- -hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
- -hiveconf hive.security.authorization.enabled=true
- -hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
- -hiveconf hive.metastore.uris=' '
For Hive 0.14 and Newer
Set the following in hive-site.xml:
- hive.server2.enable.doAs to false.
- hive.users.in.admin.role to the list of comma-separated users who need to be added to admin role. Note that a user who belongs to the admin role needs to run the "
set role
" command before getting the privileges of the admin role, as this role is not in current roles by default. Add org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly to hive.security.metastore.authorization.manager. (It takes a comma separated list, so you can add it along with StorageBasedAuthorization parameter, if you want to enable that as well).
This setting disallows any of the authorization api calls to be invoked in a remote metastore. HiveServer2 can be configured to use embedded metastore, and that will allow it to invoke metastore authorization api. Hive cli and any other remote metastore users would be denied authorization when they try to make authorization api calls. This restricts the authorization api to privileged HiveServer2 process. You should also ensure that the metastore rdbms access is restricted to the metastore server and hiverserver2.hive.security.authorization.manager to org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory. This will ensure that any table or views created by hive-cli have default privileges granted for the owner.
Set the following in hiveserver2-site.xml:
- -hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
- -hiveconf hive.security.authorization.enabled=true
- -hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
- -hiveconf hive.metastore.uris=' '
Known Issues
...
- ISO 9075 Part 1 Framework sections 4.2.6 (Roles), 4.6.11 (Privileges)
- ISO 9075 Part 2 Foundation sections 4.35 (Basic security model) and 12 (Access control)
Troubleshooting
Problem: My user name is in hive.users.in.admin.role in hive-site.xml, but I still get the error that user is not an admin. What could be wrong?
...