Wednesday, November 19, 2014

How to enable SQL Standard-Based Authorization in Hive


Env: Hive 0.13
Reference:
SQL Standard Based Hive Authorization

1. Set the following parameters in hive-site.xml:

<property>
    <name>hive.server2.enable.doAs</name>
    <value>false</value>
</property>

<property>
    <name>hive.users.in.admin.role</name>
    <value>mapr</value>
</property>

<property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
</property>

<property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
</property>

<property>
    <name>hive.security.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
</property>

2. [Important] Before restarting HiveServer2, first grant the admin role to the user in Beeline.

grant admin to user mapr;
This makes sure the specified admin user has the admin role.
If this step is skipped in Hive 0.13, the user cannot later set the role to admin, even if the user is listed in hive.users.in.admin.role.
For example:
0: jdbc:hive2://xxx:10000/default> set hive.users.in.admin.role;
+----------------------------------------------+
|                     set                      |
+----------------------------------------------+
| hive.users.in.admin.role=mapr                |
+----------------------------------------------+
1 row selected (0.05 seconds)

0: jdbc:hive2://xxx:10000/default> set role admin;    
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. mapr doesn't belong to role admin (state=08S01,code=1)

3. Start HiveServer2 with the following additional command-line options.

-hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
-hiveconf hive.security.authorization.enabled=true
-hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator

4. Test the admin role.

0: jdbc:hive2://xxx:xxx/default> set role admin;                                           
No rows affected (0.824 seconds)
0: jdbc:hive2://xxx:xxx/default> show current roles;
+--------+
|  role  |
+--------+
| admin  |
|        |
+--------+
2 rows selected (0.391 seconds)
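
A check for the step 1 settings, as an added example that is not part of the original post: it parses hive-site.xml text and reports every property that differs from the values above, or an admin user missing from hive.users.in.admin.role. The names load_properties, audit and SAMPLE are hypothetical, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Expected values, copied from step 1 of this post.
REQUIRED = {
    "hive.server2.enable.doAs": "false",
    "hive.security.authorization.manager": "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
    "hive.security.authorization.enabled": "true",
    "hive.security.authenticator.manager": "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
}
ADMIN_KEY = "hive.users.in.admin.role"

def load_properties(xml_text):
    """Return {name: value}; in this checker a later duplicate overwrites an earlier one."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text, admin_user):
    """List settings that differ from step 1, plus admin_user if it is not listed."""
    props = load_properties(xml_text)
    findings = []
    for key, want in REQUIRED.items():
        got = props.get(key)
        is_bool = want in ("true", "false")  # booleans compare case-insensitively
        if got is None:
            findings.append(f"{key}: not set, expected {want}")
        elif got != want and not (is_bool and got.lower() == want):
            findings.append(f"{key}: is {got}, expected {want}")
    # The admin property holds a comma-separated list of user names.
    admins = [u.strip() for u in props.get(ADMIN_KEY, "").split(",") if u.strip()]
    if admin_user not in admins:
        findings.append(f"{ADMIN_KEY}: {admin_user} is not listed")
    return findings

# Constructed sample: doAs left at true and the authenticator manager missing.
SAMPLE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name><value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value></property>
  <property><name>hive.security.authorization.enabled</name><value>True</value></property>
  <property><name>hive.users.in.admin.role</name><value>hive, mapr</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "mapr"):
        print(finding)
```

An empty list means the file matches step 1; it does not confirm that the admin grant from step 2 was made.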
