Storage-based mode

The storage-based authorization mode (since Hive v0.10.0) relies on the authorization provided by the storage layer, HDFS, which provides both POSIX and ACL permissions (available since Hive v0.14.0; refer to https://issues.apache.org/jira/browse/HIVE-7583). Storage-based authorization is enabled in the metastore server; it has a single consistent view of metadata across other applications in the ecosystem. This mode checks user permissions against the POSIX permissions on the corresponding file directories in HDFS. In addition to the POSIX permissions model, HDFS also provides access-control lists, described under "ACLs" in the HDFS permissions guide at http://hadoop.apache.org/docs/r2.4.0/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#ACLs_Access_Control_Lists.

Because of how it is implemented, the storage-based authorization mode only offers authorization at the level of databases, tables, and partitions, not at the column or row level. Because it depends on HDFS permissions, it also lacks the flexibility to manage authorization through HQL statements. To enable storage-based authorization mode, we can set the following properties in the hive-site.xml file:

<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
<description>enable or disable the hive client authorization
</description>
</property>

<property>
<name>hive.metastore.pre.event.listeners</name>
<value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
<description>This turns on metastore-side security.</description>
</property>

<property>
<name>hive.security.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
<description>The class name of the Hive client authorization manager.</description>
</property>

<property>
<name>hive.security.metastore.authenticator.manager</name>
<value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
<description>authenticator manager class name to be used in the metastore for authentication.</description>
</property>

<property>
<name>hive.security.metastore.authorization.auth.reads</name>
<value>true</value>
<description>If this is true, metastore authorizer authorizes read actions on database, table</description>
</property>
With effect from Hive v0.14.0, storage-based authorization also authorizes read privileges on databases and tables by default through the hive.security.metastore.authorization.auth.reads property. For more information, please refer to https://issues.apache.org/jira/browse/HIVE-8221.
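
The following is an added example, not code from the book or from the Hive project: a small audit that parses hive-site.xml text and reports which of the storage-based authorization settings listed above are missing or set differently. The function names and the sample configuration are constructed for illustration, and the check uses hive.security.metastore.authenticator.manager, the Hive property that takes the metastore authenticator class.

```python
import xml.etree.ElementTree as ET

PKG = "org.apache.hadoop.hive.ql.security."
LISTENER = PKG + "authorization.AuthorizationPreEventListener"
# Expected values are the ones shown in the properties above.
EXPECTED = {
    "hive.security.authorization.enabled": "true",
    "hive.metastore.pre.event.listeners": LISTENER,
    "hive.security.authorization.manager": PKG + "authorization.StorageBasedAuthorizationProvider",
    "hive.security.metastore.authenticator.manager": PKG + "HadoopDefaultMetastoreAuthenticator",
    "hive.security.metastore.authorization.auth.reads": "true",
}

def load_properties(xml_text):
    """Map property name to stripped value; a repeated name keeps its last definition here."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return (property, problem) findings; the listeners value may be a comma-separated list."""
    props = load_properties(xml_text)
    findings = []
    for name, want in EXPECTED.items():
        got = props.get(name)
        if got is None:
            findings.append((name, "missing"))
        elif name == "hive.metastore.pre.event.listeners":
            if want not in [c.strip() for c in got.split(",")]:
                findings.append((name, "listener not registered"))
        elif (got.lower() if want == "true" else got) != want:
            findings.append((name, "unexpected value: " + got))
    return findings

# Constructed sample: metastore listener absent, read checks switched off.
SAMPLE = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider
    </value></property>
  <property><name>hive.security.metastore.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value></property>
  <property><name>hive.security.metastore.authorization.auth.reads</name><value>false</value></property>
</configuration>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty list from audit() means all five settings match; each finding names the property to correct in hive-site.xml.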