hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache Wiki <wikidi...@apache.org>
Subject [Hadoop Wiki] Update of "Hive/LanguageManual/Auth" by JonathanNatkins
Date Wed, 30 Mar 2011 22:40:10 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Hadoop Wiki" for change notification.

The "Hive/LanguageManual/Auth" page has been changed by JonathanNatkins.
http://wiki.apache.org/hadoop/Hive/LanguageManual/Auth

--------------------------------------------------

New page:
= Hive Authorization =

<<TableOfContents>>

== Disclaimer ==
Hive authorization is not completely secure.  In its current form, the authorization scheme
is intended primarily to prevent good users from accidentally doing bad things, but makes
no promises about preventing malicious users from doing malicious things.

== Prerequisites ==
In order to use Hive authorization, there are two parameters that should be set in hive-site.xml

{{{
<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>enable or disable the hive client authorization</description>
</property>

<property>
  <name>hive.security.authorization.createtable.user.grants</name>
  <value>ALL</value>
  <description>the privileges automatically granted to some users whenever a table gets
created. 
   An example like "userX,userY:select;userZ:create" will grant select privilege to userX
and userY, 
   and grant create privilege to userZ whenever a new table created.</description>
</property>
}}}

Note that, by default, the hive.security.authorization.createtable.user.grants are set to
null, which would result in the creator of a table having no access to the table.

== Users, Groups, and Roles ==
At the core of Hive's authorization system are users, groups, and roles.  Roles allow administrators
to give a name to a set of grants which can be easily reused.  A role may be assigned to users,
groups, and other roles.  For example, consider a system with the following users and groups:

(User: Groups)
user_all_dbs: group_db1, group_db2
user_db1: group_db1
user_db2: group_db2

If we wanted to restrict each user to a specific set of databases, we could use roles to build
the authorization mechanism.  The administrator would create two roles, called role_db1 and
role_db2.  The role_db1 role would provide privileges just for the first database, and the
role_db2 role would provide privileges just for the second database.  The administrator could
then grant the role_db1 role to group_db1, or explicitly for the users in the group, and do
the same for role_db2 with the users of the second database.  In order to allow users who
need to see all databases to get their appropriate privileges, a third role could be created
called role_all_dbs, which would be granted role_db1 and role_db2.  When user_all_dbs is granted
the role_all_dbs role, the user implicitly is granted all the privileges of role_db1 and role_db2.

Hive roles must be created manually before being used, unlike users and groups.  Users and
groups are managed by the hive.security.authenticator.manager.  When a user connects to a
Metastore Server and issues a query, the Metastore will determine the username of the connecting
user, and the groups associated with that ushive.security.authorization.ername.  That information
is then used to determine if the user should have access to the metadata being requested,
by comparing the required privileges of the Hive operation to the user privileges using the
following rules:

1. User privileges (Has the privilege been granted to the user)
2. Group privileges (Does the user belong to any groups that the privilege has been granted
to)
3. Role privileges (Does the user or any of the groups that the user belongs to have a role
that grants the privilege)

By default, the Metastore uses the HadoopDefaultAuthenticator for determing user -> group
mappings, which determines authorization by using the Unix usernames and groups on the machine
where the Metastore is running.  To make this more clear, consider a scenario where a user
foo is a member of group bar on the machine running the Hive CLI, and connects to a Metastore
running on a separate server that also has a user named foo, but on the Metastore Server,
foo is a member of group baz.  When an operation is executed, the Metastore will determine
foo to be in the group baz.

Taking this a step further, it is also possible for the groups that a user belongs to on the
Metastore Server may differ from the groups that the same user belongs to, as determined by
HDFS.  This could be the case if Hive or HDFS are configured to use non-default user ->
group mappers, or the Metastore and the Namenode both use the defaults, but the processes
are running on different machines, and the user -> group mappings are not the same on each
machine.

It is important to realize that Hive Metastore only controls authorization for metadata, and
the underlying data is controlled by HDFS, so if permissions and privileges between the two
systems are not in sync, users may have access to metadata, but not the physical data.  If
the user -> group mappings across the Metastore and Namenode are not in sync, as in the
scenarios above, a user may have the privileges required to access a table according to the
Metastore, but may not have permission to access the underlying files according to the Namenode.
 This could also happen due to administrator intervention, if permissions on the files were
changed by hand, but Metastore grants had not been updated.

== Creating/Dropping/Using Roles ==
=== Create/Drop Role ===
{{{
CREATE ROLE role_name

DROP ROLE role_name
}}}

=== Grant/Revoke Roles ===
{{{
GRANT ROLE role_name [, role_name] ...
TO principal_specification [, principal_specification] ...

REVOKE ROLE role_name [, role_name] ...
FROM principal_specification [, principal_specification] ...

principal_specification
  : USER user
  | GROUP group
  | ROLE role
}}}

=== Viewing Granted Roles ===
{{{
SHOW ROLE GRANT principal_specification
}}}


== Privileges ==
The following privileges are supported in Hive:

ALL - Gives users all privileges
ALTER - Allows users to modify the metadata of an object
UPDATE - Allows users to modify the physical data of an object
CREATE - Allows users to create objects.  For a database, this means users can create tables,
and for a table, this means users can create partitions
DROP - Allows users to drop objects
INDEX - Allows users to create indexes on an object (Note: this is not currently implemented)
LOCK - Allows users to lock or unlock tables when concurrency is enabled
SELECT - Allows users to access data for objects
SHOW_DATABASE - Allows users to view available databases


=== Grant/Revoke Privileges ===
{{{
GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_type]
    TO principal_specification [, principal_specification] ...
    [WITH GRANT OPTION]

REVOKE
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_type priv_level]
    FROM principal_specification [, principal_specification] ...

REVOKE ALL PRIVILEGES, GRANT OPTION
    FROM user [, user] ...

object_type:
    TABLE
  | DATABASE

priv_level:
    db_name
  | tbl_name
}}}

=== Viewing Granted Privileges ===
{{{
SHOW GRANT principal_specification
[ON object_type priv_level [(column_list)]]
}}}

== Hive Operations and Required Privileges ==
As of the release of Hive 0.7, only these operations require permissions, according to org.apache.hadoop.hive.ql.plan.HiveOperation:

|| Operation                       || ALTER || UPDATE || CREATE || DROP || INDEX || LOCK ||
SELECT || SHOW_DATABASE ||
|| LOAD                            ||       || X      ||        ||      ||       ||      ||
       ||               ||
|| EXPORT                          ||       ||        ||        ||      ||       ||      ||
X      ||               ||
|| IMPORT                          || X     || X      ||        ||      ||       ||      ||
       ||               ||
|| CREATE TABLE                    ||       ||        || X      ||      ||       ||      ||
       ||               ||
|| CREATE TABLE AS SELECT          ||       ||        || X      ||      ||       ||      ||
X      ||               ||
|| DROP TABLE                      ||       ||        ||        || X    ||       ||      ||
       ||               ||
|| SELECT                          ||       ||        ||        ||      ||       ||      ||
X      ||               ||
|| ALTER TABLE ADD COLUMN          || X     ||        ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE REPLACE COLUMN      || X     ||        ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE RENAME              ||   X   ||        ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE ADD PARTITION       ||       ||        ||   X    ||      ||       ||      ||
       ||               ||
|| ALTER TABLE DROP PARTITION      ||       ||        ||        ||  X   ||       ||      ||
       ||               ||
|| ALTER TABLE ARCHIVE             ||       ||    X   ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE UNARCHIVE           ||       ||    X   ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE SET PROPERTIES      ||   X   ||        ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE SET SERDE           ||   X   ||        ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE SET SERDE           ||   X   ||        ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE SET SERDEPROPERTIES ||   X   ||        ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE CLUSTER BY          ||   X   ||        ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE PROTECT MODE        ||   X   ||        ||        ||      ||       ||      ||
       ||               ||
|| ALTER PARTITION PROTECT MODE    ||   X   ||        ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE SET FILEFORMAT      ||   X   ||        ||        ||      ||       ||      ||
       ||               ||
|| ALTER PARTITION SET FILEFORMAT  ||   X   ||        ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE SET LOCATION        ||       ||    X   ||        ||      ||       ||      ||
       ||               ||
|| ALTER PARTITION SET LOCATION    ||       ||    X   ||        ||      ||       ||      ||
       ||               ||
|| ALTER TABLE CONCATENATE         ||       ||    X   ||        ||      ||       ||      ||
       ||               ||
|| ALTER PARTITION CONCATENATE     ||       ||    X   ||        ||      ||       ||      ||
       ||               ||
|| SHOW DATABASES                  ||       ||        ||        ||      ||       ||      ||
       ||     X         ||
|| LOCK TABLE                      ||       ||        ||        ||      ||       ||  X   ||
       ||               ||
|| UNLOCK TABLE                    ||       ||        ||        ||      ||       ||  X   ||
       ||               ||

Mime
View raw message