hive-user mailing list archives

From Rahul Sarma <rahulsa...@gmail.com>
Subject Re: hive permissions issue on a database
Date Tue, 02 Oct 2012 04:29:00 GMT
Hi Sriram

Let me try that option.

On default I have only create permissions.

And yes a user is not able to see own tables.

On Oct 1, 2012 9:22 PM, "Sriram Krishnan" <skrishnan@netflix.com> wrote:

>  In general, Hive authorization is not very secure, as is documented on
> the wiki:
> https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization
> .
>
>  You are likely running into this issue:
> https://issues.apache.org/jira/browse/HIVE-2538. Try this as user demo2:
> "use demo1db; drop table table1". That should fail – at least as per my
> tests. Also, do you enable drop privileges to all users in your default
> database? If so, you may want to revoke that – and that will prevent users
> from dropping tables while they are in the default database. However, it is
> not going to be fool-proof because users can always run a command such as
> "use my_db; drop table other_db.foo".
>
>  As for show tables, are you saying that tables created by one user are
> not shown to another? Or the same user?
>
>  Sriram
>
>   From: Rahul Sarma <rahulsarma@gmail.com>
> Reply-To: <user@hive.apache.org>
> Date: Mon, 1 Oct 2012 20:58:31 -0700
> To: <user@hive.apache.org>
> Subject: Re: hive permissions issue on a database
>
>  Hi Bejoy,
>
>  Thanks for your help. Is there any other way to meet this requirement?
> How about giving it at the table level?
> Also can you share some thoughts on why my "show tables" command doesn't
> show me the tables created by the user?
>
> Regards,
> Rahul Sarma
>
>
> On Mon, Oct 1, 2012 at 8:01 PM, Bejoy KS <bejoy_ks@yahoo.com> wrote:
>
>> Hi Rahul
>>
>> Hive currently has this limitation. You can have permissions on hdfs but
>> not on the metastore. So as a result any user can drop any table in hive. I
>> have seen such discussions popping up before as well. Since it is a genuine
>> requirement, you can expect permissions on metastore level in future
>> versions of hive.
>> Regards
>> Bejoy KS
>>
>> Sent from handheld, please excuse typos.
>> ------------------------------
>> *From: *Rahul Sarma <rahulsarma@gmail.com>
>> *Date: *Mon, 1 Oct 2012 11:50:19 -0700
>> *To: *<user@hive.apache.org>
>> *ReplyTo: *user@hive.apache.org
>> *Subject: *hive permissions issue on a database
>>
>>   I have a Hadoop cluster running CDH4 version. I am having issues
>> giving privileges to users on hive. My requirement is for each linux user I
>> need to create a database on hive and give access to only that user(or
>> group). So other users should not be able to see those tables or do
>> anything with them. I already have separate folders in HDFS for each user
>> with selective permissions. Here is what I have done:
>>
>>    - My Hive is connected to oracle 11g as its metastore. The tables are
>>      all created.
>>    - Modify /etc/hive/conf/hive-site.xml and set
>>      "hive.security.authorization.enabled" = true. Also
>>      "hive.security.authorization.createtable.owner.grants" = All.
>>    - Created Linux users demo1 & demo2 with same group name i.e. demo1 &
>>      demo2. Logged in hive prompt as root, and created 2 databases demo1db &
>>      demo2db.
>>    - Created 2 roles, demo1_role & demo2_role. Assigned the groups to the
>>      role i.e. demo1 group belongs to demo1_role & demo2 group belongs to
>>      demo2_role.
>>    - Grant "All" to demo1db to demo1_role and demo2db to demo2_role
>>    - Login as demo1 and get into the hive prompt. Create table
>>      demo1db.table1.
>>    - Login as demo2 and get into hive prompt. Drop table demo1db.table1. *And
>>      it allows to drop !!!!* Though it cannot delete the associated data
>>      in HDFS as demo2 does not have access to the folder that demo1 controls.
>>      The table is dropped from metastore. The same happens when I create table
>>      with demo2 user and demo1 is able to drop it.
>>
>>  What have I done wrong? Also I noticed that when I do "show tables;"
>> under demo1, it does not show anything?
>>
>> Any suggestions?
>>
>> Regards,
>> Rahul Sarma
>>
>
>

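The setup and the two drop checks discussed in this thread, written out as HiveQL for an administrator validating per-user isolation on a test cluster. This is an added example, not a message from the thread; it assumes Hive's legacy authorization statements (CREATE ROLE, GRANT ... TO ROLE/GROUP, SHOW GRANT) and reuses the thread's names demo1, demo2, demo1db, demo2db and table1, with a constructed one-column table.

```sql
-- Added example (HiveQL, legacy authorization mode). Assumes hive-site.xml
-- already sets hive.security.authorization.enabled=true and
-- hive.security.authorization.createtable.owner.grants=All, as in the thread.

-- 1. As the administrative user: per-user databases, roles and grants.
CREATE DATABASE IF NOT EXISTS demo1db;
CREATE DATABASE IF NOT EXISTS demo2db;
CREATE ROLE demo1_role;
CREATE ROLE demo2_role;
GRANT ROLE demo1_role TO GROUP demo1;
GRANT ROLE demo2_role TO GROUP demo2;
GRANT ALL ON DATABASE demo1db TO ROLE demo1_role;
GRANT ALL ON DATABASE demo2db TO ROLE demo2_role;

-- 2. Review what is actually granted before testing.
SHOW GRANT ROLE demo1_role ON DATABASE demo1db;
SHOW GRANT ROLE demo2_role ON DATABASE demo2db;
-- Should list nothing if only the role grants above exist.
SHOW GRANT GROUP demo2 ON DATABASE demo1db;
-- Any DROP privilege listed here is the one Sriram suggests revoking.
SHOW GRANT GROUP demo2 ON DATABASE default;

-- 3. As demo1: create a disposable table for the check (constructed schema).
CREATE TABLE demo1db.table1 (id INT);

-- 4. As demo2: the two forms discussed in the thread.
USE demo1db;
DROP TABLE table1;           -- per Sriram's tests, this form should fail
USE demo2db;
DROP TABLE demo1db.table1;   -- cross-database form the thread says is not blocked

-- 5. As demo1: confirm whether the metastore entry survived step 4.
USE demo1db;
SHOW TABLES;
```

If step 5 no longer lists table1, the grants alone do not isolate the databases on that Hive version, which is the behaviour tracked in HIVE-2538.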