hive-user mailing list archives

From: Sriram Krishnan
Subject: Re: hive permissions issue on a database
Date: Tue, 02 Oct 2012 04:21:57 GMT

In general, Hive authorization is not very secure, as is documented on the wiki:

You are likely running into this issue: Try
this as user demo2: "use demo1db; drop table table1". That should fail – at least as per
my tests. Also, do you enable drop privileges to all users in your default database? If so,
you may want to revoke that – and that will prevent users from dropping tables while they
are in the default database. However, it is not going to be fool-proof because users can always
run a command such as "use my_db; drop table".

As for show tables, are you saying that tables created by one user are not shown to another?
Or the same user?


From: Rahul Sarma
Date: Mon, 1 Oct 2012 20:58:31 -0700
Subject: Re: hive permissions issue on a database

Hi Bejoy,

Thanks for your help. Is there any other way to meet this requirement? How about giving it
at the table level?
Also can you share some thoughts on why my "show tables" command doesn't show me the tables
created by the user?

Rahul Sarma

On Mon, Oct 1, 2012 at 8:01 PM, Bejoy KS wrote:
Hi Rahul

Hive currently has this limitation. You can have permissions on HDFS but not on the metastore.
So as a result any user can drop any table in Hive. I have seen such discussions popping up
before as well. Since it is a genuine requirement, you can expect permissions on metastore level
in future versions of Hive.
Bejoy KS

Sent from handheld, please excuse typos.
From: Rahul Sarma
Date: Mon, 1 Oct 2012 11:50:19 -0700
Subject: hive permissions issue on a database

I have a Hadoop cluster running CDH4 version. I am having issues giving privileges to users
on Hive. My requirement is that for each Linux user I need to create a database on Hive and give
access to only that user (or group). So other users should not be able to see those tables
or do anything with them. I already have separate folders in HDFS for each user with selective
permissions. Here is what I have done:

  *   My Hive is connected to oracle 11g as its metastore. The tables are all created.

  *   Modify /etc/hive/conf/hive-site.xml and set ""
= true. Also "" = All.

  *   Created Linux users demo1 & demo2 with the same group names, i.e. demo1 & demo2. Logged
in to the hive prompt as root, and created 2 databases, demo1db & demo2db.

  *   Created 2 roles, demo1_role & demo2_role. Assigned the groups to the roles, i.e. demo1
group belongs to demo1_role & demo2 group belongs to demo2_role.

  *   Grant "All" to demo1db to demo1_role and demo2db to demo2_role

  *   Login as demo1 and get into the hive prompt. Create table demo1db.table1.

  *   Login as demo2 and get into the hive prompt. Drop table demo1db.table1. And it allows the
drop!!!! Though it cannot delete the associated data in HDFS, as demo2 does not have access
to the folder that demo1 controls. The table is dropped from the metastore. The same happens when
I create a table with the demo2 user and demo1 is able to drop it.

What have I done wrong? Also I noticed that when I do "show tables;" under demo1, it does
not show anything?

Any suggestions?

Rahul Sarma
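
The setup and the checks discussed in this thread, written out as HiveQL for Hive's legacy authorization mode. This is an added example, not part of the original messages; the table column in step 3 and the principal named in step 5 are assumptions, since the thread gives neither a schema nor who holds DROP on the default database.

```sql
-- Added example (HiveQL, legacy authorization). Database, role, group and
-- table names are the ones used in the thread.

-- 1. Setup from the original post: one database and one role per group.
CREATE DATABASE demo1db;
CREATE DATABASE demo2db;
CREATE ROLE demo1_role;
CREATE ROLE demo2_role;
GRANT ROLE demo1_role TO GROUP demo1;
GRANT ROLE demo2_role TO GROUP demo2;
GRANT ALL ON DATABASE demo1db TO ROLE demo1_role;
GRANT ALL ON DATABASE demo2db TO ROLE demo2_role;

-- 2. Confirm what the metastore actually recorded before testing anything.
SHOW ROLE GRANT GROUP demo1;
SHOW ROLE GRANT GROUP demo2;
SHOW GRANT ROLE demo1_role ON DATABASE demo1db;
SHOW GRANT ROLE demo2_role ON DATABASE demo1db;  -- expect no rows for demo2_role

-- 3. Session of user demo1: create the table.
--    Assumption: single INT column, the thread does not give a schema.
USE demo1db;
CREATE TABLE table1 (id INT);

-- 4. Session of user demo2: the check suggested in the reply at the top of
--    the thread. The replier reports that this form should fail in his tests,
--    unlike the original post's "Drop table demo1db.table1".
USE demo1db;
DROP TABLE table1;

-- 5. Mitigation from the same reply: if DROP was granted on the default
--    database, revoke it. Assumption: the grant is held by GROUP demo2;
--    check with SHOW GRANT first and substitute the principal that holds it.
SHOW GRANT GROUP demo2 ON DATABASE default;
REVOKE DROP ON DATABASE default FROM GROUP demo2;

-- The reply notes step 5 is not fool-proof, so HDFS permissions on each
-- user's warehouse directory remain the control that protects the data.
```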
