hive-user mailing list archives

From Vijay Toshniwal <vijay.toshni...@gmail.com>
Subject Re: Issues with hive storage based authorization
Date Wed, 15 Nov 2017 11:40:45 GMT
We are looking for database-level access for users and groups. A group of
users should only have write access to a particular database and read
access to some. They should not be able to create databases at their end.

I did try Sentry; however, I am facing some compatibility issues, it seems. My
Hive version is 1.2.1 and Hadoop 2.7.3. I tried to build Sentry 1.5.1 from
GitHub for the configuration mentioned; however, I was not able to build it
successfully, as it gives an error for the hdfs-name-node plugin. Will look at
it in more detail.

Thanks for all your suggestions and help.

Regards,
Vijay


On Wed, Nov 15, 2017 at 5:00 PM, Jörn Franke <jornfranke@gmail.com> wrote:

> What kind of access do you need for a user?
>
> From a distance it is quite difficult to judge, because we do not have all
> the information, and the Kerberos setup can be rather tricky (if not using a
> Hadoop distribution facilitating it).
>
> Usually fine-grained access is supported by using Apache Ranger or Apache
> Sentry.
>
> On 15. Nov 2017, at 12:19, Vijay Toshniwal <vijay.toshniwal@gmail.com>
> wrote:
>
> Hi ,
>
> As per the suggestion, I did kerberize the cluster; however, I am getting the
> same issue. Any user, after authenticating using a keytab, can go and create
> databases.
>
> One thing I observed was that dfs.permissions.enabled in hdfs-site.xml was set
> to false. After setting it to true, only a user with the required privilege on
> the warehouse dir was able to create a database. However, that works without
> even enabling Hive storage-based authorization. So I am not sure how Hive
> storage-based authorization will provide additional security. Definitely I
> am missing something.
>
> Please suggest.
>
> Thanks,
> Vijay
>
> On Thu, Nov 9, 2017 at 1:55 PM, Jörn Franke <jornfranke@gmail.com> wrote:
>
>> Then you need to kerberize it to support what you want
>>
>> On 9. Nov 2017, at 09:18, Vijay Toshniwal <vijay.toshniwal@gmail.com>
>> wrote:
>>
>> No, it's not.
>>
>> Thanks,
>> Vijay
>>
>> On Thu, Nov 9, 2017 at 1:09 PM, Jörn Franke <jornfranke@gmail.com> wrote:
>>
>>> Is your Hadoop cluster kerberized?
>>>
>>> On 9. Nov 2017, at 06:57, Vijay Toshniwal <vijay.toshniwal@gmail.com>
>>> wrote:
>>>
>>> Hi Team,
>>>
>>>
>>>
>>> I am facing issues while configuring Hive storage-based authorization. I
>>> followed the steps mentioned in
>>> https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server
>>> however still any user can create a database in Hive (using Beeline and the
>>> CLI) at will, though not able to delete other users' databases. My Hive
>>> directory permission is set to 770 (hive:hadoop). Below are the parameters
>>> that I added to hive-site.xml:
>>>
>>> hive.metastore.pre.event.listeners: org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
>>>
>>> hive.security.metastore.authorization.auth.reads: true
>>>
>>> hive.security.metastore.authenticator.manager: org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator
>>>
>>> hive.security.metastore.authorization.manager: org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider
>>>
>>> hive.metastore.execute.setugi: true
>>>
>>> hive.server2.enable.doAs: true
>>>
>>> hive version: 1.2.1
>>>
>>> Hadoop version: 2.7.3
>>>
>>>
>>>
>>> My understanding was that only those users having write access to
>>> /user/hive/warehouse should be able to create a database. Please suggest.
>>>
>>> I also found one similar question,
>>> https://stackoverflow.com/questions/43734947/does-the-storage-based-authorization-or-sql-standards-based-hive-authorization-w?rq=1
>>> where the default authorization is not working as expected.
>>>
>>>
>>>
>>> Request you to provide your inputs on the same.
>>>
>>>
>>> Thanks,
>>>
>>> Vijay
>>>
>>>
>>
>
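Editor's added example (not code from this thread or from the Hive project): a small offline lint that reads hdfs-site.xml and hive-site.xml in the standard Hadoop <configuration>/<property> layout and reports the two things the thread turned on. First, dfs.permissions.enabled=false in hdfs-site.xml, the setting Vijay found: the NameNode then skips permission checks entirely, so a 770 warehouse directory is never enforced, and StorageBasedAuthorizationProvider, which only asks HDFS whether the caller may write the directory, has nothing to enforce. Second, any of the storage-based authorization properties listed in the original post that is missing from hive-site.xml or carries a different value. The property names and class names are the ones posted above; the sample XML documents are constructed for this example, and the advisory about hive.server2.enable.doAs=false is this example's own assumption, not a claim made in the thread.

```python
"""Offline lint for the hdfs-site.xml / hive-site.xml settings discussed above.

Added example, not code from the thread or from Apache Hive. The sample XML
documents at the bottom are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Property names and values exactly as posted at the top of the thread.
REQUIRED_HIVE_PROPS = {
    "hive.metastore.pre.event.listeners":
        "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager":
        "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider",
    "hive.security.metastore.authenticator.manager":
        "org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator",
    "hive.security.metastore.authorization.auth.reads": "true",
    "hive.metastore.execute.setugi": "true",
}


def parse_hadoop_xml(text):
    """Return {property name: value} from a Hadoop-style configuration file."""
    root = ET.fromstring(text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is None:
            continue
        props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def check_hdfs_site(text):
    """Findings for hdfs-site.xml. dfs.permissions.enabled defaults to true,
    so only an explicit false is reported."""
    props = parse_hadoop_xml(text)
    if props.get("dfs.permissions.enabled", "true").lower() == "false":
        return ["dfs.permissions.enabled=false: HDFS does not enforce file "
                "permissions, so the warehouse directory mode is ignored"]
    return []


def check_hive_site(text):
    """Findings for hive-site.xml: every required property must be present
    with the expected value. pre.event.listeners is a comma-separated list,
    so each value is split on commas and the expected entry must be present."""
    props = parse_hadoop_xml(text)
    findings = []
    for name, expected in REQUIRED_HIVE_PROPS.items():
        actual = props.get(name)
        if actual is None:
            findings.append(f"{name}: missing (expected {expected})")
            continue
        values = [v.strip().lower() for v in actual.split(",")]
        if expected.lower() not in values:
            findings.append(f"{name}: is '{actual}', expected {expected}")
    # Assumption of this example, not a statement from the thread: with doAs
    # disabled, HiveServer2 acts towards the metastore as the hive service
    # user, so storage-based checks see that user rather than the caller.
    if props.get("hive.server2.enable.doAs", "").lower() == "false":
        findings.append("hive.server2.enable.doAs=false: storage checks run as "
                        "the hive service user, not the connecting user")
    return findings


def lint(hdfs_site_text, hive_site_text):
    """Combine both checks; an empty list means nothing was found."""
    return check_hdfs_site(hdfs_site_text) + check_hive_site(hive_site_text)


# --- constructed sample inputs -------------------------------------------
WEAK_HDFS_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>dfs.permissions.enabled</name><value>false</value></property>
  <property><name>dfs.replication</name><value>3</value></property>
</configuration>
"""
FIXED_HDFS_SITE = WEAK_HDFS_SITE.replace("<value>false</value>", "<value>true</value>")


def _hive_site(props):
    """Render a hive-site.xml document from a dict (sample-building helper)."""
    body = "".join(
        f"  <property><name>{k}</name><value>{v}</value></property>\n"
        for k, v in props.items())
    return f'<?xml version="1.0"?>\n<configuration>\n{body}</configuration>\n'


COMPLETE_HIVE_SITE = _hive_site({**REQUIRED_HIVE_PROPS, "hive.server2.enable.doAs": "true"})
# Same file with the authorization manager left out, to show a finding.
INCOMPLETE_HIVE_SITE = _hive_site({k: v for k, v in REQUIRED_HIVE_PROPS.items()
                                   if k != "hive.security.metastore.authorization.manager"})

if __name__ == "__main__":
    for label, hdfs, hive in [("weak", WEAK_HDFS_SITE, INCOMPLETE_HIVE_SITE),
                              ("fixed", FIXED_HDFS_SITE, COMPLETE_HIVE_SITE)]:
        print(label + ":", lint(hdfs, hive) or "OK")
```

Running it prints two findings for the weak pair (permissions disabled in HDFS, authorization manager missing in Hive) and OK for the fixed pair. Point it at real files with `lint(open("hdfs-site.xml").read(), open("hive-site.xml").read())`; note that it only reads the files, so a value overridden elsewhere (for example in hive-site.xml on a different host, or through the metastore's own copy of the file) is not seen.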
