Re: Is there a way to create user account and grant read only permissions?
Thanks KS and others for thoughts and ideas. I found an ok alternative may benefit others in the same situation. The reason for users account is mainly for business users. HUE is the GUI interface we deployed for non-technical users. User need account to access HUE which is the gateway for HIVE. It's not a perfect solution because user still can drop any table. Maybe can tighten the hdfs file permission with read-only. Need to test on that. -Patrick From: Bejoy KS mailto:bejoy...@yahoo.com>> Reply-To: "user@hive.apache.org<mailto:user@hive.apache.org>" mailto:user@hive.apache.org>>, "bejoy...@yahoo.com<mailto:bejoy...@yahoo.com>" mailto:bejoy...@yahoo.com>> Date: Friday, May 18, 2012 9:08 PM To: "user@hive.apache.org<mailto:user@hive.apache.org>" mailto:user@hive.apache.org>> Subject: Re: Is there a way to create user account and grant read only permissions? Hi patrick The Authorization mechanisms in hive are not as solid as other RDBMS. A user can grant himself rights and can then drop a table or do whatever operations he likes to do. There is no super user(admin) and sub user concept in hive yet, but the community is having plans to implement that in future with strong Authorization mechanisms. Saying this if the business users are guaranteed not to play with GRANT statements or rather not change permissions themselves, (But it is hard to guarantee this when the no of users are large :) ) hive can satisfy your requirement. Regards Bejoy KS Sent from handheld, please excuse typos. From: "Raghunath, Ranjith" mailto:ranjith.raghuna...@usaa.com>> Date: Sat, 19 May 2012 00:54:36 + To: user@hive.apache.org<mailto:user@hive.apache.org>mailto:user@hive.apache.org>> ReplyTo: user@hive.apache.org<mailto:user@hive.apache.org> Subject: RE: Is there a way to create user account and grant read only permissions? Take a look at this, https://cwiki.apache.org/Hive/languagemanual-auth.html. This may be what you are looking for . From: shashwat shriparv [mailto:dwivedishash...@gmail.com] Sent: Friday, May 18, 2012 3:08 PM To: user@hive.apache.org<mailto:user@hive.apache.org> Subject: Re: Is there a way to create user account and grant read only permissions? Check out this https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration On Sat, May 19, 2012 at 12:17 AM, Patrick Luo mailto:l...@trulia.com>> wrote: My use case requires individual accounts for business users groups. Is there a way to mimic MySQL (or other database) to create users with read-only permissions? This avoid business user accidental table drop. Metastore has table ROLES but don’t see documentation on that. Much appreciated if anyone can point to the documentation or share your thoughts on this? - Patrick -- ∞ Shashwat Shriparv
Re: Is there a way to create user account and grant read only permissions?
How are others setting up hive for use in production? I guess my real question how are many of us getting around these security gaps? Thanks, Ranjith On May 19, 2012, at 12:05 AM, Bejoy Ks wrote: > Hi Ranjith > > AFAIK Segmenting tables into databases won't help much as, again the > Authorization issues would pop out. An user himself may be able to grant > rights to access another db. Different metastores is an option, but again > maintaining all of them is still a hassle, still you can do it. The fair > solution is only on its way. :) > > Regards > Bejoy > > From: Ranjith > To: "user@hive.apache.org" > Cc: "user@hive.apache.org" > Sent: Saturday, May 19, 2012 9:53 AM > Subject: Re: Is there a way to create user account and grant read only > permissions? > > Is separate metastores and separate hive servers the only way to go here? Or > can we segment tables into databases and then use hive authorization. > > Thanks, > Ranjith > > On May 18, 2012, at 11:08 PM, "Bejoy KS" wrote: > >> Hi patrick >> The Authorization mechanisms in hive are not as solid as other RDBMS. A user >> can grant himself rights and can then drop a table or do whatever operations >> he likes to do. There is no super user(admin) and sub user concept in hive >> yet, but the community is having plans to implement that in future with >> strong Authorization mechanisms. >> Saying this if the business users are guaranteed not to play with GRANT >> statements or rather not change permissions themselves, (But it is hard to >> guarantee this when the no of users are large :) ) hive can satisfy your >> requirement. >> Regards >> Bejoy KS >> >> Sent from handheld, please excuse typos. >> From: "Raghunath, Ranjith" >> Date: Sat, 19 May 2012 00:54:36 + >> To: user@hive.apache.org >> ReplyTo: user@hive.apache.org >> Subject: RE: Is there a way to create user account and grant read only >> permissions? >> >> Take a look at this, https://cwiki.apache.org/Hive/languagemanual-auth.html. >> This may be what you are looking for . >> >> From: shashwat shriparv [mailto:dwivedishash...@gmail.com] >> Sent: Friday, May 18, 2012 3:08 PM >> To: user@hive.apache.org >> Subject: Re: Is there a way to create user account and grant read only >> permissions? >> >> Check out this >> >> https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration >> On Sat, May 19, 2012 at 12:17 AM, Patrick Luo wrote: >> My use case requires individual accounts for business users groups. Is there >> a way to mimic MySQL (or other database) to create users with read-only >> permissions? This avoid business user accidental table drop. Metastore has >> table ROLES but don’t see documentation on that. Much appreciated if anyone >> can point to the documentation or share your thoughts on this? >> >> - Patrick >> >> >> >> >> >> -- >> >> ∞ >> Shashwat Shriparv >> >> > >
Re: Is there a way to create user account and grant read only permissions?
Hi Ranjith AFAIK Segmenting tables into databases won't help much as, again the Authorization issues would pop out. An user himself may be able to grant rights to access another db. Different metastores is an option, but again maintaining all of them is still a hassle, still you can do it. The fair solution is only on its way. :) Regards Bejoy From: Ranjith To: "user@hive.apache.org" Cc: "user@hive.apache.org" Sent: Saturday, May 19, 2012 9:53 AM Subject: Re: Is there a way to create user account and grant read only permissions? Is separate metastores and separate hive servers the only way to go here? Or can we segment tables into databases and then use hive authorization. Thanks, Ranjith On May 18, 2012, at 11:08 PM, "Bejoy KS" wrote: Hi patrick >The Authorization mechanisms in hive are not as solid as other RDBMS. A user >can grant himself rights and can then drop a table or do whatever operations >he likes to do. There is no super user(admin) and sub user concept in hive >yet, but the community is having plans to implement that in future with strong >Authorization mechanisms. >Saying this if the business users are guaranteed not to play with GRANT >statements or rather not change permissions themselves, (But it is hard to >guarantee this when the no of users are large :) ) hive can satisfy your >requirement. > >Regards >Bejoy KS > >Sent from handheld, please excuse typos. > > >From: "Raghunath, Ranjith" >Date: Sat, 19 May 2012 00:54:36 +0000 >To: user@hive.apache.org >ReplyTo: user@hive.apache.org >Subject: RE: Is there a way to create user account and grant read only >permissions? > > >Take a look at this, https://cwiki.apache.org/Hive/languagemanual-auth.html. >This may be what you are looking for . > >From:shashwat shriparv [mailto:dwivedishash...@gmail.com] >Sent: Friday, May 18, 2012 3:08 PM >To: user@hive.apache.org >Subject: Re: Is there a way to create user account and grant read only >permissions? > >Check out this > >https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration >On Sat, May 19, 2012 at 12:17 AM, Patrick Luo wrote: >My use case requires individual accounts for business users groups. Is there a >way to mimic MySQL (or other database) to create users with read-only >permissions? This avoid business user accidental table drop. Metastore has >table ROLES but don’t see documentation on that. Much appreciated if anyone >can point to the documentation or share your thoughts on this? > >- Patrick > > > > > > >-- > >∞ >Shashwat Shriparv > >
Re: Is there a way to create user account and grant read only permissions?
Is separate metastores and separate hive servers the only way to go here? Or can we segment tables into databases and then use hive authorization. Thanks, Ranjith On May 18, 2012, at 11:08 PM, "Bejoy KS" wrote: > Hi patrick > The Authorization mechanisms in hive are not as solid as other RDBMS. A user > can grant himself rights and can then drop a table or do whatever operations > he likes to do. There is no super user(admin) and sub user concept in hive > yet, but the community is having plans to implement that in future with > strong Authorization mechanisms. > Saying this if the business users are guaranteed not to play with GRANT > statements or rather not change permissions themselves, (But it is hard to > guarantee this when the no of users are large :) ) hive can satisfy your > requirement. > Regards > Bejoy KS > > Sent from handheld, please excuse typos. > From: "Raghunath, Ranjith" > Date: Sat, 19 May 2012 00:54:36 + > To: user@hive.apache.org > ReplyTo: user@hive.apache.org > Subject: RE: Is there a way to create user account and grant read only > permissions? > > Take a look at this, https://cwiki.apache.org/Hive/languagemanual-auth.html. > This may be what you are looking for . > > From: shashwat shriparv [mailto:dwivedishash...@gmail.com] > Sent: Friday, May 18, 2012 3:08 PM > To: user@hive.apache.org > Subject: Re: Is there a way to create user account and grant read only > permissions? > > Check out this > > https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration > > On Sat, May 19, 2012 at 12:17 AM, Patrick Luo wrote: > My use case requires individual accounts for business users groups. Is there > a way to mimic MySQL (or other database) to create users with read-only > permissions? This avoid business user accidental table drop. Metastore has > table ROLES but don’t see documentation on that. Much appreciated if anyone > can point to the documentation or share your thoughts on this? > > - Patrick > > > > > > -- > > ∞ > Shashwat Shriparv > >
Re: Is there a way to create user account and grant read only permissions?
Hi patrick The Authorization mechanisms in hive are not as solid as other RDBMS. A user can grant himself rights and can then drop a table or do whatever operations he likes to do. There is no super user(admin) and sub user concept in hive yet, but the community is having plans to implement that in future with strong Authorization mechanisms. Saying this if the business users are guaranteed not to play with GRANT statements or rather not change permissions themselves, (But it is hard to guarantee this when the no of users are large :) ) hive can satisfy your requirement. Regards Bejoy KS Sent from handheld, please excuse typos. -Original Message- From: "Raghunath, Ranjith" Date: Sat, 19 May 2012 00:54:36 To: user@hive.apache.org Reply-To: user@hive.apache.org Subject: RE: Is there a way to create user account and grant read only permissions? Take a look at this, https://cwiki.apache.org/Hive/languagemanual-auth.html. This may be what you are looking for . From: shashwat shriparv [mailto:dwivedishash...@gmail.com] Sent: Friday, May 18, 2012 3:08 PM To: user@hive.apache.org Subject: Re: Is there a way to create user account and grant read only permissions? Check out this https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration On Sat, May 19, 2012 at 12:17 AM, Patrick Luo mailto:l...@trulia.com>> wrote: My use case requires individual accounts for business users groups. Is there a way to mimic MySQL (or other database) to create users with read-only permissions? This avoid business user accidental table drop. Metastore has table ROLES but don’t see documentation on that. Much appreciated if anyone can point to the documentation or share your thoughts on this? - Patrick -- ∞ Shashwat Shriparv
RE: Is there a way to create user account and grant read only permissions?
Take a look at this, https://cwiki.apache.org/Hive/languagemanual-auth.html. This may be what you are looking for . From: shashwat shriparv [mailto:dwivedishash...@gmail.com] Sent: Friday, May 18, 2012 3:08 PM To: user@hive.apache.org Subject: Re: Is there a way to create user account and grant read only permissions? Check out this https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration On Sat, May 19, 2012 at 12:17 AM, Patrick Luo mailto:l...@trulia.com>> wrote: My use case requires individual accounts for business users groups. Is there a way to mimic MySQL (or other database) to create users with read-only permissions? This avoid business user accidental table drop. Metastore has table ROLES but don’t see documentation on that. Much appreciated if anyone can point to the documentation or share your thoughts on this? - Patrick -- ∞ Shashwat Shriparv
Re: Is there a way to create user account and grant read only permissions?
Check out this https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration On Sat, May 19, 2012 at 12:17 AM, Patrick Luo wrote: > My use case requires individual accounts for business users groups. Is > there a way to mimic MySQL (or other database) to create users with > read-only permissions? This avoid business user accidental table drop. > Metastore has table ROLES but don’t see documentation on that. Much > appreciated if anyone can point to the documentation or share your thoughts > on this? > > - Patrick > > > -- ∞ Shashwat Shriparv