My use case requires different groups of users to have access to different databases and to be able to create only external tables for those databases. The default database must not be usable at all.

I am using storage-based authorization on Hive 0.12.0.2.0.6.0. I have set the default database directory to permissions 000, which completely disables it. For all other databases, I have set them to permissions 220, since for some reason Hive requires a database directory to have "write" permission even when creating external tables in another location. Users who belong to the group that owns a specific database are able to create external tables in that database (because they have "write" permission). If they actually tried to create an internal table for the database, it would fail because it requires "execute" permission in addition to "write" permission.

All of this works to satisfy my needs, so why am I writing this email? My concern is that I've discovered Hive's requirement for the database directory to have "write" permission on the database directory completely accidentally and have not found any documentation about this. This makes me think that it's a bug and might be fixed in a future version of Hive. If that happens, my setup above would no longer work.

My questions are the following:

1) Is the requirement for the "write" permission on the database when creating external tables a feature or a bug?
   a) If it's a feature, can it be documented somewhere?
   b) If it's a bug that will be fixed, how will authorization work on databases for external tables, if there are no longer any requirements for the permission on the database?

Thanks in advance,
Alex.
