Vijay:
      
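Hello, that configuration from the official site does work; I am already using that permission management in production myself. After you finish the corresponding hive-site.xml configuration, you need to restart so that these settings are distributed to each client. Then use grant statements to assign privileges, working with the concepts of groups and roles.

To use Hive security authorization, the following two parameters must be added to the hive-site.xml configuration.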
<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>enable or disable the hive client authorization</description>
</property>
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
  <description>the privileges automatically granted to the owner whenever a table gets created. An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
</property>
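Reminder: the hive.security.authorization.createtable.owner.grants parameter defaults to null, which leaves the creator unable to use the tables they created.

I previously got this working with Hive on Cloudera. The permissions document we used for go-live is here: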
http://note.youdao.com/noteshare?id=e8e748be14172bde09ece0e3b2fed825&sub=9E81C540D1084DC1A684EE58B0C9FC7E


Hope this helps!
                                                                                
                                                 wmky_kk
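
An added example, not part of the original e-mail or of the Hive project: a small Python check that reads a hive-site.xml and reports whether the two parameters named in the reply above are set. The sample configuration and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: authorization is enabled, but the owner-grants
# property is left unset (the default the reply warns about).
SAMPLE_HIVE_SITE = """<configuration>
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.metastore.execute.setugi</name>
    <value>true</value>
  </property>
</configuration>"""

AUTHZ_ENABLED = "hive.security.authorization.enabled"
OWNER_GRANTS = "hive.security.authorization.createtable.owner.grants"


def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <property> elements.

    If a name appears more than once, the last occurrence is kept."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_hive_authorization(xml_text):
    """Return a list of findings for the two settings named in the reply."""
    props = load_properties(xml_text)
    findings = []
    if props.get(AUTHZ_ENABLED, "").lower() != "true":
        findings.append(f"{AUTHZ_ENABLED} is not 'true': "
                        "hive client authorization is disabled")
    grants = props.get(OWNER_GRANTS, "")
    if not grants or grants.lower() == "null":
        findings.append(f"{OWNER_GRANTS} is unset: per the reply, "
                        "creators cannot use tables they create")
    return findings


if __name__ == "__main__":
    for finding in audit_hive_authorization(SAMPLE_HIVE_SITE):
        print("FINDING:", finding)
```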



At 2017-11-09 13:57:03, "Vijay Toshniwal" <vijay.toshni...@gmail.com> wrote:


Hi Team,

 

I am facing issues while configuring hive storage based authorization. I 
followed the steps mentioned in 
https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server
 however, any user can still create a database in hive (using beeline and cli) at 
will, though they are not able to delete other users' databases. My hive directory 
permission is set to 770 (hive:hadoop). Below are the parameters that I added to 
hive-site.xml:

 

hive.metastore.pre.event.listeners: 
org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener

hive.security.metastore.authorization.auth.reads: true

hive.security.metastore.authenticator.manager: org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator

hive.security.metastore.authorization.manager: 
org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider

hive.metastore.execute.setugi: true

hive.server2.enable.doAs: true

 

hive version: 1.2.1

Hadoop version: 2.7.3

 

My understanding was only those users having write access to 
/user/hive/warehouse should be able to create the database. Please suggest.

 




I also found one similar question 
https://stackoverflow.com/questions/43734947/does-the-storage-based-authorization-or-sql-standards-based-hive-authorization-w?rq=1
 where the default authorization is not working as expected.

 

Request you to provide your inputs on the same.




Thanks,

Vijay
