Hi,

As per the suggestion, I kerberized the cluster; however, I am getting the
same issue. Any user, after authenticating using a keytab, can go and create
databases.

One thing I observed was that dfs.permissions.enabled in hdfs-site.xml was
set to false. After setting it to true, only a user with the required
privilege on the warehouse dir was able to create a database. However, that
works without even enabling the Hive storage based authorization. So I am not
sure how Hive storage based authorization will provide additional security.
Definitely I am missing something.

Please suggest.

Thanks,
Vijay

On Thu, Nov 9, 2017 at 1:55 PM, Jörn Franke <jornfra...@gmail.com> wrote:

> Then you need to kerberize it to support what you want
>
> On 9. Nov 2017, at 09:18, Vijay Toshniwal <vijay.toshni...@gmail.com>
> wrote:
>
> No, it's not.
>
> Thanks,
> Vijay
>
> On Thu, Nov 9, 2017 at 1:09 PM, Jörn Franke <jornfra...@gmail.com> wrote:
>
>> Is your Hadoop cluster kerberized?
>>
>> On 9. Nov 2017, at 06:57, Vijay Toshniwal <vijay.toshni...@gmail.com>
>> wrote:
>>
>> Hi Team,
>>
>>
>>
>> I am facing issues while configuring Hive storage based authorization. I
>> followed the steps mentioned in
>> https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server
>> however, any user can still create a database in Hive (using beeline and
>> the CLI) at will, though they are not able to delete other users'
>> databases. My hive directory permission is set to 770 (hive:hadoop). Below
>> are the parameters that I added to hive-site.xml:
>>
>>
>>
>> hive.metastore.pre.event.listeners:
>> org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
>>
>> hive.security.metastore.authorization.auth.reads: true
>>
>> hive.security.metastore.authenticator.manager:
>> org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator
>>
>> hive.security.metastore.authorization.manager:
>> org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider
>>
>> hive.metastore.execute.setugi: true
>>
>> hive.server2.enable.doAs: true
>>
>>
>>
>> hive version: 1.2.1
>>
>> Hadoop version: 2.7.3
>>
>>
>>
>> My understanding was only those users having write access to
>> /user/hive/warehouse should be able to create the database. Please suggest.
>>
>>
>>
>>
>> I also found one similar question
>> https://stackoverflow.com/questions/43734947/does-the-storage-based-authorization-or-sql-standards-based-hive-authorization-w?rq=1
>> where the default authorization is not working as expected.
>>
>>
>>
>> Request you to provide your inputs on the same.
>>
>>
>> Thanks,
>>
>> Vijay
>>
>>
>
