What kind of access do you need for a user? From a distance it is quite difficult to judge, because we do not have all information and the Kerberos setup can be rather tricky (if not using a Hadoop distribution facilitating it).
Usually fine granular access is supported by using Apache Ranger or Apache Sentry.

> On 15. Nov 2017, at 12:19, Vijay Toshniwal <[email protected]> wrote:
>
> Hi,
>
> As per the suggestion I did kerberize the cluster, however getting the same
> issue. Any user after authenticating using a keytab can go and create
> databases.
>
> One thing I observed was the dfs.permissions.enabled in hdfs-site.xml set to
> false. After setting it to true a user with required privilege on the
> warehouse dir was only able to create database. However that works without
> even enabling the hive storage based authorization. So not sure how hive
> storage based authorization will provide additional security. Definitely I am
> missing something.
>
> Please suggest.
>
> Thanks,
> Vijay
>
>> On Thu, Nov 9, 2017 at 1:55 PM, Jörn Franke <[email protected]> wrote:
>> Then you need to kerberize it to support what you want
>>
>>> On 9. Nov 2017, at 09:18, Vijay Toshniwal <[email protected]> wrote:
>>>
>>> No, it's not.
>>>
>>> Thanks,
>>> Vijay
>>>
>>>> On Thu, Nov 9, 2017 at 1:09 PM, Jörn Franke <[email protected]> wrote:
>>>> Is your Hadoop cluster kerberized?
>>>>
>>>>> On 9. Nov 2017, at 06:57, Vijay Toshniwal <[email protected]>
>>>>> wrote:
>>>>>
>>>>> Hi Team,
>>>>>
>>>>> I am facing issues while configuring hive storage based authorization. I
>>>>> followed the steps mentioned in
>>>>> https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server
>>>>> however still any user can create database in hive (using beeline and
>>>>> cli) at will though not able to delete other users' databases.
>>>>> My hive directory permission is set to 770 (hive:hadoop). Below are the
>>>>> parameters that I added to hive-site.xml:
>>>>>
>>>>> hive.metastore.pre.event.listeners:
>>>>> org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
>>>>>
>>>>> hive.security.metastore.authorization.auth.reads: true
>>>>>
>>>>> hive.security.metastore.authenticator.manager:
>>>>> org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator
>>>>>
>>>>> hive.security.metastore.authorization.manager:
>>>>> org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider
>>>>>
>>>>> hive.metastore.execute.setugi: true
>>>>>
>>>>> hive.server2.enable.doAs: true
>>>>>
>>>>> hive version: 1.2.1
>>>>>
>>>>> Hadoop version: 2.7.3
>>>>>
>>>>> My understanding was only those users having write access to
>>>>> /user/hive/warehouse should be able to create the database. Please
>>>>> suggest.
>>>>>
>>>>> I also found one similar question
>>>>> https://stackoverflow.com/questions/43734947/does-the-storage-based-authorization-or-sql-standards-based-hive-authorization-w?rq=1
>>>>> where the default authorization is not working as expected.
>>>>>
>>>>> Request you to provide your inputs on the same.
>>>>>
>>>>> Thanks,
>>>>> Vijay
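
Added example (not part of the original thread and not code from the Hive project): a Python check that reads hive-site.xml and hdfs-site.xml and reports when the settings listed in the thread are missing, or when dfs.permissions.enabled is false as described in the 15 Nov message. The sample files are constructed, the helper names are hypothetical, and an unset dfs.permissions.enabled is assumed to default to true as in Hadoop 2.x.

```python
import xml.etree.ElementTree as ET

# hive-site.xml settings listed in the thread for metastore storage-based authorization.
PKG = "org.apache.hadoop.hive.ql.security"
EXPECTED_HIVE = {
    "hive.metastore.pre.event.listeners": PKG + ".authorization.AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager": PKG + ".authorization.StorageBasedAuthorizationProvider",
    "hive.security.metastore.authenticator.manager": PKG + ".HadoopDefaultMetastoreAuthenticator",
    "hive.security.metastore.authorization.auth.reads": "true",
    "hive.metastore.execute.setugi": "true",
    "hive.server2.enable.doAs": "true",
}

def load_props(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(hive_xml, hdfs_xml):
    """Return a list of findings; an empty list means every check passed."""
    hive, hdfs = load_props(hive_xml), load_props(hdfs_xml)
    findings = []
    for key, want in EXPECTED_HIVE.items():
        # Listener and manager properties may hold a comma-separated list.
        values = [v.strip() for v in hive.get(key, "").split(",")]
        if want == "true":
            values = [v.lower() for v in values]
        if want not in values:
            findings.append(f"hive-site.xml: {key} = {hive.get(key)!r}, expected {want}")
    # Assumption: unset means the Hadoop 2.x default of true.
    if hdfs.get("dfs.permissions.enabled", "true").lower() != "true":
        findings.append("hdfs-site.xml: dfs.permissions.enabled is not true, so HDFS "
                        "does not enforce the warehouse directory permissions")
    return findings

def to_xml(props):
    """Build a constructed sample config file from a dict."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

SAMPLE_HIVE = to_xml(EXPECTED_HIVE)                            # constructed
SAMPLE_HDFS_BAD = to_xml({"dfs.permissions.enabled": "false"})  # constructed
SAMPLE_HDFS_OK = to_xml({"dfs.permissions.enabled": "true"})    # constructed

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HIVE, SAMPLE_HDFS_BAD)) or "all checks passed")
```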
