We are looking for database level access for user and group. A group of users should only have write access to a particular database and read access to some. They should not be able to create databases at their end.
I did try Sentry, however I am facing some compatibility issues, it seems. My Hive version is 1.2.1 and Hadoop 2.7.3. I tried to build Sentry 1.5.1 from GitHub for the configuration mentioned, however I was not able to build it successfully as it's giving an error for the hdfs-name-node plugin. Will look at it in more detail.

Thanks for all your suggestions and help.

Regards,
Vijay

On Wed, Nov 15, 2017 at 5:00 PM, Jörn Franke <[email protected]> wrote:

> What kind of access do you need for a user?
>
> From a distance it is quite difficult to judge, because we do not have all
> information and the Kerberos setup can be rather tricky (if not using a
> Hadoop distribution facilitating it).
>
> Usually fine granular access is supported by using Apache Ranger or Apache
> Sentry.
>
> On 15. Nov 2017, at 12:19, Vijay Toshniwal <[email protected]> wrote:
>
> Hi,
>
> As per the suggestion I did kerberize the cluster, however I am getting the
> same issue. Any user after authenticating using a keytab can go and create
> databases.
>
> One thing I observed was that dfs.permissions.enabled in hdfs-site.xml was set
> to false. After setting it to true, only a user with the required privilege on the
> warehouse dir was able to create a database. However, that works without
> even enabling the Hive storage based authorization. So not sure how Hive
> storage based authorization will provide additional security. Definitely I
> am missing something.
>
> Please suggest.
>
> Thanks,
> Vijay
>
> On Thu, Nov 9, 2017 at 1:55 PM, Jörn Franke <[email protected]> wrote:
>
>> Then you need to kerberize it to support what you want
>>
>> On 9. Nov 2017, at 09:18, Vijay Toshniwal <[email protected]> wrote:
>>
>> No, it's not.
>>
>> Thanks,
>> Vijay
>>
>> On Thu, Nov 9, 2017 at 1:09 PM, Jörn Franke <[email protected]> wrote:
>>
>>> Is your Hadoop cluster kerberized?
>>>
>>> On 9. Nov 2017, at 06:57, Vijay Toshniwal <[email protected]> wrote:
>>>
>>> Hi Team,
>>>
>>> I am facing issues while configuring Hive storage based authorization. I
>>> followed the steps mentioned in
>>> https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server
>>> however still any user can create a database in Hive (using beeline and cli)
>>> at will, though not able to delete other users' databases. My Hive directory
>>> permission is set to 770 (hive:hadoop). Below are the parameters that I
>>> added to hive-site.xml:
>>>
>>> hive.metastore.pre.event.listeners: org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
>>>
>>> hive.security.metastore.authorization.auth.reads: true
>>>
>>> hive.security.metastore.authenticator.manager: org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator
>>>
>>> hive.security.metastore.authorization.manager: org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider
>>>
>>> hive.metastore.execute.setugi: true
>>>
>>> hive.server2.enable.doAs: true
>>>
>>> Hive version: 1.2.1
>>>
>>> Hadoop version: 2.7.3
>>>
>>> My understanding was only those users having write access to
>>> /user/hive/warehouse should be able to create the database. Please suggest.
>>>
>>> I also found one similar question
>>> https://stackoverflow.com/questions/43734947/does-the-storage-based-authorization-or-sql-standards-based-hive-authorization-w?rq=1
>>> where the default authorization is not working as expected.
>>>
>>> Request you to provide your inputs on the same.
>>>
>>> Thanks,
>>>
>>> Vijay
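
The configuration check this thread works through, as an added example (not part of the original messages and not Hive project code): a small Python audit that reads Hadoop-style XML configs and reports where they differ from the hive-site.xml settings listed in the thread, plus dfs.permissions.enabled. The function names and sample files are constructed for illustration, and an unset dfs.permissions.enabled is assumed to take the HDFS default of true.

```python
import xml.etree.ElementTree as ET

AUTHZ = "org.apache.hadoop.hive.ql.security.authorization."
# Expected values: the hive-site.xml settings listed in the thread, plus the
# HDFS switch the thread found to decide whether permissions are enforced.
EXPECTED = {
    "hive.metastore.pre.event.listeners": AUTHZ + "AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager": AUTHZ + "StorageBasedAuthorizationProvider",
    "hive.security.metastore.authenticator.manager":
        "org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator",
    "hive.security.metastore.authorization.auth.reads": "true",
    "dfs.permissions.enabled": "true",
}
DEFAULTS = {"dfs.permissions.enabled": "true"}  # assumed HDFS default when the key is unset

def load_props(*xml_docs):
    """Merge name/value pairs from Hadoop-style <configuration> documents."""
    props = {}
    for doc in xml_docs:
        for prop in ET.fromstring(doc).iter("property"):
            name = (prop.findtext("name") or "").strip()
            if name:
                props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(props):
    """Return (key, found, expected) for each setting that is missing or differs."""
    findings = []
    for key, expected in EXPECTED.items():
        found = props.get(key, DEFAULTS.get(key))
        # Some keys (e.g. the listener list) take comma-separated values.
        values = [v.strip() for v in (found or "").split(",")]
        if expected == "true":
            values = [v.lower() for v in values]
        if expected not in values:
            findings.append((key, found, expected))
    return findings

def to_xml(settings):
    """Render a dict as a configuration document (only used to build the samples)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in settings.items())
    return f"<configuration>{body}</configuration>"

# Constructed samples: Hive configured as in the thread, HDFS permissions off.
HIVE_SITE = to_xml({k: v for k, v in EXPECTED.items() if k.startswith("hive.")})
HDFS_SITE = to_xml({"dfs.permissions.enabled": "false"})

if __name__ == "__main__":
    for key, found, expected in audit(load_props(HIVE_SITE, HDFS_SITE)):
        print(f"{key}: found {found!r}, expected {expected!r}")
```

On the constructed samples the only finding is dfs.permissions.enabled, which matches the behaviour reported in the 15 Nov message.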
