Storage-Based Authorization

One of the available authorization methods for Hive

When the metastore server is configured to use Storage-Based Authorization, it uses the file system permissions of the directories that correspond to the metadata objects (databases, tables, partitions) as the source of truth for the authorization policy. This authorization method is the recommended one for the metastore server.

In Hive, each database or table has a corresponding directory on the file system used for storage. Under this authorization model, the read/write permissions on that directory also determine the permissions a user or group has on the database or table.

As of Hive 0.14, Storage-Based Authorization can also enforce read privileges on databases and tables. The get_database API call requires read permission on the database directory. The get_table_* calls, which return table information, and the get_partition_* calls, which list the partitions of a table, both require read permission on the table directory. These read checks are enabled by default with Storage-Based Authorization.


Configuring Parameters for Storage-Based Authorization

  1. To enable storage-based authorization in the Hive metastore, configure the following properties in the Hive Configs tab by typing each property name in the Filter box and setting its value as described:

     hive.metastore.pre.event.listeners
       Enables metastore security. Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener.

     hive.security.metastore.authenticator.manager
       Set to org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator.

     hive.security.metastore.authorization.auth.reads
       When set to true, metastore authorization also checks read access. The default is true.

     hive.security.metastore.authorization.manager
       A comma-separated list of the authorization manager class names to be used in the metastore. Set to org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.

     hive.server2.enable.doAs
       Controls whether queries run as the HiveServer2 service user (false) or as the user who submitted the query (true).

     hive.security.authorization.enabled
       Enables or disables authorization. In the Advanced hiveserver-site section, set the value to true to enable authorization for HiveServer2. In the General section, set this value to false.

     hive.security.authorization.manager
       The class name of the Hive client authorization manager. For storage-based authorization, set it to org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.
  2. Click Save. In the Save Configuration confirmation window, click Save, then click OK when the information window reports that the changes were saved.
  3. The Ambari dashboard indicates that a restart is required. Click Restart > Restart All Affected, then click Confirm Restart All.

Minimum Permissions

The following table shows the minimum file system permissions required for each Hive operation when using Storage-Based Authorization:

Operation                 Permission required
Alter Table               Table write access
Create Table              Database write access
Create Table as Select    Database write access and read access to the source table
Drop Table                Database write access
Export                    Table read access
Import                    Table write access
Load                      Table write access
Select                    Table read access
Show Tables               Database read access
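To see how the table above combines with directory permissions, here is an added example (not part of this documentation and not Hive's own implementation) that models the storage-based check: it parses a constructed `hdfs dfs -ls -R` listing of a warehouse and answers whether a user may run a given operation on a database or table. It assumes a warehouse root of /warehouse and the database directory naming convention <db>.db, and it covers the single-object operations from the table (Create Table as Select would additionally need the source-table read check).

```python
"""Simplified model of Storage-Based Authorization: an operation is permitted
when the caller holds the required bit on the directory backing the object."""
import re

# Constructed `hdfs dfs -ls -R` output for a sample warehouse; not real cluster data.
LISTING = """\
drwxrwx---   - hive   hive          0 2020-01-01 00:00 /warehouse/sales.db
drwxr-x---   - hive   analysts      0 2020-01-01 00:00 /warehouse/sales.db/orders
drwxrwx---   - alice  analysts      0 2020-01-01 00:00 /warehouse/sales.db/staging
"""

# Operation -> (object whose directory is checked, required bit), from the table above.
RULES = {
    "alter table": ("table", "w"),
    "create table": ("database", "w"),
    "drop table": ("database", "w"),
    "export": ("table", "r"),
    "import": ("table", "w"),
    "load": ("table", "w"),
    "select": ("table", "r"),
    "show tables": ("database", "r"),
}
# type, mode (optional '+' ACL marker), replication, owner, group, size, date, time, path
LS_LINE = re.compile(
    r"^([d-])([rwx-]{9})\+?\s+\S+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(\S+)$")

def parse_listing(text):
    """Map each listed path to (mode bits, owner, group)."""
    perms = {}
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            _, mode, owner, group, path = m.groups()
            perms[path] = (mode, owner, group)
    return perms

def has_bit(mode, owner, group, user, groups, bit):
    """POSIX/HDFS rule: owner class if owner, else group class, else other class."""
    cls = mode[0:3] if user == owner else mode[3:6] if group in groups else mode[6:9]
    return bit in cls

def is_allowed(perms, user, groups, operation, db, table=None, warehouse="/warehouse"):
    """Apply the minimum-permission rule for `operation` to db or db.table."""
    obj, bit = RULES[operation.lower()]
    db_dir = f"{warehouse}/{db}.db"           # assumed directory naming convention
    path = db_dir if obj == "database" else f"{db_dir}/{table}"
    mode, owner, group = perms[path]          # KeyError if the directory is not listed
    return has_bit(mode, owner, group, user, groups, bit)
```

Running this over a real listing of your warehouse is a quick way to audit which users can alter or drop tables purely through directory ownership and mode bits.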

Creating New Tables or Databases

Two methods are available for creating tables or databases with the necessary permissions: use the Hive command line to create the table or database and then adjust the permissions of its directory with a file system operation, or use the HCatalog command line to create the table or database.

The HCatalog command-line tool uses the same syntax as Hive, and it creates databases and tables whose corresponding directories are owned by the user who created them.