Storage-based authorization

You can use storage-based authorization with impersonation to better secure metadata when multiple clients access the Hive metastore.

When the metastore server security is configured to use storage-based authorization, it uses the file system permissions for folders corresponding to the different metadata objects as the source of verification for the authorization policy. Storage-based authorization is not enabled by default on CDP 7.1.3.

Configuring parameters for storage-based authorization

  1. To enable storage-based authorization in the Hive metastore, configure the following properties in Cloudera Manager, under Hive Service Advanced Configuration Snippet (Safety Valve) for hive-site.xml:
    Configuration parameter Description
    hive.metastore.pre.event.listeners This parameter enables metastore-side security. Set to Set to When this parameter is set to true (the default), Hive metastore authorization also checks for read access. This parameter tells Hive which metastore-side authorization provider to use. The default setting uses DefaultHiveMetastoreAuthorizationProvider, which implements the standard Hive grant or revoke model. Set to
  2. Click Save.
  3. Restart all stale services.