Storage-based authorization

You can use storage-based authorization with impersonation to better secure metadata when multiple clients access the Hive metastore.

When the metastore server security is configured to use storage-based authorization, it uses the file system permissions for folders corresponding to the different metadata objects as the source of verification for the authorization policy. Storage-based authorization is not enabled by default on CDP 7.1.3.

Configuring parameters for storage-based authorization

  1. To enable storage-based authorization in the Hive metastore, configure the following properties in Cloudera Manager, under Hive Service Advanced Configuration Snippet (Safety Valve) for hive-site.xml:
     Configuration parameter: hive.metastore.pre.event.listeners
     Description: Enables metastore-side security by running authorization checks before each metastore event. Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener

     Configuration parameter: hive.security.metastore.authenticator.manager
     Description: Identifies the caller for metastore-side authorization. Set to org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator

     Configuration parameter: hive.security.metastore.authorization.auth.reads
     Description: When this parameter is set to true (the default), Hive metastore authorization also checks for read access.

     Configuration parameter: hive.security.metastore.authorization.manager
     Description: Tells Hive which metastore-side authorization provider to use. The default setting uses DefaultHiveMetastoreAuthorizationProvider, which implements the standard Hive grant or revoke model. Set to org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider
  2. Click Save.
  3. Restart all stale services.
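The four properties from the table, written as the hive-site.xml snippet that is pasted into the Safety Valve field. This is an added example, not Cloudera's own text; it assumes only the property names and class values listed above, and the <description> elements are explanatory wording added here.

```xml
<!-- Added example: hive-site.xml Safety Valve snippet that enables storage-based
     authorization in the Hive metastore. Names and values are the ones listed in
     the table above; the <description> text is explanatory only. -->
<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
  <description>Run authorization checks in the metastore before each metadata event.</description>
</property>
<property>
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  <description>Identify the caller from its Hadoop user identity (the impersonated end user, not the service account).</description>
</property>
<property>
  <name>hive.security.metastore.authorization.auth.reads</name>
  <value>true</value>
  <description>Also require read permission on the object's directory for read-only metadata operations. This is the default; it is set explicitly so the intent is visible in the configuration.</description>
</property>
<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
  <description>Authorize metadata changes from the file system permissions of the corresponding directory instead of the grant/revoke model.</description>
</property>
```

After the restart, a user can create, alter or drop a table only if the file system permissions on the corresponding warehouse directory allow it, so the directory ownership and mode bits become the effective policy to review.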