How to prevent user drop table in Hive metadata?

[Echo Li <ec...@gmail.com>]

Good Friday!

I was trying to apply certain level of security in our hive data warehouse,
by modifying access mode of directories and files on hdfs to 755 I think
it's good enough for a new user to remove data, however the user still can
drop the table definition in hive cli, seems the "revoke" doesn't help
much, is there any way to prevent this?


Thanks,
Echo

Re: How to prevent user drop table in Hive metadata?

[Nitin Pawar <ni...@gmail.com>]

So, If I get it right

you are looking for role level authorizations?
like what all a user can do and what it can not do?




On Sat, Nov 23, 2013 at 1:15 AM, Biswajit Nayak
<bi...@inmobi.com>wrote:

> Hi Echo,
>
> I dont think there is any to prevent this. I had the same concern in
> hbase, but found out that it is assumed that user using the system are very
> much aware of it.  I am into hive from last 3 months, was looking for some
> kind of way here, but no luck till now..
>
> Thanks
> Biswa
> On 23 Nov 2013 01:06, "Echo Li" <ec...@gmail.com> wrote:
>
>> Good Friday!
>>
>> I was trying to apply certain level of security in our hive data
>> warehouse, by modifying access mode of directories and files on hdfs to 755
>> I think it's good enough for a new user to remove data, however the user
>> still can drop the table definition in hive cli, seems the "revoke" doesn't
>> help much, is there any way to prevent this?
>>
>>
>> Thanks,
>> Echo
>>
>
> _____________________________________________________________
> The information contained in this communication is intended solely for the
> use of the individual or entity to whom it is addressed and others
> authorized to receive it. It may contain confidential or legally privileged
> information. If you are not the intended recipient you are hereby notified
> that any disclosure, copying, distribution or taking any action in reliance
> on the contents of this information is strictly prohibited and may be
> unlawful. If you have received this communication in error, please notify
> us immediately by responding to this email and then delete it from your
> system. The firm is neither liable for the proper and complete transmission
> of the information contained in this communication nor for any delay in its
> receipt.




-- 
Nitin Pawar

Re: How to prevent user drop table in Hive metadata?

[Sanjay Subramanian <sa...@yahoo.com>]

Cloudera Sentry is awesome and I have implemented this in Cloudera manager 4.7.2 CDH 4.4.0. Thanks again to shreepadma for all answers to my questions on the CDH users group. I can provide guidance on Sentry configs if needed. 

Sent from my iPhone

> On Nov 22, 2013, at 4:25 PM, Shreepadma Venugopalan <sh...@cloudera.com> wrote:
> 
> Apache Sentry is already available and made its first incubating release a couple of months back. 
> 
> 
>> On Fri, Nov 22, 2013 at 3:06 PM, Echo Li <ec...@gmail.com> wrote:
>> Thanks all, that's all very helpful information.
>> 
>> Shreepadma, when will the Apache Sentry come GA?
>> 
>> 
>>> On Fri, Nov 22, 2013 at 2:36 PM, Shreepadma Venugopalan <sh...@apache.org> wrote:
>>> Apache Sentry (incubating) provides fine-grained role-based authorization for Hive among other components of the Hadoop ecosystem. It currently supports fully secure, fine-grained, role-based authorization for Hive and can be used to prevent the scenario described earlier i.e., prevent a user from dropping a table the user shouldn't be allowed to drop.
>>> 
>>> Shreepadma
>>> 
>>> 
>>>> On Fri, Nov 22, 2013 at 12:55 PM, <si...@bt.com> wrote:
>>>> Thanks Alan - I'll fwd the spec in the Jira to some of our security and integrity people for comment.
>>>> 
>>>> Simon
>>>> ----
>>>> Dr. Simon Thompson
>>>> 
>>>> ________________________________________
>>>> From: Alan Gates [gates@hortonworks.com]
>>>> Sent: 22 November 2013 20:53
>>>> To: user@hive.apache.org
>>>> Subject: Re: How to prevent user drop table in Hive metadata?
>>>> 
>>>> See https://issues.apache.org/jira/browse/HIVE-5837 for a JIRA addressing this.
>>>> 
>>>> Also, you can use the StorageBasedAuthorizationProvider in Hive, which bases metadata security on file security.  So if the user doesn't have permissions to remove the directory that stores the table data, they won't have permissions to drop the table.  This isn't perfect, but it's a start.
>>>> 
>>>> Alan.
>>>> 
>>>> On Nov 22, 2013, at 11:49 AM, <si...@bt.com> <si...@bt.com> wrote:
>>>> 
>>>> > Has no one raised a Jira ticket ?
>>>> >
>>>> > ----
>>>> > Dr. Simon Thompson
>>>> >
>>>> > ________________________________________
>>>> > From: Biswajit Nayak [biswajit.nayak@inmobi.com]
>>>> > Sent: 22 November 2013 19:45
>>>> > To: user@hive.apache.org
>>>> > Subject: Re: How to prevent user drop table in Hive metadata?
>>>> >
>>>> > Hi Echo,
>>>> >
>>>> > I dont think there is any to prevent this. I had the same concern in hbase, but found out that it is assumed that user using the system are very much aware of it.  I am into hive from last 3 months, was looking for some kind of way here, but no luck till now..
>>>> >
>>>> > Thanks
>>>> > Biswa
>>>> >
>>>> > On 23 Nov 2013 01:06, "Echo Li" <ec...@gmail.com>> wrote:
>>>> > Good Friday!
>>>> >
>>>> > I was trying to apply certain level of security in our hive data warehouse, by modifying access mode of directories and files on hdfs to 755 I think it's good enough for a new user to remove data, however the user still can drop the table definition in hive cli, seems the "revoke" doesn't help much, is there any way to prevent this?
>>>> >
>>>> >
>>>> > Thanks,
>>>> > Echo
>>>> >
>>>> > _____________________________________________________________
>>>> > The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. The firm is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.
>>>> 
>>>> 
>>>> --
>>>> CONFIDENTIALITY NOTICE
>>>> NOTICE: This message is intended for the use of the individual or entity to
>>>> which it is addressed and may contain information that is confidential,
>>>> privileged and exempt from disclosure under applicable law. If the reader
>>>> of this message is not the intended recipient, you are hereby notified that
>>>> any printing, copying, dissemination, distribution, disclosure or
>>>> forwarding of this communication is strictly prohibited. If you have
>>>> received this communication in error, please contact the sender immediately
>>>> and delete it from your system. Thank You.
> 

Re: How to prevent user drop table in Hive metadata?

[Shreepadma Venugopalan <sh...@cloudera.com>]

Apache Sentry is already available and made its first incubating release a
couple of months back.


On Fri, Nov 22, 2013 at 3:06 PM, Echo Li <ec...@gmail.com> wrote:

> Thanks all, that's all very helpful information.
>
> Shreepadma, when will the Apache Sentry come GA?
>
>
> On Fri, Nov 22, 2013 at 2:36 PM, Shreepadma Venugopalan <
> shreepadma@apache.org> wrote:
>
>> Apache Sentry (incubating) provides fine-grained role-based authorization
>> for Hive among other components of the Hadoop ecosystem. It currently
>> supports fully secure, fine-grained, role-based authorization for Hive and
>> can be used to prevent the scenario described earlier i.e., prevent a user
>> from dropping a table the user shouldn't be allowed to drop.
>>
>> Shreepadma
>>
>>
>> On Fri, Nov 22, 2013 at 12:55 PM, <si...@bt.com> wrote:
>>
>>> Thanks Alan - I'll fwd the spec in the Jira to some of our security and
>>> integrity people for comment.
>>>
>>> Simon
>>> ----
>>> Dr. Simon Thompson
>>>
>>> ________________________________________
>>> From: Alan Gates [gates@hortonworks.com]
>>> Sent: 22 November 2013 20:53
>>> To: user@hive.apache.org
>>> Subject: Re: How to prevent user drop table in Hive metadata?
>>>
>>> See https://issues.apache.org/jira/browse/HIVE-5837 for a JIRA
>>> addressing this.
>>>
>>> Also, you can use the StorageBasedAuthorizationProvider in Hive, which
>>> bases metadata security on file security.  So if the user doesn't have
>>> permissions to remove the directory that stores the table data, they won't
>>> have permissions to drop the table.  This isn't perfect, but it's a start.
>>>
>>> Alan.
>>>
>>> On Nov 22, 2013, at 11:49 AM, <si...@bt.com> <
>>> simon.2.thompson@bt.com> wrote:
>>>
>>> > Has no one raised a Jira ticket ?
>>> >
>>> > ----
>>> > Dr. Simon Thompson
>>> >
>>> > ________________________________________
>>> > From: Biswajit Nayak [biswajit.nayak@inmobi.com]
>>> > Sent: 22 November 2013 19:45
>>> > To: user@hive.apache.org
>>> > Subject: Re: How to prevent user drop table in Hive metadata?
>>> >
>>> > Hi Echo,
>>> >
>>> > I dont think there is any to prevent this. I had the same concern in
>>> hbase, but found out that it is assumed that user using the system are very
>>> much aware of it.  I am into hive from last 3 months, was looking for some
>>> kind of way here, but no luck till now..
>>> >
>>> > Thanks
>>> > Biswa
>>> >
>>> > On 23 Nov 2013 01:06, "Echo Li" <echolql@gmail.com<mailto:
>>> echolql@gmail.com>> wrote:
>>> > Good Friday!
>>> >
>>> > I was trying to apply certain level of security in our hive data
>>> warehouse, by modifying access mode of directories and files on hdfs to 755
>>> I think it's good enough for a new user to remove data, however the user
>>> still can drop the table definition in hive cli, seems the "revoke" doesn't
>>> help much, is there any way to prevent this?
>>> >
>>> >
>>> > Thanks,
>>> > Echo
>>> >
>>> > _____________________________________________________________
>>> > The information contained in this communication is intended solely for
>>> the use of the individual or entity to whom it is addressed and others
>>> authorized to receive it. It may contain confidential or legally privileged
>>> information. If you are not the intended recipient you are hereby notified
>>> that any disclosure, copying, distribution or taking any action in reliance
>>> on the contents of this information is strictly prohibited and may be
>>> unlawful. If you have received this communication in error, please notify
>>> us immediately by responding to this email and then delete it from your
>>> system. The firm is neither liable for the proper and complete transmission
>>> of the information contained in this communication nor for any delay in its
>>> receipt.
>>>
>>>
>>> --
>>> CONFIDENTIALITY NOTICE
>>> NOTICE: This message is intended for the use of the individual or entity
>>> to
>>> which it is addressed and may contain information that is confidential,
>>> privileged and exempt from disclosure under applicable law. If the reader
>>> of this message is not the intended recipient, you are hereby notified
>>> that
>>> any printing, copying, dissemination, distribution, disclosure or
>>> forwarding of this communication is strictly prohibited. If you have
>>> received this communication in error, please contact the sender
>>> immediately
>>> and delete it from your system. Thank You.
>>>
>>
>>
>

Re: How to prevent user drop table in Hive metadata?

[Xiu Guo <xg...@gmail.com>]

Does something like this not do the job?

<property>
  <name>hive.security.authorization.createtable.user.grants</name>
  <value>user1:select;user2:create</value>
</property>

I thought tweaking hive-site.xml would be fine.


On Fri, Nov 22, 2013 at 3:06 PM, Echo Li <ec...@gmail.com> wrote:

> Thanks all, that's all very helpful information.
>
> Shreepadma, when will the Apache Sentry come GA?
>
>
> On Fri, Nov 22, 2013 at 2:36 PM, Shreepadma Venugopalan <
> shreepadma@apache.org> wrote:
>
>> Apache Sentry (incubating) provides fine-grained role-based authorization
>> for Hive among other components of the Hadoop ecosystem. It currently
>> supports fully secure, fine-grained, role-based authorization for Hive and
>> can be used to prevent the scenario described earlier i.e., prevent a user
>> from dropping a table the user shouldn't be allowed to drop.
>>
>> Shreepadma
>>
>>
>> On Fri, Nov 22, 2013 at 12:55 PM, <si...@bt.com> wrote:
>>
>>> Thanks Alan - I'll fwd the spec in the Jira to some of our security and
>>> integrity people for comment.
>>>
>>> Simon
>>> ----
>>> Dr. Simon Thompson
>>>
>>> ________________________________________
>>> From: Alan Gates [gates@hortonworks.com]
>>> Sent: 22 November 2013 20:53
>>> To: user@hive.apache.org
>>> Subject: Re: How to prevent user drop table in Hive metadata?
>>>
>>> See https://issues.apache.org/jira/browse/HIVE-5837 for a JIRA
>>> addressing this.
>>>
>>> Also, you can use the StorageBasedAuthorizationProvider in Hive, which
>>> bases metadata security on file security.  So if the user doesn't have
>>> permissions to remove the directory that stores the table data, they won't
>>> have permissions to drop the table.  This isn't perfect, but it's a start.
>>>
>>> Alan.
>>>
>>> On Nov 22, 2013, at 11:49 AM, <si...@bt.com> <
>>> simon.2.thompson@bt.com> wrote:
>>>
>>> > Has no one raised a Jira ticket ?
>>> >
>>> > ----
>>> > Dr. Simon Thompson
>>> >
>>> > ________________________________________
>>> > From: Biswajit Nayak [biswajit.nayak@inmobi.com]
>>> > Sent: 22 November 2013 19:45
>>> > To: user@hive.apache.org
>>> > Subject: Re: How to prevent user drop table in Hive metadata?
>>> >
>>> > Hi Echo,
>>> >
>>> > I dont think there is any to prevent this. I had the same concern in
>>> hbase, but found out that it is assumed that user using the system are very
>>> much aware of it.  I am into hive from last 3 months, was looking for some
>>> kind of way here, but no luck till now..
>>> >
>>> > Thanks
>>> > Biswa
>>> >
>>> > On 23 Nov 2013 01:06, "Echo Li" <echolql@gmail.com<mailto:
>>> echolql@gmail.com>> wrote:
>>> > Good Friday!
>>> >
>>> > I was trying to apply certain level of security in our hive data
>>> warehouse, by modifying access mode of directories and files on hdfs to 755
>>> I think it's good enough for a new user to remove data, however the user
>>> still can drop the table definition in hive cli, seems the "revoke" doesn't
>>> help much, is there any way to prevent this?
>>> >
>>> >
>>> > Thanks,
>>> > Echo
>>> >
>>> > _____________________________________________________________
>>> > The information contained in this communication is intended solely for
>>> the use of the individual or entity to whom it is addressed and others
>>> authorized to receive it. It may contain confidential or legally privileged
>>> information. If you are not the intended recipient you are hereby notified
>>> that any disclosure, copying, distribution or taking any action in reliance
>>> on the contents of this information is strictly prohibited and may be
>>> unlawful. If you have received this communication in error, please notify
>>> us immediately by responding to this email and then delete it from your
>>> system. The firm is neither liable for the proper and complete transmission
>>> of the information contained in this communication nor for any delay in its
>>> receipt.
>>>
>>>
>>> --
>>> CONFIDENTIALITY NOTICE
>>> NOTICE: This message is intended for the use of the individual or entity
>>> to
>>> which it is addressed and may contain information that is confidential,
>>> privileged and exempt from disclosure under applicable law. If the reader
>>> of this message is not the intended recipient, you are hereby notified
>>> that
>>> any printing, copying, dissemination, distribution, disclosure or
>>> forwarding of this communication is strictly prohibited. If you have
>>> received this communication in error, please contact the sender
>>> immediately
>>> and delete it from your system. Thank You.
>>>
>>
>>
>

Re: How to prevent user drop table in Hive metadata?

[Echo Li <ec...@gmail.com>]

Thanks all, that's all very helpful information.

Shreepadma, when will the Apache Sentry come GA?


On Fri, Nov 22, 2013 at 2:36 PM, Shreepadma Venugopalan <
shreepadma@apache.org> wrote:

> Apache Sentry (incubating) provides fine-grained role-based authorization
> for Hive among other components of the Hadoop ecosystem. It currently
> supports fully secure, fine-grained, role-based authorization for Hive and
> can be used to prevent the scenario described earlier i.e., prevent a user
> from dropping a table the user shouldn't be allowed to drop.
>
> Shreepadma
>
>
> On Fri, Nov 22, 2013 at 12:55 PM, <si...@bt.com> wrote:
>
>> Thanks Alan - I'll fwd the spec in the Jira to some of our security and
>> integrity people for comment.
>>
>> Simon
>> ----
>> Dr. Simon Thompson
>>
>> ________________________________________
>> From: Alan Gates [gates@hortonworks.com]
>> Sent: 22 November 2013 20:53
>> To: user@hive.apache.org
>> Subject: Re: How to prevent user drop table in Hive metadata?
>>
>> See https://issues.apache.org/jira/browse/HIVE-5837 for a JIRA
>> addressing this.
>>
>> Also, you can use the StorageBasedAuthorizationProvider in Hive, which
>> bases metadata security on file security.  So if the user doesn't have
>> permissions to remove the directory that stores the table data, they won't
>> have permissions to drop the table.  This isn't perfect, but it's a start.
>>
>> Alan.
>>
>> On Nov 22, 2013, at 11:49 AM, <si...@bt.com> <
>> simon.2.thompson@bt.com> wrote:
>>
>> > Has no one raised a Jira ticket ?
>> >
>> > ----
>> > Dr. Simon Thompson
>> >
>> > ________________________________________
>> > From: Biswajit Nayak [biswajit.nayak@inmobi.com]
>> > Sent: 22 November 2013 19:45
>> > To: user@hive.apache.org
>> > Subject: Re: How to prevent user drop table in Hive metadata?
>> >
>> > Hi Echo,
>> >
>> > I dont think there is any to prevent this. I had the same concern in
>> hbase, but found out that it is assumed that user using the system are very
>> much aware of it.  I am into hive from last 3 months, was looking for some
>> kind of way here, but no luck till now..
>> >
>> > Thanks
>> > Biswa
>> >
>> > On 23 Nov 2013 01:06, "Echo Li" <echolql@gmail.com<mailto:
>> echolql@gmail.com>> wrote:
>> > Good Friday!
>> >
>> > I was trying to apply certain level of security in our hive data
>> warehouse, by modifying access mode of directories and files on hdfs to 755
>> I think it's good enough for a new user to remove data, however the user
>> still can drop the table definition in hive cli, seems the "revoke" doesn't
>> help much, is there any way to prevent this?
>> >
>> >
>> > Thanks,
>> > Echo
>> >
>> > _____________________________________________________________
>> > The information contained in this communication is intended solely for
>> the use of the individual or entity to whom it is addressed and others
>> authorized to receive it. It may contain confidential or legally privileged
>> information. If you are not the intended recipient you are hereby notified
>> that any disclosure, copying, distribution or taking any action in reliance
>> on the contents of this information is strictly prohibited and may be
>> unlawful. If you have received this communication in error, please notify
>> us immediately by responding to this email and then delete it from your
>> system. The firm is neither liable for the proper and complete transmission
>> of the information contained in this communication nor for any delay in its
>> receipt.
>>
>>
>> --
>> CONFIDENTIALITY NOTICE
>> NOTICE: This message is intended for the use of the individual or entity
>> to
>> which it is addressed and may contain information that is confidential,
>> privileged and exempt from disclosure under applicable law. If the reader
>> of this message is not the intended recipient, you are hereby notified
>> that
>> any printing, copying, dissemination, distribution, disclosure or
>> forwarding of this communication is strictly prohibited. If you have
>> received this communication in error, please contact the sender
>> immediately
>> and delete it from your system. Thank You.
>>
>
>

Re: How to prevent user drop table in Hive metadata?

[Shreepadma Venugopalan <sh...@apache.org>]

Apache Sentry (incubating) provides fine-grained role-based authorization
for Hive among other components of the Hadoop ecosystem. It currently
supports fully secure, fine-grained, role-based authorization for Hive and
can be used to prevent the scenario described earlier i.e., prevent a user
from dropping a table the user shouldn't be allowed to drop.

Shreepadma


On Fri, Nov 22, 2013 at 12:55 PM, <si...@bt.com> wrote:

> Thanks Alan - I'll fwd the spec in the Jira to some of our security and
> integrity people for comment.
>
> Simon
> ----
> Dr. Simon Thompson
>
> ________________________________________
> From: Alan Gates [gates@hortonworks.com]
> Sent: 22 November 2013 20:53
> To: user@hive.apache.org
> Subject: Re: How to prevent user drop table in Hive metadata?
>
> See https://issues.apache.org/jira/browse/HIVE-5837 for a JIRA addressing
> this.
>
> Also, you can use the StorageBasedAuthorizationProvider in Hive, which
> bases metadata security on file security.  So if the user doesn't have
> permissions to remove the directory that stores the table data, they won't
> have permissions to drop the table.  This isn't perfect, but it's a start.
>
> Alan.
>
> On Nov 22, 2013, at 11:49 AM, <si...@bt.com> <
> simon.2.thompson@bt.com> wrote:
>
> > Has no one raised a Jira ticket ?
> >
> > ----
> > Dr. Simon Thompson
> >
> > ________________________________________
> > From: Biswajit Nayak [biswajit.nayak@inmobi.com]
> > Sent: 22 November 2013 19:45
> > To: user@hive.apache.org
> > Subject: Re: How to prevent user drop table in Hive metadata?
> >
> > Hi Echo,
> >
> > I dont think there is any to prevent this. I had the same concern in
> hbase, but found out that it is assumed that user using the system are very
> much aware of it.  I am into hive from last 3 months, was looking for some
> kind of way here, but no luck till now..
> >
> > Thanks
> > Biswa
> >
> > On 23 Nov 2013 01:06, "Echo Li" <echolql@gmail.com<mailto:
> echolql@gmail.com>> wrote:
> > Good Friday!
> >
> > I was trying to apply certain level of security in our hive data
> warehouse, by modifying access mode of directories and files on hdfs to 755
> I think it's good enough for a new user to remove data, however the user
> still can drop the table definition in hive cli, seems the "revoke" doesn't
> help much, is there any way to prevent this?
> >
> >
> > Thanks,
> > Echo
> >
> > _____________________________________________________________
> > The information contained in this communication is intended solely for
> the use of the individual or entity to whom it is addressed and others
> authorized to receive it. It may contain confidential or legally privileged
> information. If you are not the intended recipient you are hereby notified
> that any disclosure, copying, distribution or taking any action in reliance
> on the contents of this information is strictly prohibited and may be
> unlawful. If you have received this communication in error, please notify
> us immediately by responding to this email and then delete it from your
> system. The firm is neither liable for the proper and complete transmission
> of the information contained in this communication nor for any delay in its
> receipt.
>
>
> --
> CONFIDENTIALITY NOTICE
> NOTICE: This message is intended for the use of the individual or entity to
> which it is addressed and may contain information that is confidential,
> privileged and exempt from disclosure under applicable law. If the reader
> of this message is not the intended recipient, you are hereby notified that
> any printing, copying, dissemination, distribution, disclosure or
> forwarding of this communication is strictly prohibited. If you have
> received this communication in error, please contact the sender immediately
> and delete it from your system. Thank You.
>

RE: How to prevent user drop table in Hive metadata?

[si...@bt.com]

Thanks Alan - I'll fwd the spec in the Jira to some of our security and integrity people for comment. 

Simon
----
Dr. Simon Thompson

________________________________________
From: Alan Gates [gates@hortonworks.com]
Sent: 22 November 2013 20:53
To: user@hive.apache.org
Subject: Re: How to prevent user drop table in Hive metadata?

See https://issues.apache.org/jira/browse/HIVE-5837 for a JIRA addressing this.

Also, you can use the StorageBasedAuthorizationProvider in Hive, which bases metadata security on file security.  So if the user doesn't have permissions to remove the directory that stores the table data, they won't have permissions to drop the table.  This isn't perfect, but it's a start.

Alan.

On Nov 22, 2013, at 11:49 AM, <si...@bt.com> <si...@bt.com> wrote:

> Has no one raised a Jira ticket ?
>
> ----
> Dr. Simon Thompson
>
> ________________________________________
> From: Biswajit Nayak [biswajit.nayak@inmobi.com]
> Sent: 22 November 2013 19:45
> To: user@hive.apache.org
> Subject: Re: How to prevent user drop table in Hive metadata?
>
> Hi Echo,
>
> I dont think there is any to prevent this. I had the same concern in hbase, but found out that it is assumed that user using the system are very much aware of it.  I am into hive from last 3 months, was looking for some kind of way here, but no luck till now..
>
> Thanks
> Biswa
>
> On 23 Nov 2013 01:06, "Echo Li" <ec...@gmail.com>> wrote:
> Good Friday!
>
> I was trying to apply certain level of security in our hive data warehouse, by modifying access mode of directories and files on hdfs to 755 I think it's good enough for a new user to remove data, however the user still can drop the table definition in hive cli, seems the "revoke" doesn't help much, is there any way to prevent this?
>
>
> Thanks,
> Echo
>
> _____________________________________________________________
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. The firm is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.


--
CONFIDENTIALITY NOTICE
NOTICE: This message is intended for the use of the individual or entity to
which it is addressed and may contain information that is confidential,
privileged and exempt from disclosure under applicable law. If the reader
of this message is not the intended recipient, you are hereby notified that
any printing, copying, dissemination, distribution, disclosure or
forwarding of this communication is strictly prohibited. If you have
received this communication in error, please contact the sender immediately
and delete it from your system. Thank You.

Re: How to prevent user drop table in Hive metadata?

[Alan Gates <ga...@hortonworks.com>]

See https://issues.apache.org/jira/browse/HIVE-5837 for a JIRA addressing this.  

Also, you can use the StorageBasedAuthorizationProvider in Hive, which bases metadata security on file security.  So if the user doesn't have permissions to remove the directory that stores the table data, they won't have permissions to drop the table.  This isn't perfect, but it's a start.

Alan.

On Nov 22, 2013, at 11:49 AM, <si...@bt.com> <si...@bt.com> wrote:

> Has no one raised a Jira ticket ? 
> 
> ----
> Dr. Simon Thompson
> 
> ________________________________________
> From: Biswajit Nayak [biswajit.nayak@inmobi.com]
> Sent: 22 November 2013 19:45
> To: user@hive.apache.org
> Subject: Re: How to prevent user drop table in Hive metadata?
> 
> Hi Echo,
> 
> I dont think there is any to prevent this. I had the same concern in hbase, but found out that it is assumed that user using the system are very much aware of it.  I am into hive from last 3 months, was looking for some kind of way here, but no luck till now..
> 
> Thanks
> Biswa
> 
> On 23 Nov 2013 01:06, "Echo Li" <ec...@gmail.com>> wrote:
> Good Friday!
> 
> I was trying to apply certain level of security in our hive data warehouse, by modifying access mode of directories and files on hdfs to 755 I think it's good enough for a new user to remove data, however the user still can drop the table definition in hive cli, seems the "revoke" doesn't help much, is there any way to prevent this?
> 
> 
> Thanks,
> Echo
> 
> _____________________________________________________________
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. The firm is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.


-- 
CONFIDENTIALITY NOTICE
NOTICE: This message is intended for the use of the individual or entity to 
which it is addressed and may contain information that is confidential, 
privileged and exempt from disclosure under applicable law. If the reader 
of this message is not the intended recipient, you are hereby notified that 
any printing, copying, dissemination, distribution, disclosure or 
forwarding of this communication is strictly prohibited. If you have 
received this communication in error, please contact the sender immediately 
and delete it from your system. Thank You.

RE: How to prevent user drop table in Hive metadata?

[Biswajit Nayak <bi...@inmobi.com>]

Dont think so..
On 23 Nov 2013 01:20, <si...@bt.com> wrote:

> Has no one raised a Jira ticket ?
>
> ----
> Dr. Simon Thompson
>
> ________________________________________
> From: Biswajit Nayak [biswajit.nayak@inmobi.com]
> Sent: 22 November 2013 19:45
> To: user@hive.apache.org
> Subject: Re: How to prevent user drop table in Hive metadata?
>
> Hi Echo,
>
> I dont think there is any to prevent this. I had the same concern in
> hbase, but found out that it is assumed that user using the system are very
> much aware of it.  I am into hive from last 3 months, was looking for some
> kind of way here, but no luck till now..
>
> Thanks
> Biswa
>
> On 23 Nov 2013 01:06, "Echo Li" <echolql@gmail.com<mailto:
> echolql@gmail.com>> wrote:
> Good Friday!
>
> I was trying to apply certain level of security in our hive data
> warehouse, by modifying access mode of directories and files on hdfs to 755
> I think it's good enough for a new user to remove data, however the user
> still can drop the table definition in hive cli, seems the "revoke" doesn't
> help much, is there any way to prevent this?
>
>
> Thanks,
> Echo
>
> _____________________________________________________________
> The information contained in this communication is intended solely for the
> use of the individual or entity to whom it is addressed and others
> authorized to receive it. It may contain confidential or legally privileged
> information. If you are not the intended recipient you are hereby notified
> that any disclosure, copying, distribution or taking any action in reliance
> on the contents of this information is strictly prohibited and may be
> unlawful. If you have received this communication in error, please notify
> us immediately by responding to this email and then delete it from your
> system. The firm is neither liable for the proper and complete transmission
> of the information contained in this communication nor for any delay in its
> receipt.
>

-- 
_____________________________________________________________
The information contained in this communication is intended solely for the 
use of the individual or entity to whom it is addressed and others 
authorized to receive it. It may contain confidential or legally privileged 
information. If you are not the intended recipient you are hereby notified 
that any disclosure, copying, distribution or taking any action in reliance 
on the contents of this information is strictly prohibited and may be 
unlawful. If you have received this communication in error, please notify 
us immediately by responding to this email and then delete it from your 
system. The firm is neither liable for the proper and complete transmission 
of the information contained in this communication nor for any delay in its 
receipt.

RE: How to prevent user drop table in Hive metadata?

[si...@bt.com]

Has no one raised a Jira ticket ? 

----
Dr. Simon Thompson

________________________________________
From: Biswajit Nayak [biswajit.nayak@inmobi.com]
Sent: 22 November 2013 19:45
To: user@hive.apache.org
Subject: Re: How to prevent user drop table in Hive metadata?

Hi Echo,

I dont think there is any to prevent this. I had the same concern in hbase, but found out that it is assumed that user using the system are very much aware of it.  I am into hive from last 3 months, was looking for some kind of way here, but no luck till now..

Thanks
Biswa

On 23 Nov 2013 01:06, "Echo Li" <ec...@gmail.com>> wrote:
Good Friday!

I was trying to apply certain level of security in our hive data warehouse, by modifying access mode of directories and files on hdfs to 755 I think it's good enough for a new user to remove data, however the user still can drop the table definition in hive cli, seems the "revoke" doesn't help much, is there any way to prevent this?


Thanks,
Echo

_____________________________________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. The firm is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.

Re: How to prevent user drop table in Hive metadata?

[Biswajit Nayak <bi...@inmobi.com>]

Hi Echo,

I dont think there is any to prevent this. I had the same concern in hbase,
but found out that it is assumed that user using the system are very much
aware of it.  I am into hive from last 3 months, was looking for some kind
of way here, but no luck till now..

Thanks
Biswa
On 23 Nov 2013 01:06, "Echo Li" <ec...@gmail.com> wrote:

> Good Friday!
>
> I was trying to apply certain level of security in our hive data
> warehouse, by modifying access mode of directories and files on hdfs to 755
> I think it's good enough for a new user to remove data, however the user
> still can drop the table definition in hive cli, seems the "revoke" doesn't
> help much, is there any way to prevent this?
>
>
> Thanks,
> Echo
>

-- 
_____________________________________________________________
The information contained in this communication is intended solely for the 
use of the individual or entity to whom it is addressed and others 
authorized to receive it. It may contain confidential or legally privileged 
information. If you are not the intended recipient you are hereby notified 
that any disclosure, copying, distribution or taking any action in reliance 
on the contents of this information is strictly prohibited and may be 
unlawful. If you have received this communication in error, please notify 
us immediately by responding to this email and then delete it from your 
system. The firm is neither liable for the proper and complete transmission 
of the information contained in this communication nor for any delay in its 
receipt.

Re: How to prevent user drop table in Hive metadata?

[Richard Nadeau <st...@gmail.com>]

You can use: ALTER TABLE {table_name} ENABLE NO_DROP;

And it will keep a user from dropping the table - but it can be over ridden.

Rick
On Nov 22, 2013 12:36 PM, "Echo Li" <ec...@gmail.com> wrote:

> Good Friday!
>
> I was trying to apply certain level of security in our hive data
> warehouse, by modifying access mode of directories and files on hdfs to 755
> I think it's good enough for a new user to remove data, however the user
> still can drop the table definition in hive cli, seems the "revoke" doesn't
> help much, is there any way to prevent this?
>
>
> Thanks,
> Echo
>

Re: How to prevent user drop table in Hive metadata?

[Jov <zh...@gmail.com>]

you can hack the meta database，eg create a triger on the TBLS which do some
check and return error when delete from this table

jov
在 2013-11-23 上午3:36，"Echo Li" <ec...@gmail.com>写道：

> Good Friday!
>
> I was trying to apply certain level of security in our hive data
> warehouse, by modifying access mode of directories and files on hdfs to 755
> I think it's good enough for a new user to remove data, however the user
> still can drop the table definition in hive cli, seems the "revoke" doesn't
> help much, is there any way to prevent this?
>
>
> Thanks,
> Echo
>