You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by "Srimanth Gunturi (JIRA)" <ji...@apache.org> on 2015/05/31 21:03:17 UTC

[jira] [Commented] (AMBARI-11575) hive-site.xml property "hive.security.metastore.authorization.manager" becomes invalid when switching values in "Choose Authorization" widget

    [ https://issues.apache.org/jira/browse/AMBARI-11575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14566683#comment-14566683 ] 

Srimanth Gunturi commented on AMBARI-11575:
-------------------------------------------

{noformat}
Default value of hive.security.metastore.authorization.manager should be org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider
When authorization=SQLStdAuth, it should append “,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly”
When authorization = none or ranger, it should not have that additional string - “,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly”
{noformat}

h2. With the default of None, is selected, the following values should change

h3. in *hive-site.xml*

hive.security.authorization.manager = org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory (this makes it easier for them to migrate to sql standard authorization, if they choose to do that later)
hive.security.authorization.enabled=false

h3. in *hiveserver2-site.xml*

remove the following values from config (or set them to empty if removing is not easy to do, if value of empty, the default value would still get used)
hive.security.authorization.manager
hive.security.authorization.enabled
hive.security.authenticator.manager


h2. When SQLStdAuth is selected, the following values should change:

h3. hive-site.xml :

Prompt the user to fill out values for hive.users.in.admin.role (SQL Standard authorization admin privilege users) (Its OK if they choose to not enter it).
hive.server2.enable.doAs=false
in hive.security.metastore.authorization.manager , append org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly (mentioned in line 41 in the spreadsheet)
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory.

in hiveserver2-site.xml:
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
hive.security.authorization.enabled=true
hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator

h2. When Ranger is selected.
To enable Ranger authorization, following HiveServer2 properties must be set:

hiveserver2-site.xml:
  hive.security.authorization.enabled=true
  hive.security.authorization.manager=org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory
  hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator

Please note that the ranger-hive-plugin setup script (enable-hive-plugin.sh) does more than just updating above properties - for example, it sets up configuration for the ranger-hive-plugin (ranger-admin URL, repo/service name, audit destinations, etc).

> hive-site.xml property "hive.security.metastore.authorization.manager" becomes invalid when switching values in "Choose Authorization" widget
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-11575
>                 URL: https://issues.apache.org/jira/browse/AMBARI-11575
>             Project: Ambari
>          Issue Type: Bug
>          Components: contrib
>    Affects Versions: 2.1.0
>            Reporter: Srimanth Gunturi
>            Assignee: Srimanth Gunturi
>             Fix For: 2.1.0
>
>
> When the value on the widget "Choose Authorization" is switched from "None" to "SQLStdAuth" the property "hive.security.metastore.authorization.manager" value switches to ",org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly" the string before the "," disappears which is invalid. The correct value should be "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly".



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)