You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@hive.apache.org by Rob Anderson <ro...@gmail.com> on 2017/05/09 21:59:47 UTC

SQL Standard Based Hive Authorization with CDH 5.X

Has anyone implemented SQL Standard Based Hive Authorization with CDH 5.5.2
(hive1.1.0)?

Cloudera has confirmed that it's not supported, but I have a need that
requires the implementation.

I've followed: https://cwiki.apache.org/confluence/display/Hive/SQL+
Standard+Based+Hive+Authorization

I've added the following to "HiveServer2 Advanced Configuration Snippet
(Safety Valve) for hive-site.xml" via Cloudera Manager.

<property>

<name>hive.server2.enable.doAs</name>

<value>false</value>

</property>

<property>

<name>hive.users.in.admin.role</name>

<value>oozie_runtime,hive,randerson</value>

</property>

<property>

<name>hive.security.metastore.authorization.manager</name>

<value>org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>

</property>

<property>

<name>hive.security.authorization.manager</name>

<value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory</value>

</property>

<property>

<name>hive.security.authorization.task.factory</name>

<value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>

</property>


I've tried adding the following start up options to "HiveServer2
Environment Advanced Configuration Snippet (Safety Valve)" via Cloudera
Manager.

   - -hiveconf hive.security.authorization.manager=org.apache.hadoop.
   hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory


   - -hiveconf hive.security.authorization.enabled=true
   - -hiveconf hive.security.authenticator.manager=org.apache.hadoop.
   hive.ql.security.SessionStateUserAuthenticator
   - -hiveconf hive.metastore.uris=' '


I get the following error:

Could not parse: HiveServer2 Environment Advanced Configuration Snippet
(Safety Valve) : Could not parse parameter 'hive_hs2_env_safety_valve'. Was
expecting: valid variable name. Input: -hiveconf hive
.security.authorization.manager=org.apache.hadoop.hive
.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory -hiveconf
hive.security.authorization.enabled=true -hiveconf hive
.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
-hiveconf hive.metastore.uris=' '

So, in short - I'm not sure how to start hiveserver2 with those options.
Any help you can offer is appreciated.

Thanks,

Rob

Re: SQL Standard Based Hive Authorization with CDH 5.X

Posted by Thejas Nair <th...@gmail.com>.

You can also set them via hiveserver2-site.xml instead of passing them as
commandline params.
Let me make that more clear in the doc.

On Thu, May 11, 2017 at 9:36 AM, Rob Anderson <ro...@gmail.com>
wrote:

> You add the options to HiveServer2 Environment Advanced Configuration
> Snippet (Safety Valve) via:
>
> HIVE_OPTS=--hiveconf hive.security.authorization.
> manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
> --hiveconf hive.security.authorization.enabled=true --hiveconf
> hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
> --hiveconf hive.metastore.uris='thrift://XXXXXX:9083'
>
> Works fine.
>
> Rob
>
> On Tue, May 9, 2017 at 3:59 PM, Rob Anderson <ro...@gmail.com>
> wrote:
>
>> Has anyone implemented SQL Standard Based Hive Authorization with CDH
>> 5.5.2 (hive1.1.0)?
>>
>> Cloudera has confirmed that it's not supported, but I have a need that
>> requires the implementation.
>>
>> I've followed: https://cwiki.apache.org/confl
>> uence/display/Hive/SQL+Standard+Based+Hive+Authorization
>>
>> I've added the following to "HiveServer2 Advanced Configuration Snippet
>> (Safety Valve) for hive-site.xml" via Cloudera Manager.
>>
>> <property>
>>
>> <name>hive.server2.enable.doAs</name>
>>
>> <value>false</value>
>>
>> </property>
>>
>> <property>
>>
>> <name>hive.users.in.admin.role</name>
>>
>> <value>oozie_runtime,hive,randerson</value>
>>
>> </property>
>>
>> <property>
>>
>> <name>hive.security.metastore.authorization.manager</name>
>>
>> <value>org.apache.hadoop.hive.ql.security.authorization.Meta
>> StoreAuthzAPIAuthorizerEmbedOnly</value>
>>
>> </property>
>>
>> <property>
>>
>> <name>hive.security.authorization.manager</name>
>>
>> <value>org.apache.hadoop.hive.ql.security.authorization.plug
>> in.sqlstd.SQLStdConfOnlyAuthorizerFactory</value>
>>
>> </property>
>>
>> <property>
>>
>> <name>hive.security.authorization.task.factory</name>
>>
>> <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAut
>> horizationTaskFactoryImpl</value>
>>
>> </property>
>>
>>
>> I've tried adding the following start up options to "HiveServer2
>> Environment Advanced Configuration Snippet (Safety Valve)" via Cloudera
>> Manager.
>>
>>    - -hiveconf hive.security.authorization.ma
>>    nager=org.apache.hadoop.hive.ql.security.authorization.plugi
>>    n.sqlstd.SQLStdHiveAuthorizerFactory
>>
>>
>>    - -hiveconf hive.security.authorization.enabled=true
>>    - -hiveconf hive.security.authenticator.ma
>>    nager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
>>    - -hiveconf hive.metastore.uris=' '
>>
>>
>> I get the following error:
>>
>> Could not parse: HiveServer2 Environment Advanced Configuration Snippet
>> (Safety Valve) : Could not parse parameter 'hive_hs2_env_safety_valve'.
>> Was expecting: valid variable name. Input: -hiveconf hive.
>> security.authorization.manager=org.apache.hadoop.hive.q
>> l.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory -hiveconf
>> hive.security.authorization.enabled=true -hiveconf hive.
>> security.authenticator.manager=org.apache.hadoop.hive.q
>> l.security.SessionStateUserAuthenticator -hiveconf hive.metastore.uris='
>> '
>>
>> So, in short - I'm not sure how to start hiveserver2 with those options.
>> Any help you can offer is appreciated.
>>
>> Thanks,
>>
>> Rob
>>
>>
>>
>>
>>
>>
>>
>>
>>
>

Re: SQL Standard Based Hive Authorization with CDH 5.X

Posted by Rob Anderson <ro...@gmail.com>.

You add the options to HiveServer2 Environment Advanced Configuration
Snippet (Safety Valve) via:

HIVE_OPTS=--hiveconf
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
--hiveconf hive.security.authorization.enabled=true --hiveconf
hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
--hiveconf hive.metastore.uris='thrift://XXXXXX:9083'

Works fine.

Rob

On Tue, May 9, 2017 at 3:59 PM, Rob Anderson <ro...@gmail.com>
wrote:

> Has anyone implemented SQL Standard Based Hive Authorization with CDH
> 5.5.2 (hive1.1.0)?
>
> Cloudera has confirmed that it's not supported, but I have a need that
> requires the implementation.
>
> I've followed: https://cwiki.apache.org/confl
> uence/display/Hive/SQL+Standard+Based+Hive+Authorization
>
> I've added the following to "HiveServer2 Advanced Configuration Snippet
> (Safety Valve) for hive-site.xml" via Cloudera Manager.
>
> <property>
>
> <name>hive.server2.enable.doAs</name>
>
> <value>false</value>
>
> </property>
>
> <property>
>
> <name>hive.users.in.admin.role</name>
>
> <value>oozie_runtime,hive,randerson</value>
>
> </property>
>
> <property>
>
> <name>hive.security.metastore.authorization.manager</name>
>
> <value>org.apache.hadoop.hive.ql.security.authorization.
> MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
>
> </property>
>
> <property>
>
> <name>hive.security.authorization.manager</name>
>
> <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.
> SQLStdConfOnlyAuthorizerFactory</value>
>
> </property>
>
> <property>
>
> <name>hive.security.authorization.task.factory</name>
>
> <value>org.apache.hadoop.hive.ql.parse.authorization.
> HiveAuthorizationTaskFactoryImpl</value>
>
> </property>
>
>
> I've tried adding the following start up options to "HiveServer2
> Environment Advanced Configuration Snippet (Safety Valve)" via Cloudera
> Manager.
>
>    - -hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.
>    ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
>
>
>    - -hiveconf hive.security.authorization.enabled=true
>    - -hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.
>    ql.security.SessionStateUserAuthenticator
>    - -hiveconf hive.metastore.uris=' '
>
>
> I get the following error:
>
> Could not parse: HiveServer2 Environment Advanced Configuration Snippet
> (Safety Valve) : Could not parse parameter 'hive_hs2_env_safety_valve'.
> Was expecting: valid variable name. Input: -hiveconf hive.
> security.authorization.manager=org.apache.hadoop.hive.
> ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory -hiveconf
> hive.security.authorization.enabled=true -hiveconf hive.
> security.authenticator.manager=org.apache.hadoop.hive.
> ql.security.SessionStateUserAuthenticator -hiveconf hive.metastore.uris='
> '
>
> So, in short - I'm not sure how to start hiveserver2 with those options.
> Any help you can offer is appreciated.
>
> Thanks,
>
> Rob
>
>
>
>
>
>
>
>
>