You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@hive.apache.org by Patrick Luo <lu...@trulia.com> on 2012/05/18 20:47:29 UTC

Is there a way to create user account and grant read only permissions?

My use case requires individual accounts for business users groups. Is there a way to mimic MySQL (or other database) to create users with read-only permissions? This avoid business user accidental table drop. Metastore has table ROLES but don’t see documentation on that. Much appreciated if anyone can point to the documentation or share your thoughts on this?

- Patrick

Re: Is there a way to create user account and grant read only permissions?

Posted by Ranjith <ra...@gmail.com>.
How are others setting up hive for use in production? I guess my real question how are many of us getting around these security gaps?

Thanks,
Ranjith

On May 19, 2012, at 12:05 AM, Bejoy Ks <be...@yahoo.com> wrote:

> Hi Ranjith
> 
>      AFAIK Segmenting tables into databases won't help much as, again the Authorization issues would pop out. An user himself may be able to grant rights to access another db. Different metastores is an option, but again maintaining all of them is still a hassle, still you can do it. The fair solution is only on its way. :)
> 
> Regards
> Bejoy  
> 
> From: Ranjith <ra...@gmail.com>
> To: "user@hive.apache.org" <us...@hive.apache.org> 
> Cc: "user@hive.apache.org" <us...@hive.apache.org> 
> Sent: Saturday, May 19, 2012 9:53 AM
> Subject: Re: Is there a way to create user account and grant read only permissions?
> 
> Is separate metastores and separate hive servers the only way to go here? Or can we segment tables into databases and then use hive authorization.
> 
> Thanks,
> Ranjith
> 
> On May 18, 2012, at 11:08 PM, "Bejoy KS" <be...@yahoo.com> wrote:
> 
>> Hi patrick
>> The Authorization mechanisms in hive are not as solid as other RDBMS. A user can grant himself rights and can then drop a table or do whatever operations he likes to do. There is no super user(admin) and sub user concept in hive yet, but the community is having plans to implement that in future with strong Authorization mechanisms. 
>> Saying this if the business users are guaranteed not to play with GRANT statements or rather not change permissions themselves, (But it is hard to guarantee this when the no of users are large :) ) hive can satisfy your requirement.
>> Regards
>> Bejoy KS
>> 
>> Sent from handheld, please excuse typos.
>> From: "Raghunath, Ranjith" <Ra...@usaa.com>
>> Date: Sat, 19 May 2012 00:54:36 +0000
>> To: user@hive.apache.org<us...@hive.apache.org>
>> ReplyTo: user@hive.apache.org
>> Subject: RE: Is there a way to create user account and grant read only permissions?
>> 
>> Take a look at this, https://cwiki.apache.org/Hive/languagemanual-auth.html. This may be what you are looking for .
>>  
>> From: shashwat shriparv [mailto:dwivedishashwat@gmail.com] 
>> Sent: Friday, May 18, 2012 3:08 PM
>> To: user@hive.apache.org
>> Subject: Re: Is there a way to create user account and grant read only permissions?
>>  
>> Check out this
>>  
>> https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration 
>> On Sat, May 19, 2012 at 12:17 AM, Patrick Luo <lu...@trulia.com> wrote:
>> My use case requires individual accounts for business users groups. Is there a way to mimic MySQL (or other database) to create users with read-only permissions? This avoid business user accidental table drop. Metastore has table ROLES but don’t see documentation on that. Much appreciated if anyone can point to the documentation or share your thoughts on this? 
>>  
>> - Patrick 
>>  
>>  
>> 
>> 
>>  
>> -- 
>>            
>> ∞
>> Shashwat Shriparv
>>  
>>  
> 
>

Re: Is there a way to create user account and grant read only permissions?

Posted by Bejoy Ks <be...@yahoo.com>.
Hi Ranjith

     AFAIK Segmenting tables into databases won't help much as, again the Authorization issues would pop out. An user himself may be able to grant rights to access another db. Different metastores is an option, but again maintaining all of them is still a hassle, still you can do it. The fair solution is only on its way. :)

Regards
Bejoy  


________________________________
 From: Ranjith <ra...@gmail.com>
To: "user@hive.apache.org" <us...@hive.apache.org> 
Cc: "user@hive.apache.org" <us...@hive.apache.org> 
Sent: Saturday, May 19, 2012 9:53 AM
Subject: Re: Is there a way to create user account and grant read only permissions?
 

Is separate metastores and separate hive servers the only way to go here? Or can we segment tables into databases and then use hive authorization.

Thanks,
Ranjith

On May 18, 2012, at 11:08 PM, "Bejoy KS" <be...@yahoo.com> wrote:


 Hi patrick
>The Authorization mechanisms in hive are not as solid as other RDBMS. A user can grant himself rights and can then drop a table or do whatever operations he likes to do. There is no super user(admin) and sub user concept in hive yet, but the community is having plans to implement that in future with strong Authorization mechanisms. 
>Saying this if the business users are guaranteed not to play with GRANT statements or rather not change permissions themselves, (But it is hard to guarantee this when the no of users are large :) ) hive can satisfy your requirement.
>
>Regards
>Bejoy KS
>
>Sent from handheld, please excuse typos.
>________________________________
>
>From:  "Raghunath, Ranjith" <Ra...@usaa.com> 
>Date: Sat, 19 May 2012 00:54:36 +0000
>To: user@hive.apache.org<us...@hive.apache.org>
>ReplyTo:  user@hive.apache.org 
>Subject: RE: Is there a way to create user account and grant read only permissions?
>
>
>Take a look at this, https://cwiki.apache.org/Hive/languagemanual-auth.html. This may be what you are looking for .
> 
>From:shashwat shriparv [mailto:dwivedishashwat@gmail.com] 
>Sent: Friday, May 18, 2012 3:08 PM
>To: user@hive.apache.org
>Subject: Re: Is there a way to create user account and grant read only permissions?
> 
>Check out this
> 
>https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration 
>On Sat, May 19, 2012 at 12:17 AM, Patrick Luo <lu...@trulia.com> wrote:
>My use case requires individual accounts for business users groups. Is there a way to mimic MySQL (or other database) to create users with read-only permissions? This avoid business user accidental table drop. Metastore has table ROLES but don’t see documentation on that. Much appreciated if anyone can point to the documentation or share your thoughts on this? 
> 
>- Patrick 
> 
> 
>
>
>
> 
>-- 
>            
>∞
>Shashwat Shriparv
> 
> 

Re: Is there a way to create user account and grant read only permissions?

Posted by Ranjith <ra...@gmail.com>.
Is separate metastores and separate hive servers the only way to go here? Or can we segment tables into databases and then use hive authorization.

Thanks,
Ranjith

On May 18, 2012, at 11:08 PM, "Bejoy KS" <be...@yahoo.com> wrote:

> Hi patrick
> The Authorization mechanisms in hive are not as solid as other RDBMS. A user can grant himself rights and can then drop a table or do whatever operations he likes to do. There is no super user(admin) and sub user concept in hive yet, but the community is having plans to implement that in future with strong Authorization mechanisms. 
> Saying this if the business users are guaranteed not to play with GRANT statements or rather not change permissions themselves, (But it is hard to guarantee this when the no of users are large :) ) hive can satisfy your requirement.
> Regards
> Bejoy KS
> 
> Sent from handheld, please excuse typos.
> From: "Raghunath, Ranjith" <Ra...@usaa.com>
> Date: Sat, 19 May 2012 00:54:36 +0000
> To: user@hive.apache.org<us...@hive.apache.org>
> ReplyTo: user@hive.apache.org
> Subject: RE: Is there a way to create user account and grant read only permissions?
> 
> Take a look at this, https://cwiki.apache.org/Hive/languagemanual-auth.html. This may be what you are looking for .
>  
> From: shashwat shriparv [mailto:dwivedishashwat@gmail.com] 
> Sent: Friday, May 18, 2012 3:08 PM
> To: user@hive.apache.org
> Subject: Re: Is there a way to create user account and grant read only permissions?
>  
> Check out this
>  
> https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration 
> 
> On Sat, May 19, 2012 at 12:17 AM, Patrick Luo <lu...@trulia.com> wrote:
> My use case requires individual accounts for business users groups. Is there a way to mimic MySQL (or other database) to create users with read-only permissions? This avoid business user accidental table drop. Metastore has table ROLES but don’t see documentation on that. Much appreciated if anyone can point to the documentation or share your thoughts on this? 
>  
> - Patrick 
>  
>  
> 
> 
>  
> -- 
>            
> ∞
> Shashwat Shriparv
>  
>

Re: Is there a way to create user account and grant read only permissions?

Posted by Patrick Luo <lu...@trulia.com>.
Thanks KS and others for thoughts and ideas.

I found an ok alternative may benefit others in the same situation. The reason for users account is mainly for business users. HUE is the GUI interface we deployed for non-technical users. User need account to access HUE which is the gateway for HIVE. It's not a perfect solution because user still can drop any table. Maybe can tighten the hdfs file permission with read-only. Need to test on that.

-Patrick

From: Bejoy KS <be...@yahoo.com>>
Reply-To: "user@hive.apache.org<ma...@hive.apache.org>" <us...@hive.apache.org>>, "bejoy_ks@yahoo.com<ma...@yahoo.com>" <be...@yahoo.com>>
Date: Friday, May 18, 2012 9:08 PM
To: "user@hive.apache.org<ma...@hive.apache.org>" <us...@hive.apache.org>>
Subject: Re: Is there a way to create user account and grant read only permissions?

Hi patrick
The Authorization mechanisms in hive are not as solid as other RDBMS. A user can grant himself rights and can then drop a table or do whatever operations he likes to do. There is no super user(admin) and sub user concept in hive yet, but the community is having plans to implement that in future with strong Authorization mechanisms.
Saying this if the business users are guaranteed not to play with GRANT statements or rather not change permissions themselves, (But it is hard to guarantee this when the no of users are large :) ) hive can satisfy your requirement.
Regards
Bejoy KS

Sent from handheld, please excuse typos.
________________________________
From: "Raghunath, Ranjith" <Ra...@usaa.com>>
Date: Sat, 19 May 2012 00:54:36 +0000
To: user@hive.apache.org<ma...@hive.apache.org>>
ReplyTo: user@hive.apache.org<ma...@hive.apache.org>
Subject: RE: Is there a way to create user account and grant read only permissions?

Take a look at this, https://cwiki.apache.org/Hive/languagemanual-auth.html. This may be what you are looking for .

From: shashwat shriparv [mailto:dwivedishashwat@gmail.com]
Sent: Friday, May 18, 2012 3:08 PM
To: user@hive.apache.org<ma...@hive.apache.org>
Subject: Re: Is there a way to create user account and grant read only permissions?

Check out this

https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration
On Sat, May 19, 2012 at 12:17 AM, Patrick Luo <lu...@trulia.com>> wrote:
My use case requires individual accounts for business users groups. Is there a way to mimic MySQL (or other database) to create users with read-only permissions? This avoid business user accidental table drop. Metastore has table ROLES but don’t see documentation on that. Much appreciated if anyone can point to the documentation or share your thoughts on this?

- Patrick





--


∞
Shashwat Shriparv

Re: Is there a way to create user account and grant read only permissions?

Posted by Bejoy KS <be...@yahoo.com>.
Hi patrick
      The Authorization mechanisms in hive are not as solid as other RDBMS. A user can grant himself rights and can then drop a table or do whatever operations he likes to do. There is no super user(admin) and sub user concept in hive yet, but the community is having plans to implement that in future with strong Authorization mechanisms. 
Saying this if the business users are guaranteed not to play with GRANT statements or rather not change permissions themselves, (But it is hard to guarantee this when the no of users are large :) ) hive can satisfy your requirement.

Regards
Bejoy KS

Sent from handheld, please excuse typos.

-----Original Message-----
From: "Raghunath, Ranjith" <Ra...@usaa.com>
Date: Sat, 19 May 2012 00:54:36 
To: user@hive.apache.org<us...@hive.apache.org>
Reply-To: user@hive.apache.org
Subject: RE: Is there a way to create user account and grant read only
 permissions?

Take a look at this, https://cwiki.apache.org/Hive/languagemanual-auth.html. This may be what you are looking for .

From: shashwat shriparv [mailto:dwivedishashwat@gmail.com]
Sent: Friday, May 18, 2012 3:08 PM
To: user@hive.apache.org
Subject: Re: Is there a way to create user account and grant read only permissions?

Check out this

https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration
On Sat, May 19, 2012 at 12:17 AM, Patrick Luo <lu...@trulia.com>> wrote:
My use case requires individual accounts for business users groups. Is there a way to mimic MySQL (or other database) to create users with read-only permissions? This avoid business user accidental table drop. Metastore has table ROLES but don’t see documentation on that. Much appreciated if anyone can point to the documentation or share your thoughts on this?

- Patrick





--


∞
Shashwat Shriparv

RE: Is there a way to create user account and grant read only permissions?

Posted by "Raghunath, Ranjith" <Ra...@usaa.com>.
Take a look at this, https://cwiki.apache.org/Hive/languagemanual-auth.html. This may be what you are looking for .

From: shashwat shriparv [mailto:dwivedishashwat@gmail.com]
Sent: Friday, May 18, 2012 3:08 PM
To: user@hive.apache.org
Subject: Re: Is there a way to create user account and grant read only permissions?

Check out this

https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration
On Sat, May 19, 2012 at 12:17 AM, Patrick Luo <lu...@trulia.com>> wrote:
My use case requires individual accounts for business users groups. Is there a way to mimic MySQL (or other database) to create users with read-only permissions? This avoid business user accidental table drop. Metastore has table ROLES but don’t see documentation on that. Much appreciated if anyone can point to the documentation or share your thoughts on this?

- Patrick





--


∞
Shashwat Shriparv

Re: Is there a way to create user account and grant read only permissions?

Posted by shashwat shriparv <dw...@gmail.com>.
Check out this

https://ccp.cloudera.com/display/CDHDOC/Hive+Security+Configuration

On Sat, May 19, 2012 at 12:17 AM, Patrick Luo <lu...@trulia.com> wrote:

>  My use case requires individual accounts for business users groups. Is
> there a way to mimic MySQL (or other database) to create users with
> read-only permissions? This avoid business user accidental table drop.
> Metastore has table ROLES but don’t see documentation on that. Much
> appreciated if anyone can point to the documentation or share your thoughts
> on this?
>
>  - Patrick
>
>
>


-- 


∞
Shashwat Shriparv