Posted to user@hive.apache.org by Austin Chungath <au...@gmail.com> on 2013/05/10 10:19:37 UTC

Who is the hive admin user?

Hi all,

This seems silly but I couldn't get any reliable information even after a
few minutes of googling.
If I am creating user roles and groups in hive, which user should I be
doing it with?

Is there some configuration in hive-site.xml which sets a user as hive
admin?

Right now I see that any user can create user roles and groups or am I
missing something?

I am using the following link as reference
https://cwiki.apache.org/Hive/languagemanual-auth.html

Thanks,
Austin

Re: Who is the hive admin user?

Posted by Austin Chungath <au...@gmail.com>.
Thanks a lot Owen & Lefty. Sorry for the late reply, got a bit busy during
the weekend.

So... what I understand is:
1. To enable security in Hive you need a minimum of Hive 0.10 and Kerberos
enabled.
2. The best option is to protect the HDFS directories that the data is
stored in.
3. The user roles in Hive are advisory only. Everyone is an admin so anyone
can grant anyone additional permissions. But since permissions on the HDFS
dir can't be changed by any user, the data will be secure.

Will everyone being an admin be changed in a future version of Hive? Is it
difficult to implement? I guess it will be more helpful if there was a
single or a group of predefined admins.

Thanks,
Austin




On Sat, May 11, 2013 at 12:50 AM, Lefty Leverenz <le...@hortonworks.com> wrote:

> Hive 0.10's metastore server security is documented in the revised
> Authorization wiki, which your link didn't go to because the name had been
> changed from "auth" to "Authorization" (sorry about that):
> https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization
> .
>
> The jira is HIVE-3705 <https://issues.apache.org/jira/browse/HIVE-3705>.
>
> – Lefty
>
>
>
> On Fri, May 10, 2013 at 8:24 AM, Owen O'Malley <om...@apache.org> wrote:
>
>> Unfortunately, the roles in Hive are advisory only. Effectively everyone
>> is an admin who can grant anyone (including themselves) additional
>> permissions.
>>
>> If you need security, the best option is to protect the HDFS directories
>> that the data is stored in. Set the HDFS owner, group, and permissions so
>> that the users have read/write permission as desired. Don't forget to set
>> things at both the database directory and table directory levels.
>>
>> Then you need to configure hive.security.metastore.authorization.manager
>> with org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,
>> which uses HDFS permissions to control access to databases and tables.
>>
>> By setting it up this way, the HDFS permissions will be enforced by the
>> NameNode and keep each group from reading each other's data. The metastore
>> will use the same HDFS permissions to prevent access to the other groups'
>> databases' metadata.
>>
>> Of course, all of this assumes you have Kerberos turned on for your
>> Hadoop cluster. It also requires a minimum of Hive 0.10.
>>
>> Hope it helps,
>>    Owen
>>
>>
>> On Fri, May 10, 2013 at 1:19 AM, Austin Chungath <au...@gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> This seems silly but I couldn't get any reliable information even after
>>> a few minutes of googling.
>>> If I am creating user roles and groups in hive, which user should I be
>>> doing it with?
>>>
>>> Is there some configuration in hive-site.xml which sets a user as hive
>>> admin?
>>>
>>> Right now I see that any user can create user roles and groups or am I
>>> missing something?
>>>
>>> I am using the following link as reference
>>> https://cwiki.apache.org/Hive/languagemanual-auth.html
>>>
>>> Thanks,
>>> Austin
>>>
>>
>>
>

Re: Who is the hive admin user?

Posted by Lefty Leverenz <le...@hortonworks.com>.
Hive 0.10's metastore server security is documented in the revised
Authorization wiki, which your link didn't go to because the name had been
changed from "auth" to "Authorization" (sorry about that):
https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization
.

The jira is HIVE-3705 <https://issues.apache.org/jira/browse/HIVE-3705>.

– Lefty



On Fri, May 10, 2013 at 8:24 AM, Owen O'Malley <om...@apache.org> wrote:

> Unfortunately, the roles in Hive are advisory only. Effectively everyone
> is an admin who can grant anyone (including themselves) additional
> permissions.
>
> If you need security, the best option is to protect the HDFS directories
> that the data is stored in. Set the HDFS owner, group, and permissions so
> that the users have read/write permission as desired. Don't forget to set
> things at both the database directory and table directory levels.
>
> Then you need to configure hive.security.metastore.authorization.manager
> with org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,
> which uses HDFS permissions to control access to databases and tables.
>
> By setting it up this way, the HDFS permissions will be enforced by the
> NameNode and keep each group from reading each other's data. The metastore
> will use the same HDFS permissions to prevent access to the other groups'
> databases' metadata.
>
> Of course, all of this assumes you have Kerberos turned on for your Hadoop
> cluster. It also requires a minimum of Hive 0.10.
>
> Hope it helps,
>    Owen
>
>
> On Fri, May 10, 2013 at 1:19 AM, Austin Chungath <au...@gmail.com> wrote:
>
>> Hi all,
>>
>> This seems silly but I couldn't get any reliable information even after a
>> few minutes of googling.
>> If I am creating user roles and groups in hive, which user should I be
>> doing it with?
>>
>> Is there some configuration in hive-site.xml which sets a user as hive
>> admin?
>>
>> Right now I see that any user can create user roles and groups or am I
>> missing something?
>>
>> I am using the following link as reference
>> https://cwiki.apache.org/Hive/languagemanual-auth.html
>>
>> Thanks,
>> Austin
>>
>
>

Re: Who is the hive admin user?

Posted by Owen O'Malley <om...@apache.org>.
Unfortunately, the roles in Hive are advisory only. Effectively everyone is
an admin who can grant anyone (including themselves) additional permissions.

If you need security, the best option is to protect the HDFS directories
that the data is stored in. Set the HDFS owner, group, and permissions so
that the users have read/write permission as desired. Don't forget to set
things at both the database directory and table directory levels.

Then you need to configure hive.security.metastore.authorization.manager
with org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,
which uses HDFS permissions to control access to databases and tables.

By setting it up this way, the HDFS permissions will be enforced by the
NameNode and keep each group from reading each other's data. The metastore
will use the same HDFS permissions to prevent access to the other groups'
databases' metadata.

Of course, all of this assumes you have Kerberos turned on for your Hadoop
cluster. It also requires a minimum of Hive 0.10.

Hope it helps,
   Owen


On Fri, May 10, 2013 at 1:19 AM, Austin Chungath <au...@gmail.com> wrote:

> Hi all,
>
> This seems silly but I couldn't get any reliable information even after a
> few minutes of googling.
> If I am creating user roles and groups in hive, which user should I be
> doing it with?
>
> Is there some configuration in hive-site.xml which sets a user as hive
> admin?
>
> Right now I see that any user can create user roles and groups or am I
> missing something?
>
> I am using the following link as reference
> https://cwiki.apache.org/Hive/languagemanual-auth.html
>
> Thanks,
> Austin
>
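
An added example, not part of the original thread or of Hive itself: a small audit of the setup Owen describes, checking that hive-site.xml names the StorageBasedAuthorizationProvider and that no database or table directory is open to users outside its owner and group. The warehouse path, users, groups and the sample listing are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

PROP = "hive.security.metastore.authorization.manager"
PROVIDER = ("org.apache.hadoop.hive.ql.security.authorization."
            "StorageBasedAuthorizationProvider")
WAREHOUSE = "/user/hive/warehouse"  # assumed warehouse root; adjust to your site

# Constructed hive-site.xml fragment (not taken from a real cluster).
HIVE_SITE = f"""<configuration>
  <property>
    <name>{PROP}</name>
    <value>{PROVIDER}</value>
  </property>
</configuration>"""

# Constructed `hdfs dfs -ls -R` output; users, groups and paths are made up.
LISTING = """\
drwxrwx---   - alice finance 0 2013-05-10 10:00 /user/hive/warehouse/finance.db
drwxrwx---   - alice finance 0 2013-05-10 10:00 /user/hive/warehouse/finance.db/ledger
drwxrwxr-x   - alice finance 0 2013-05-10 10:00 /user/hive/warehouse/finance.db/payroll
drwxrwxrwx   - bob sales 0 2013-05-10 10:00 /user/hive/warehouse/sales.db
"""

def metastore_uses_storage_auth(xml_text):
    """True if the metastore authorization manager is the storage-based one."""
    for prop in ET.fromstring(xml_text).iter("property"):
        if (prop.findtext("name") or "").strip() == PROP:
            return (prop.findtext("value") or "").strip() == PROVIDER
    return False  # property absent: storage-based checks are not configured

def open_to_others(listing, warehouse=WAREHOUSE):
    """Return (level, path, other_bits) for db/table dirs that 'other' can access."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(None, 7)
        if len(fields) < 8 or not fields[0].startswith("d"):
            continue
        mode, path = fields[0], fields[7]
        if not path.startswith(warehouse + "/"):
            continue
        parts = path[len(warehouse) + 1:].split("/")
        # Only <name>.db (database) and <name>.db/<table> are checked here.
        if len(parts) > 2 or not parts[0].endswith(".db"):
            continue
        other = mode[7:10]  # third rwx triplet: everyone outside owner and group
        if other != "---":
            findings.append(("database" if len(parts) == 1 else "table", path, other))
    return findings

if __name__ == "__main__":
    print("storage-based metastore authorization:", metastore_uses_storage_auth(HIVE_SITE))
    for finding in open_to_others(LISTING):
        print("open to other users:", finding)
```

Tables of the default database sit directly under the warehouse root rather than under a `.db` directory, so they are outside what this check covers.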