Configure Hive Authorization

Document created by mufeed Employee on Feb 13, 2016

Author: Mufeed Usman

 

Original Publication Date: November 6, 2014

 

When you enable the default authorization in Hive (Hive 0.13), you are likely to encounter errors such as the following when trying to create or manipulate schemas, tables, etc.

 

0: jdbc:hive2://10.10.70.71:10000> create schema with_auth;
Error: Error while compiling statement: No privilege 'Create' found for outputs { } (state=42000,code=403)

A stack trace similar to the one shown below also appears in hive.log.

2014-11-05 16:54:28,174 WARN [pool-2-thread-1]: thrift.ThriftCLIService (ThriftCLIService.java:ExecuteStatement(364)) - Error executing statement:
org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: No privilege 'Create' found for outputs { }
  at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:101)
  at org.apache.hive.service.cli.operation.SQLOperation.run(SQLOperation.java:172)

 

This is expected due to the buggy nature of the default authorization module in Hive. Typically you'll have the following properties in hive-site.xml to enable authorization (with PAM authentication using passwd shown in the sample below).

<property>
  <name>hive.server2.authentication</name>
  <value>PAM</value>
</property>

<property>
  <name>hive.server2.authentication.pam.services</name>
  <value>passwd</value>
</property>

<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
</property>

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>

The problem with the above is that when you enable authorization with hive.security.authorization.enabled, Hive instantiates the authorization manager named by the property hive.security.authorization.manager, whose default value is DefaultHiveAuthorizationProvider. The problem with DefaultHiveAuthorizationProvider is that it is not well documented and has many issues.

 

The new implementation, which fills the gaps in DefaultHiveAuthorizationProvider, is SQLStdHiveAuthorizerFactory. It is well documented and closer to the standard SQL authorization model. See here for detailed documentation. This also has the history of authorization models in Hive.

 

So, to have a functioning authorization module in place, the following properties need to be added in addition to the ones mentioned above.

 

<property>
  <name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
</property>

<property>
  <name>hive.security.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
</property>

<property>
  <name>hive.server2.enable.doAs</name>
  <value>false</value>
</property>
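A quick way to check a hive-site.xml for the authorization settings described above. This is an added example, not part of the original article or of Hive itself; the function names and the two inline sample documents are constructed for illustration, and the properties are assumed to sit under a `<configuration>` root element.

```python
import xml.etree.ElementTree as ET

# Expected values are the ones given in the article above.
REQUIRED = {
    "hive.security.authorization.enabled": "true",
    "hive.security.authorization.manager": "org.apache.hadoop.hive.ql.security."
        "authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
    "hive.security.authenticator.manager":
        "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
    "hive.server2.enable.doAs": "false",
}

def load_properties(xml_text):
    """Parse hive-site.xml text into ({name: value}, {names defined twice})."""
    props, duplicates = {}, set()
    for node in ET.fromstring(xml_text).iter("property"):
        name = (node.findtext("name") or "").strip()
        if name in props:
            duplicates.add(name)
        props[name] = (node.findtext("value") or "").strip()
    return props, duplicates

def audit(xml_text):
    """Return a list of findings; an empty list means all four settings match."""
    props, duplicates = load_properties(xml_text)
    findings = [f"{n}: defined more than once" for n in sorted(duplicates)]
    for name, expected in REQUIRED.items():
        actual = props.get(name)
        if actual is None:
            findings.append(f"{name}: missing, expected {expected}")
            continue
        # Booleans are compared case-insensitively, class names exactly.
        is_bool = expected in ("true", "false")
        if (actual.lower() if is_bool else actual) != expected:
            findings.append(f"{name}: is {actual!r}, expected {expected}")
    return findings

def prop(name, value):
    """Build one <property> element (helper for the constructed samples)."""
    return f"<property><name>{name}</name><value>{value}</value></property>"

# Constructed sample: authorization switched on, manager left at its default.
BROKEN = ("<configuration>"
          + prop("hive.security.authorization.enabled", "true")
          + "</configuration>")
# Constructed sample: the full set of authorization properties from the article.
FIXED = ("<configuration>"
         + "".join(prop(n, v) for n, v in REQUIRED.items())
         + "</configuration>")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(text) or "OK")
```

Pass the contents of the real hive-site.xml to `audit()` before restarting HiveServer2; any finding points at a setting that differs from the ones listed in this article.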
