
SQL authorisation

Question asked by mprior10 on Jul 17, 2018
Latest reply on Jul 18, 2018 by john.humphreys

Hi,


We have implemented Hive sql standard authorisation as per 

http://www.openkb.info/2014/11/how-to-enable-sql-standard-based.html


In the notes on the Apache wiki, it indicates that a query runs as the Hive server user, and that the directory and files for input data need to have read access for that user. But when I test this, the user running the query (the Business Analyst in beeline) still needs HDFS read permissions to the table, in addition to the select privilege. My understanding from reading the wiki article is that the analyst would not need HDFS permissions on the table, as the query would run under the hive server user, which is the mapr account.


https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization


SQL Standards Based Hive Authorization (New in Hive 0.13)

The SQL standards based authorization option (introduced in Hive 0.13) provides a third option for authorization in Hive. This is recommended because it allows Hive to be fully SQL compliant in its authorization model without causing backward compatibility issues for current users. As users migrate to this more secure model, the current default authorization could be deprecated.

For an overview of this authorization option, see SQL Standards Based Authorization in HiveServer2.

This authorization mode can be used in conjunction with storage based authorization on the metastore server. Like the current default authorization in Hive, this will also be enforced at query compilation time. To provide security through this option, the client will have to be secured. This can be done by allowing users access only through Hive Server2, and by restricting the user code and non-SQL commands that can be run. The checks will happen against the user who submits the request, but the query will run as the Hive server user. The directories and files for input data would have read access for this Hive server user. For users who don’t have the need to protect against malicious users, this could potentially be supported through the Hive command line as well.


===========================

was resolved by


<property>
    <name>hive.server2.enable.doAs</name>
    <value>false</value>
    <description>Set this property to enable impersonation in Hive Server2</description>
</property>
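As an added example (not from this thread or from the Hive project), a small Python lint that reads a hive-site.xml and flags the combination behind the behaviour reported above: SQL standard authorization switched on while hive.server2.enable.doAs is left at its Hive default of true, so HiveServer2 impersonates the caller and the caller's own HDFS permissions are checked on top of the SQL privileges. The property names and the authorizer class name are real Hive settings; the two XML fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Real Hive class name for the SQL-standard authorizer factory.
SQLSTD_FACTORY = ("org.apache.hadoop.hive.ql.security.authorization.plugin"
                  ".sqlstd.SQLStdHiveAuthorizerFactory")

# Constructed hive-site.xml fragments for this example: the first matches the
# behaviour reported above (doAs left at its Hive default of true), the second
# the setting that resolved it.
HIVE_SITE_BEFORE = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value></property>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
</configuration>"""
HIVE_SITE_AFTER = HIVE_SITE_BEFORE.replace(
    "<name>hive.server2.enable.doAs</name><value>true</value>",
    "<name>hive.server2.enable.doAs</name><value>false</value>")


def load_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style XML config."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def check_authz(props):
    """Flag settings that defeat or confuse SQL-standard authorization on HiveServer2."""
    findings = []
    if props.get("hive.security.authorization.enabled", "false").lower() != "true":
        findings.append("hive.security.authorization.enabled is not true: no privilege checks")
    if props.get("hive.security.authorization.manager", "") != SQLSTD_FACTORY:
        findings.append("hive.security.authorization.manager is not the SQL-standard authorizer")
    # Hive defaults doAs to true; with it on, HS2 impersonates the caller, so the
    # caller's own HDFS permissions are checked on top of the SQL privileges.
    if props.get("hive.server2.enable.doAs", "true").lower() == "true":
        findings.append("hive.server2.enable.doAs=true: queries run as the caller, "
                        "so HDFS read access is required in addition to SELECT")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("before", HIVE_SITE_BEFORE), ("after", HIVE_SITE_AFTER)):
        print(label, check_authz(load_props(xml_text)) or ["ok"])
```

With doAs=false the data directories only need to be readable by the Hive server account (mapr here), which is why the wiki also insists that users reach the data solely through HiveServer2.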
