
Hive authorization

Question asked by deepthi on Feb 20, 2014
Latest reply on Feb 20, 2014 by deepthi
Hi

I am trying to set up Hive authorization in hive-0.12. I have set the following properties in hive-site.xml:

    <property>
      <name>hive.security.authorization.enabled</name>
      <value>true</value>
      <description>enable or disable the hive client authorization</description>
    </property>
    <property>
      <name>hive.security.authorization.createtable.owner.grants</name>
      <value>ALL</value>
      <description>the privileges automatically granted to the owner whenever a table gets created.
       An example like "select,drop" will grant select and drop privilege to the owner of the   table</description>
    </property>
    <property>
      <name>hive.metastore.authorization.storage.checks</name>
      <value>true</value>
      <description>Should the metastore do authorization checks against the underlying storage
      for operations like drop-partition (disallow the drop-partition if the user in
      question doesn't have permissions to delete the corresponding directory
      on the storage).</description>
    </property>

This is the scenario which I am testing. There are 2 users, user1 and user2, who belong to 2 different groups. user1 creates a table in the test database. user2 is able to drop the table, even if user2 does not have write permission on the filesystem directory /user/hive/warehouse/test.db

As user1:

    hive> use test;
    hive> create table t2 (
        > col1 INT,
        > vol2 STRING
        > );

As user2:

    hive> use test;
    hive> drop table t2;
    Authorization failed:No privilege 'Drop' found for outputs { database:test, table:t2}. Use show grant to get more details.
    hive> grant drop on table t2 to user user2;
    OK
    hive> drop table t2;
    OK

The drop succeeds and the directory /user/hive/warehouse/test.db/t2 is deleted.
/user/hive/warehouse/test.db is owned by user1 and the permission is set to 700. Why doesn't Hive honor the permission on the filesystem even after setting hive.metastore.authorization.storage.checks?

Am I missing any property settings here?

Thanks,

Deepthi
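
In the session above, user2 passes the Drop check only after granting that privilege to itself on a table created by user1. The following is an added example, not part of the original post and not Hive code: a small detector that flags such self-grants by a non-owner in a session transcript of the same shape. The "As <user>:" markers, unqualified table names and the function names are assumptions of this example.

```python
import re
# Constructed sample: the session from the post, each block tagged "As <user>:".
TRANSCRIPT = """\
As user1:
hive> use test;
hive> create table t2 (
    > col1 INT,
    > vol2 STRING
    > );
As user2:
hive> drop table t2;
Authorization failed:No privilege 'Drop' found for outputs { database:test, table:t2}. Use show grant to get more details.
hive> grant drop on table t2 to user user2;
OK
hive> drop table t2;
OK
"""
GRANT = re.compile(r"grant\s+(.+?)\s+on\s+table\s+(\w+)\s+to\s+user\s+(\w+)$", re.I)

def statements(transcript):
    """Yield (user, statement) pairs, joining '>' continuation lines."""
    user, buf = None, []
    for line in transcript.splitlines():
        marker = re.match(r"\s*As (\w+):\s*$", line)
        if marker:
            user = marker.group(1)
            continue
        prompt = re.match(r"\s*(?:hive)?> ?(.*)$", line)
        if not prompt:
            continue  # command output ("OK", error text), not a statement
        buf.append(prompt.group(1).strip())
        if buf[-1].endswith(";"):
            yield user, " ".join(buf).rstrip(";").strip()
            buf = []

def find_self_grants(transcript):
    """Return GRANTs in which a non-owner grants itself a table privilege."""
    owner, findings = {}, []
    for user, stmt in statements(transcript):
        created = re.match(r"create\s+table\s+(\w+)", stmt, re.I)
        if created:
            owner[created.group(1).lower()] = user
        m = GRANT.match(stmt)
        if m:
            priv, table, grantee = m.group(1).lower(), m.group(2).lower(), m.group(3)
            if grantee == user and owner.get(table) != user:
                findings.append({"user": user, "privilege": priv, "table": table, "owner": owner.get(table)})
    return findings
print(find_self_grants(TRANSCRIPT))
```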





