question Re: Hive cannot hide default database with Sentry in Archives of Support Questions (Read Only)

Hive cannot hide default database with Sentry

seafrog — Fri, 16 Sep 2022 09:02:31 GMT

I use hive server 2 with sentry only let users to access "anon" database, however I still can see and use the "default" database:

beeline> !connect jdbc:hive2://192.168.1.123:10000 anon1 anon1

Connecting to jdbc:hive2://192.168.1.123:10000

Connected to: Hive (version 0.10.0)

Driver: Hive (version 0.10.0-cdh4.4.0)

Transaction isolation: TRANSACTION_REPEATABLE_READ

0: jdbc:hive2://192.168.1.123:10000> show databases;

+----------------+

| database_name |

+----------------+

| anon |

| default |

+----------------+

2 rows selected (0.409 seconds)

And here is the role and group definition:

[groups]
anon_analyst = anon_select_tables_role, anon_insert_tables_role

[roles]
anon_select_tables_role = server=localhost->db=anon->table=*->action=SELECT
anon_insert_tables_role = server=localhost->db=anon->table=*->action=INSERT

And the user anon1 is in the unix group. However, Impala cannot access the default database which is the correct behavior. Could anybody knows how to solve the problem for hive? Thanks!

Re: Hive cannot hide default database with Sentry

Harsh J — Sun, 20 Jul 2014 14:40:04 GMT

The group lookup for user 'anon1' is done on the HS2 host by default. Can you ensure that the HS2 unix host also has the same groups setup for 'anon1' as the impalad hosts have (which seem to work)?

Re: Hive cannot hide default database with Sentry

seafrog — Fri, 22 Aug 2014 04:52:29 GMT

Yes, the user group of impala node and hive nodes are the same.

I finally got the answer of my question. If I set "hive.sentry.restrict.defaultDB" to true in sentry-site.xml, the behavior of impala and hive will be the same. Because the default value of "hive.sentry.restrict.defaultDB" is false by default.

Refer line 48 of HiveAuthzConf.java of sentry source code.