https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-Metastore-Authorization-and-how-it-is-connected-to/m-p/179679#M58501 <P>Thank you for that answer. </P><P>I was not sure, if there are any specialities, as Hive did some custom checks for read/write rights until: <A href="https://issues.apache.org/jira/browse/HIVE-7583">https://issues.apache.org/jira/browse/HIVE-7583</A> and <A href="https://issues.apache.org/jira/browse/HDFS-6570">https://issues.apache.org/jira/browse/HDFS-6570</A></P> Wed, 05 Apr 2017 03:18:13 GMT benhadoop 2017-04-05T03:18:13Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-Metastore-Authorization-and-how-it-is-connected-to/m-p/179675#M58497 <P>Hi community,</P><P>I have a question about authorization for the Hive Metastore (not the HiveServer2). Cluster is HDP 2.5 and Kerberos is set up.</P><P>The Apache community recommends to use a StorageBasedAuthorizationProvider. I understand, how it gets the ACLs from the underlying filesystem.</P><P>In my situation, I have Ranger set up and want to handle most of authorization there - effectively making Hadoop native permissions unused (for instance by setting the to 000 on the Hive directories).</P><P>The question now is:</P><P>- When using the StorageBasedAuthorizationProvider: Will the Hive Metastore consider Ranger policies on HDFS warehouse directories in his decision, if a certain user can read/write to directory? Or do I have to use POSIX permissions or HDFS ACLs?</P><P>- Is the a better way to realize Hive Metastore authorization (Maybe a custom authorization provider for HiveMetastore, that connects to Ranger and uses Ranger Policies for HiveServer2)?</P><P>Thank you!</P> Wed, 29 Mar 2017 22:38:14 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-Metastore-Authorization-and-how-it-is-connected-to/m-p/179675#M58497 benhadoop 2017-03-29T22:38:14Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-Metastore-Authorization-and-how-it-is-connected-to/m-p/179676#M58498 <P>There is an open community proposal - See <A href="https://issues.apache.org/jira/browse/RANGER-768" target="_blank">https://issues.apache.org/jira/browse/RANGER-768</A> and <A href="https://issues.apache.org/jira/browse/RANGER-1247" target="_blank">https://issues.apache.org/jira/browse/RANGER-1247</A>. </P> Wed, 29 Mar 2017 22:42:27 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-Metastore-Authorization-and-how-it-is-connected-to/m-p/179676#M58498 vperiasamy 2017-03-29T22:42:27Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-Metastore-Authorization-and-how-it-is-connected-to/m-p/179677#M58499 <P>Thank you! This answers the second question.</P> Wed, 29 Mar 2017 22:53:17 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-Metastore-Authorization-and-how-it-is-connected-to/m-p/179677#M58499 benhadoop 2017-03-29T22:53:17Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-Metastore-Authorization-and-how-it-is-connected-to/m-p/179678#M58500 <P>There is nothing specific to Hive Metastore in evaluating access to HDFS resources. If HDFS Ranger plugin is enabled, then Ranger policies in conjunction with HDFS ACLs will apply. If HDFS Ranger plugin is not enabled, only HDFS ACLs will apply. </P> Tue, 04 Apr 2017 22:03:24 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-Metastore-Authorization-and-how-it-is-connected-to/m-p/179678#M58500 vperiasamy 2017-04-04T22:03:24Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-Metastore-Authorization-and-how-it-is-connected-to/m-p/179679#M58501 <P>Thank you for that answer. </P><P>I was not sure, if there are any specialities, as Hive did some custom checks for read/write rights until: <A href="https://issues.apache.org/jira/browse/HIVE-7583">https://issues.apache.org/jira/browse/HIVE-7583</A> and <A href="https://issues.apache.org/jira/browse/HDFS-6570">https://issues.apache.org/jira/browse/HDFS-6570</A></P> Wed, 05 Apr 2017 03:18:13 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Hive-Metastore-Authorization-and-how-it-is-connected-to/m-p/179679#M58501 benhadoop 2017-04-05T03:18:13Z