PROBLEM

Users are able to drop tables in Hive even though they are not the table owners. Metastore server security needs to be enabled to start using storage-based authorization.

SOLUTION

To enable metastore security, set the following parameters:

  • hive.metastore.pre.event.listeners [This turns on metastore-side security.]
    • Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
  • hive.security.metastore.authorization.manager [This tells Hive which metastore-side authorization provider to use. The default setting uses DefaultHiveMetastoreAuthorizationProvider, which implements the standard Hive grant/revoke model. To use an HDFS permission-based model (recommended) for authorization, use StorageBasedAuthorizationProvider, as set below.]
    • Set to org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider
  • hive.security.metastore.authenticator.manager
    • Set to org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator
  • hive.security.metastore.authorization.auth.reads
    • When this is set to true, Hive metastore authorization also checks for read access. It is set to true by default. Read authorization checks were introduced in Hive 0.14.0.
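
To confirm that a metastore's hive-site.xml actually carries these settings, the following added example (not part of the original article or of Hive itself) parses the file and reports any of the four parameters that are missing or set differently. The sample XML is constructed for illustration, and treating the values as comma-separated class lists is an assumption.

```python
import xml.etree.ElementTree as ET

PKG = "org.apache.hadoop.hive.ql.security."
# Property -> class the article says to set it to.
REQUIRED = {
    "hive.metastore.pre.event.listeners":
        PKG + "authorization.AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager":
        PKG + "authorization.StorageBasedAuthorizationProvider",
    "hive.security.metastore.authenticator.manager":
        PKG + "HadoopDefaultMetastoreAuthenticator",
}
READS = "hive.security.metastore.authorization.auth.reads"

def load_props(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit(xml_text):
    """Return a list of findings; an empty list means the settings match."""
    props = load_props(xml_text)
    findings = []
    for name, wanted in REQUIRED.items():
        # Assumption: a value may be a comma-separated list of class names.
        classes = [c.strip() for c in props.get(name, "").split(",") if c.strip()]
        if wanted not in classes:
            findings.append(f"{name}: expected {wanted}, found {classes or 'unset'}")
    # Read checks default to true, so only an explicit non-true value is a finding.
    if props.get(READS, "true").lower() != "true":
        findings.append(f"{READS}: read authorization checks are disabled")
    return findings

# Constructed sample: listener enabled, provider left at the grant/revoke
# default, authenticator unset, read checks switched off.
SAMPLE = """<configuration>
  <property><name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value></property>
  <property><name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value></property>
  <property><name>hive.security.metastore.authorization.auth.reads</name><value>false</value></property>
</configuration>"""

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FINDING:", line)
```

Pass the contents of the metastore host's own hive-site.xml to `audit()`; an empty list means all four parameters match the values listed above.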