Goal

  • Restricting HiveCLI access to specific users

Prerequisite

  • Access to admin account for Ambari

Procedure

  • Open the Hive configuration in Ambari. You can use the following link to do so:
http://<ambari-server-hostname>:8080/#/main/services/HIVE/configs
  • Locate the following code within "Advanced hive-env"
 if [ "$SERVICE" = "cli" ]; then
   if [ -z "$DEBUG" ]; then
     export HADOOP_OPTS="$HADOOP_OPTS -XX:NewRatio=12 -XX:MaxHeapFreeRatio=40 -XX:MinHeapFreeRatio=15 -XX:+UseNUMA -XX:+UseParallelGC -XX:-UseGCOverheadLimit"
   else
     export HADOOP_OPTS="$HADOOP_OPTS -XX:NewRatio=12 -XX:MaxHeapFreeRatio=40 -XX:MinHeapFreeRatio=15 -XX:-UseGCOverheadLimit"
   fi
 fi
  • Replace the above code with the following
 # Users who are NOT allowed to start HiveCLI
 declare -a users=(hdfs centos)

 if [ "$SERVICE" = "cli" ]; then

   # Refuse to start the CLI when the calling user is on the list
   for auser in "${users[@]}"; do
     if [ "$auser" = "$USER" ]; then
        echo "User $USER is not authorized to use Hive"
        exit 1
     fi
   done

   if [ -z "$DEBUG" ]; then
     export HADOOP_OPTS="$HADOOP_OPTS -XX:NewRatio=12 -XX:MaxHeapFreeRatio=40 -XX:MinHeapFreeRatio=15 -XX:+UseNUMA -XX:+UseParallelGC -XX:-UseGCOverheadLimit"
   else
     export HADOOP_OPTS="$HADOOP_OPTS -XX:NewRatio=12 -XX:MaxHeapFreeRatio=40 -XX:MinHeapFreeRatio=15 -XX:-UseGCOverheadLimit"
   fi
 fi

NOTE: Here, the array named "users" contains the list of users who should not be authorized to use HiveCLI. Every time this list is modified, a restart of Hive services is required.

  • Restart Hive services via Ambari for settings to take effect.

Testing the configuration

  • Open a terminal on a client node and try the following:
[centos@master ~]$ id
uid=500(centos) gid=500(centos) groups=500(centos),4(adm),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[centos@master ~]$ hive
User centos is not authorized to use Hive
[centos@master ~]$ sudo su - hdfs
[hdfs@master ~]$ id
uid=505(hdfs) gid=501(hadoop) groups=501(hadoop),502(hdfs) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[hdfs@master ~]$ hive
User hdfs is not authorized to use Hive
[hdfs@master ~]$ exit
logout
[centos@master ~]$ sudo su - hive
[hive@master ~]$ hive
WARNING: Use "yarn jar" to launch YARN applications.

Logging initialized using configuration in file:/etc/hive/2.4.2.0-258/0/hive-log4j.properties
hive> 

NOTE: Please run a series of tests to verify that, with this approach, the configuration still works for all or the majority of your jobs and automations.
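
The deny-list check can be exercised without launching Hive or restarting services. The following is an added example, not part of the original article: it wraps the same comparison in a function and runs it over constructed service/user pairs, and by default it takes the user name from `id -un` instead of the `$USER` environment variable, which is set by the calling shell. The names `hive_cli_denied`, `check_matrix` and `DENIED_USERS` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): the deny-list check as a function.
# hive_cli_denied, check_matrix and DENIED_USERS are hypothetical names.

# Same users as the article's "users" array, space-separated for plain sh.
DENIED_USERS="hdfs centos"

# hive_cli_denied SERVICE [USER]
# Returns 0 (denied) only when SERVICE is "cli" and USER is on the deny list.
# USER defaults to `id -un`, the name of the effective UID, rather than the
# $USER environment variable that the article's snippet reads.
hive_cli_denied() {
    svc=$1
    who=${2:-$(id -un)}
    [ "$svc" = "cli" ] || return 1      # other services are never blocked
    for denied in $DENIED_USERS; do
        [ "$denied" = "$who" ] && return 0   # exact match, no prefix match
    done
    return 1
}

# check_matrix: run constructed "service user expected" rows through the
# check, print each verdict, and return the number of mismatches (0 = pass).
check_matrix() {
    failures=0
    while read -r service user expected; do
        if hive_cli_denied "$service" "$user"; then
            actual=deny
        else
            actual=allow
        fi
        [ "$actual" = "$expected" ] || failures=$((failures + 1))
        printf '%-12s %-8s %s\n' "$service" "$user" "$actual"
    done <<'EOF'
cli centos deny
cli hdfs deny
cli hive allow
cli centos2 allow
hiveserver2 hdfs allow
metastore centos allow
EOF
    return "$failures"
}

check_matrix
```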
