Community Articles
Find and share helpful community-sourced technical articles
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.
Labels (1)
Guru

Goal

  • Restricting HiveCLI access to specific users

Prerequisite

  • Access to admin account for Ambari

Procedure

  • Open Hive Config from Ambari, you can use the following link to do so
http://<ambari-server-hostname>:8080/#/main/services/HIVE/configs       
  • Locate the following code within "Advanced hive-env"
 if [ "$SERVICE" = "cli" ]; then
   if [ -z "$DEBUG" ]; then
     export HADOOP_OPTS="$HADOOP_OPTS -XX:NewRatio=12 -XX:MaxHeapFreeRatio=40 -XX:MinHeapFreeRatio=15 -XX:+UseNUMA -XX:+UseParallelGC -XX:-UseGCOverheadLimit"
   else
     export HADOOP_OPTS="$HADOOP_OPTS -XX:NewRatio=12 -XX:MaxHeapFreeRatio=40 -XX:MinHeapFreeRatio=15 -XX:-UseGCOverheadLimit"
   fi
 fi
  • Replace the above code with the following
declare -a users=(hdfs centos)

 if [ "$SERVICE" = "cli" ]; then
   
   for auser in ${users[@]}; do 
     if [ "$auser" = "$USER" ]; then
        echo "User $USER is not authorized to use Hive"
        exit 1   
     fi 
   done
     
   if [ -z "$DEBUG" ]; then
     export HADOOP_OPTS="$HADOOP_OPTS -XX:NewRatio=12 -XX:MaxHeapFreeRatio=40 -XX:MinHeapFreeRatio=15 -XX:+UseNUMA -XX:+UseParallelGC -XX:-UseGCOverheadLimit"
   else
     export HADOOP_OPTS="$HADOOP_OPTS -XX:NewRatio=12 -XX:MaxHeapFreeRatio=40 -XX:MinHeapFreeRatio=15 -XX:-UseGCOverheadLimit"
   fi
 fi

NOTE:- Here, the array named "users" contains the list of users who should not be authorized to use HiveCLI. Every time this list is modified, a restart of Hive services is required.

  • Restart Hive services via Ambari for settings to take effect.

Testing the configuration

  • Open a terminal to client & try the following method
[centos@master ~]$ id
uid=500(centos) gid=500(centos) groups=500(centos),4(adm),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[centos@master ~]$ hive
User centos is not authorized to use Hive
[centos@master ~]$ sudo su - hdfs
[hdfs@master ~]$ id
uid=505(hdfs) gid=501(hadoop) groups=501(hadoop),502(hdfs) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[hdfs@master ~]$ hive
User hdfs is not authorized to use Hive
[hdfs@master ~]$ exit
logout
[centos@master ~]$ sudo su - hive
[hive@master ~]$ hive
WARNING: Use "yarn jar" to launch YARN applications.

Logging initialized using configuration in file:/etc/hive/2.4.2.0-258/0/hive-log4j.properties
hive> 

NOTE: Please use a series of test to verify if the configuration works for all/majority of your jobs and automations based on this approach.

250 Views
Don't have an account?
Coming from Hortonworks? Activate your account here
Version history
Revision #:
1 of 1
Last update:
‎09-24-2016 12:20 PM
Updated by:
 
Contributors
Top Kudoed Authors