I'm working on a Kerberos-enabled Hortonworks Data Platform 2.5 with Hive 1.2.1.
I just saw that one user can create a database and another user can delete it!
[root@host ~]# su -l user1
[user1@host ~]# hive
hive> create database user1db
OK
Time taken: 0.077 seconds
After creating this database, another user can log in and delete it:
[root@host ~]# su -l user2
[user2@host ~]# hive
hive> drop database user1db
OK
Time taken: 1.352 seconds
Why is this possible? Another user can also do other things like showing all databases etc.
How can this be avoided? A user shouldn't be able to view / delete databases of other users!
For database-level permissions you can use the following link:
And you can also use Ranger to control the permissions.
Have you installed and configured Ranger-Plug for Hive in your environment? Ranger will solve all your problems.
Secondly, start using Beeline; otherwise you also need to configure storage-based ACLs if you are using Hive CLI.
Hope this helps you.
If no external authorizer like Ranger is enabled, the default Hive permissions are given. For more details on this, please refer to https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization
So, Ranger is the recommendation for authorization. You can refer to this tutorial on how to set up the Ranger policies for Hive.
You can also refer to the documentation below on how to install Ranger in a kerberized environment.
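Added example, not part of the thread or of any answer above: a small Python check that reads hive-site.xml and reports whether the two authorization layers the answers mention (HiveServer2-side authorization and metastore storage-based authorization, the one that also covers the Hive CLI) are switched on. The property and class names are the ones documented on the Hive authorization wiki linked above; the two sample configurations and the metastore host name are constructed.

```python
import xml.etree.ElementTree as ET

# Class names as documented in the Hive authorization wiki.
SBA_PROVIDER = ("org.apache.hadoop.hive.ql.security.authorization."
                "StorageBasedAuthorizationProvider")
PRE_LISTENER = ("org.apache.hadoop.hive.ql.security.authorization."
                "AuthorizationPreEventListener")

def load_props(xml_text):
    """Return {name: value} for every <property> in hive-site.xml content."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    props = load_props(xml_text)
    findings = []
    # HiveServer2 / client-side authorization is disabled unless set to true.
    if props.get("hive.security.authorization.enabled", "false").lower() != "true":
        findings.append("hive.security.authorization.enabled is not true")
    # Metastore-side checks: the layer that is also enforced for the Hive CLI.
    listeners = [v.strip() for v in
                 props.get("hive.metastore.pre.event.listeners", "").split(",")]
    if PRE_LISTENER not in listeners:
        findings.append("metastore pre-event authorization listener not set")
    managers = [v.strip() for v in
                props.get("hive.security.metastore.authorization.manager", "").split(",")]
    if SBA_PROVIDER not in managers:
        findings.append("metastore storage-based authorization provider not set")
    return findings

def site(props):
    """Build hive-site.xml text from a dict (constructed sample input only)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed samples: one with no authorization settings, one with both layers on.
DEFAULT_SITE = site({"hive.metastore.uris": "thrift://metastore.example:9083"})
HARDENED_SITE = site({
    "hive.security.authorization.enabled": "true",
    "hive.metastore.pre.event.listeners": PRE_LISTENER,
    "hive.security.metastore.authorization.manager": SBA_PROVIDER,
})

if __name__ == "__main__":
    for name, xml_text in (("default", DEFAULT_SITE), ("hardened", HARDENED_SITE)):
        print(name, audit(xml_text) or "OK")
```

With storage-based authorization on the metastore, whether a user may drop a database follows the HDFS permissions on that database's directory, so those permissions still have to be set per user.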