Avoid deleting databases by other users in Hive

I'm working on a Kerberos-enabled Hortonworks Data Platform 2.5 with Hive 1.2.1.

I just saw that one user can create a database and another user can delete it!

[root@host ~]# su -l user1

[user1@host ~]# hive
 hive> create database user1db;
 OK
 Time taken: 0.077 seconds

After creating this database, another user can log in and delete it:

[root@host ~]# su -l user2

[user2@host ~]# hive
 hive> drop database user1db;
 OK
 Time taken: 1.352 seconds

Why is this possible? Another user can also do other things like showing all databases etc.

How can this be avoided? A user shouldn't be able to view / delete databases of other users!

Re: Avoid deleting databases by other users in Hive

@Daniel Müller

For database-level permissions you can use the following link:

https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaul...

And you can also use Ranger to control the permissions.

Re: Avoid deleting databases by other users in Hive

@Daniel Müller

Have you installed and configured Ranger-Plug for Hive in your environment? Ranger will solve all your problems.

Secondly, start using Beeline; otherwise you need to configure even storage-based ACLs if you are using Hive CLI.

Link: https://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger/

Hope this helps you.

Re: Avoid deleting databases by other users in Hive

Agree. Avoid Hive CLI. It is not secure and will be on a path to deprecation. Use Beeline or the Ambari Hive View.

Re: Avoid deleting databases by other users in Hive

@Daniel Müller

If no external authorizer like Ranger is enabled, the default Hive permissions are given. For more details on this, please refer to https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization

So, Ranger is the recommendation for authorization. You can refer to this tutorial on how to set up the Ranger policies for Hive.

https://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/

You can also refer to the documentation below on how to install Ranger in a Kerberized environment.

https://cwiki.apache.org/confluence/display/RANGER/Ranger+installation+in+Kerberized++Environment
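
Added example, not part of the thread and not Hortonworks or Hive project code: a small Python audit of a hive-site.xml for the gaps the replies describe, namely authorization left at its disabled default and no metastore-side storage-based check for Hive CLI users. The property and class names are Hive's own; the function names and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PRE_LISTENER = "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener"
STORAGE_AUTHZ = "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider"

def load_props(xml_text):
    """Return {name: value} from Hadoop-style <property> elements."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def audit(xml_text):
    """List the authorization gaps that let one user drop another user's database."""
    props = load_props(xml_text)
    findings = []
    # Hive's default is "false": statements are executed without any privilege check.
    if props.get("hive.security.authorization.enabled", "false").lower() != "true":
        findings.append("authorization disabled: DROP DATABASE is not checked")
    # Hive CLI talks to the metastore directly, so the check has to live there too.
    listeners = [c.strip() for c in props.get("hive.metastore.pre.event.listeners", "").split(",")]
    if PRE_LISTENER not in listeners:
        findings.append("no metastore pre-event listener: Hive CLI calls are unchecked")
    managers = [c.strip() for c in
                props.get("hive.security.metastore.authorization.manager", "").split(",")]
    if STORAGE_AUTHZ not in managers:
        findings.append("metastore is not using storage-based authorization")
    return findings

def prop(name, value):
    """Build one <property> element (helper for the constructed samples)."""
    return f"<property><name>{name}</name><value>{value}</value></property>"

# Constructed sample configurations, not taken from the poster's cluster.
WEAK = "<configuration>" + prop("hive.security.authorization.enabled", "false") + "</configuration>"
HARDENED = "<configuration>" + "".join([
    prop("hive.security.authorization.enabled", "true"),
    prop("hive.metastore.pre.event.listeners", PRE_LISTENER),
    prop("hive.security.metastore.authorization.manager", STORAGE_AUTHZ),
]) + "</configuration>"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "no gaps found")
```

Storage-based authorization decides from the HDFS permissions on the database directory, so the ownership and mode of the warehouse directories still have to be restrictive for the check to mean anything.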
