Created 07-06-2017 01:55 PM
I'm working on a Kerberos-enabled Hortonworks Data Platform 2.5 with Hive 1.2.1.
I just saw that one user can create a database and another user can delete it!
[root@host ~]# su -l user1
[user1@host ~]# hive
hive> create database user1db
OK
Time taken: 0.077 seconds
After creating this database, another user can login and delete it:
[root@host ~]# su -l user2
[user2@host ~]# hive
hive> drop database user1db
OK
Time taken: 1.352 seconds
Why is this possible? Another user can also do other things like showing all databases etc.
How can this be avoided? A user shouldn't be able to view / delete databases of other users!
Created 07-06-2017 02:17 PM
For database-level permissions you can use the following link:
And you can also use Ranger to control the permissions.
Created 07-06-2017 02:20 PM
Have you installed and configured the Ranger plugin for Hive in your environment? Ranger will solve all your problems.
Secondly, start using Beeline; otherwise you also need to configure storage-based ACLs if you are using the Hive CLI.
Link: https://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger/
Hope this helps you.
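For anyone who must keep the Hive CLI for now, this is the storage-based authorization setup the answer above refers to, as an added example (not the poster's own configuration). The property names are the standard Hive metastore-side settings; the warehouse path is the HDP default and is an assumption about this cluster.

```xml
<!-- hive-site.xml on the metastore host (added example, not from the original post).
     Storage-based authorization makes the metastore check the caller's HDFS
     permissions on the database/table directory before CREATE, ALTER or DROP,
     so user2 can no longer drop user1db unless user2 can write to its directory. -->
<configuration>
  <!-- Run authorization checks inside the metastore, before each DDL event. -->
  <property>
    <name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
  </property>
  <!-- Decide by the HDFS permissions of the underlying directory. -->
  <property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
  </property>
  <!-- Identify the caller from the (Kerberos-authenticated) Hadoop user. -->
  <property>
    <name>hive.security.metastore.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  </property>
  <!-- Also require read permission for SHOW/DESCRIBE-style metadata reads. -->
  <property>
    <name>hive.security.metastore.authorization.auth.reads</name>
    <value>true</value>
  </property>
  <!-- Assumed HDP default warehouse location; adjust to the cluster's value. -->
  <property>
    <name>hive.metastore.warehouse.dir</name>
    <value>/apps/hive/warehouse</value>
  </property>
</configuration>
```

Because the check is purely an HDFS permission check, the warehouse directory itself needs the sticky bit (mode 1777) so every user can create a database directory there while only the owning user (or the HDFS superuser) can remove it; without that, world-writable permission on the warehouse would still let user2 delete user1's directory.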
Created 07-06-2017 06:27 PM
Agree. Avoid the Hive CLI. It is not secure and will be on a path to deprecation. Use Beeline or the Ambari Hive View.
Created 07-06-2017 02:56 PM
If no external authorizer like Ranger is enabled, the default Hive permissions apply. For more details on the same, please refer to https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization
So, Ranger is the recommendation for authorization. You can refer to this tutorial on how to set up the Ranger policies for Hive.
https://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/
You can also refer to the documentation below on how to install Ranger in a Kerberized environment.
https://cwiki.apache.org/confluence/display/RANGER/Ranger+installation+in+Kerberized++Environment