Hive Metastore Authorization and how it is connected to Ranger

avatar
Expert Contributor

Hi community,

I have a question about authorization for the Hive Metastore (not the HiveServer2). Cluster is HDP 2.5 and Kerberos is set up.

The Apache community recommends using a StorageBasedAuthorizationProvider. I understand how it gets the ACLs from the underlying filesystem.

In my situation, I have Ranger set up and want to handle most of the authorization there, effectively making Hadoop native permissions unused (for instance by setting them to 000 on the Hive directories).

The question now is:

- When using the StorageBasedAuthorizationProvider: Will the Hive Metastore consider Ranger policies on HDFS warehouse directories in its decision on whether a certain user can read/write to a directory? Or do I have to use POSIX permissions or HDFS ACLs?

- Is there a better way to realize Hive Metastore authorization (maybe a custom authorization provider for the Hive Metastore that connects to Ranger and uses Ranger policies for HiveServer2)?

Thank you!

1 ACCEPTED SOLUTION

avatar
4 REPLIES

avatar

avatar
Expert Contributor

Thank you! This answers the second question.

avatar

There is nothing specific to Hive Metastore in evaluating access to HDFS resources. If the HDFS Ranger plugin is enabled, then Ranger policies in conjunction with HDFS ACLs will apply. If the HDFS Ranger plugin is not enabled, only HDFS ACLs will apply.

avatar
Expert Contributor

Thank you for that answer.

I was not sure whether there were any special cases, as Hive did some custom checks for read/write rights until: https://issues.apache.org/jira/browse/HIVE-7583 and https://issues.apache.org/jira/browse/HDFS-6570