How to disable Hive CLI

Explorer
I want to disable Hive CLI in CDH 5.8. I added the lines below to /etc/hive/conf.cloudera.hive/hive-env.sh:
if [ "$SERVICE" = "cli" ]; then
  echo "Hive CLI has been disabled"
  exit 1
fi
But it didn't work. After adding the above to the env file, I restarted Hive. When I type hive in the CLI, it's giving me the 'hive' shell.

Re: How to disable Hive CLI

Champion

You can configure Apache Sentry; it will provide additional security to your environment.

  • When Sentry is enabled, you must use Beeline to execute Hive queries. Hive CLI is not supported with Sentry and must be disabled.

https://www.cloudera.com/documentation/enterprise/5-5-x/topics/sg_hive_sql.html

 

Thanks

Kumar

Re: How to disable Hive CLI

Champion
Kumar,

I haven't tested this but my understanding is that Sentry doesn't disable Hive CLI. That note states that Sentry authorization cannot be applied to queries in Hive CLI. It is a security gap and therefore should not be used and should be disabled.

Heyo,

The straightforward approach would be to not install the Hive gateway anywhere. This isn't always feasible. The next best approach is to lock down the binaries so that no one can use them.

I'll try later to see if there is a better way.

Re: How to disable Hive CLI

Champion
From the Sentry docs...

Disabling Hive CLI
To execute Hive queries, you must use Beeline. Hive CLI is not supported with Sentry and therefore its access to the Hive Metastore must be disabled. This is especially necessary if the Hive metastore has sensitive metadata. To do this, modify the hadoop.proxyuser.hive.groups in core-site.xml on the Hive metastore host. For example, to give the hive user permission to impersonate only members of the hive and hue groups, set the property to:
<property>
<name>hadoop.proxyuser.hive.groups</name>
<value>hive,hue</value>
</property>
More user groups that require access to the Hive Metastore can be added to the comma-separated list as needed.

I will be testing this shortly. Doesn't fully disable it but prevents all other users from using it.
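
An added example, not part of the original thread or Cloudera's documentation: a Python check that reads a core-site.xml and reports when hadoop.proxyuser.hive.groups is missing, wildcarded, or wider than an allowlist. The sample XML, the function names and the default allowlist (hive and hue, taken from the docs excerpt above) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

PROP = "hadoop.proxyuser.hive.groups"

# Constructed sample files (not from a real cluster): wildcard vs. the value quoted above.
WEAK_SITE = """<configuration><property>
  <name>hadoop.proxyuser.hive.groups</name><value>*</value>
</property></configuration>"""
HARDENED_SITE = """<configuration><property>
  <name>hadoop.proxyuser.hive.groups</name><value>hive,hue</value>
</property></configuration>"""


def proxy_groups(core_site_xml, prop=PROP):
    """Return the groups configured for `prop`, or None if the property is absent."""
    value = None
    for p in ET.fromstring(core_site_xml).iter("property"):
        if (p.findtext("name") or "").strip() == prop:
            # Assumption: if the name is repeated, the last definition is the one used.
            value = p.findtext("value") or ""
    if value is None:
        return None
    return [g.strip() for g in value.split(",") if g.strip()]


def audit(core_site_xml, allowed=("hive", "hue")):
    """Return findings for the proxy-group setting; an empty list means it matches."""
    groups = proxy_groups(core_site_xml)
    if groups is None:
        return [f"{PROP} is not set in this file; check the effective value"]
    findings = []
    if "*" in groups:
        findings.append(f"{PROP} contains '*': hive may impersonate members of any group")
    extra = sorted(set(groups) - set(allowed) - {"*"})
    if extra:
        findings.append(f"{PROP} lists groups outside the allowlist: {', '.join(extra)}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, audit(text) or "OK")
```

Run it against the core-site.xml on the Hive metastore host, passing a wider `allowed` tuple if more groups were added to the list on purpose.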

Re: How to disable Hive CLI

Explorer
Hi, in CDH 5.7, I found it doesn't work. Other users on Linux can still use Hive CLI. So is the description on this page inaccurate? (https://www.cloudera.com/documentation/enterprise/5-7-x/topics/sg_sentry_service_config.html#concept...)

Block the external applications from accessing the Hive metastore:
1. In the Cloudera Manager Admin Console, select the Hive service.
2. On the Hive service page, click the Configuration tab.
3. In the search well on the right half of the Configuration page, search for Hive Metastore Access Control and Proxy User Groups Override to locate the hadoop.proxyuser.hive.groups parameter and click the plus sign.
4. Enter hive into the text box and click the plus sign again.
5. Enter hue into the text box.
6. Click Save Changes.

Setting this parameter blocks access to the Hive metastore for non-service users. This effectively disables Hive CLI, Spark, and Sqoop applications from interacting with the Hive service. These applications will still run, but after setting this parameter as described here, they will no longer be able to access the Hive metastore and all Hive queries will fail. Users running these tools must be part of the hive or hue groups to access the Hive service. To allow greater access, additional user groups must be added to the proxy list.

Re: How to disable Hive CLI

New Contributor

Hi, I met the same issue as you. Have you solved it?

Re: How to disable Hive CLI

Champion
I tested the above last night. It worked as expected. Users connecting through HS2 and Hue worked but other connections failed. This included Hive CLI and spark SQL context in a spark shell. So if add the spark user to the list. I did test other connections so other users may be missing. You could add individual users as well if you just want to limit access.