I want to disable Hive CLI in CDH 5.8. I added the lines below to /etc/hive/conf.cloudera.hive/hive-env.sh:

    if [ "$SERVICE" = "cli" ]; then
      echo "Hive CLI has been disabled"
      exit 1
    fi

But it didn't work. After adding the above to the env file, I restarted Hive. When I type hive in the CLI, it gives me the 'hive' shell.
I haven't tested this but my understanding is that Sentry doesn't disable Hive CLI. That note states that Sentry authorization cannot be applied to queries in Hive CLI. It is a security gap and therefore should not be used and should be disabled.
The straightforward approach would be to not install the Hive gateway anywhere. This isn't always feasible. The next best approach is to lock down the binaries so that no one can use them.
Disabling Hive CLI

To execute Hive queries, you must use Beeline. Hive CLI is not supported with Sentry and therefore its access to the Hive Metastore must be disabled. This is especially necessary if the Hive metastore has sensitive metadata. To do this, modify the hadoop.proxyuser.hive.groups in core-site.xml on the Hive metastore host. For example, to give the hive user permission to impersonate only members of the hive and hue groups, set the property to:

    <property>
      <name>hadoop.proxyuser.hive.groups</name>
      <value>hive,hue</value>
    </property>

More user groups that require access to the Hive Metastore can be added to the comma-separated list as needed.
I will be testing this shortly. Doesn't fully disable it but prevents all other users from using it.
Hi, in CDH 5.7, I found it doesn't work. Other users on Linux can still use Hive CLI. So is the description of this page inaccurate? (https://www.cloudera.com/documentation/enterprise/5-7-x/topics/sg_sentry_service_config.html#concept...)

Block the external applications from accessing the Hive metastore:

1. In the Cloudera Manager Admin Console, select the Hive service.
2. On the Hive service page, click the Configuration tab.
3. In the search well on the right half of the Configuration page, search for Hive Metastore Access Control and Proxy User Groups Override to locate the hadoop.proxyuser.hive.groups parameter and click the plus sign.
4. Enter hive into the text box and click the plus sign again.
5. Enter hue into the text box.
6. Click Save Changes.

Setting this parameter blocks access to the Hive metastore for non-service users. This effectively disables Hive CLI, Spark, and Sqoop applications from interacting with the Hive service. These applications will still run, but after setting this parameter as described here, they will no longer be able to access the Hive metastore and all Hive queries will fail. Users running these tools must be part of the hive or hue groups to access the Hive service. To allow greater access, additional user groups must be added to the proxy list.
I tested the above last night. It worked as expected. Users connecting through HS2 and Hue worked but other connections failed. This included Hive CLI and spark SQL context in a spark shell. So if add the spark user to the list. I did test other connections so other users may be missing. You could add individual users as well if you just want to limit access.
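An added example, not part of any post in this thread and not Cloudera's code: a small audit of a core-site.xml for the hadoop.proxyuser.hive.groups setting discussed above, flagging a wildcard or any group outside an approved list. The sample XML is constructed, the approved list is taken from the hive,hue example quoted in the thread, and the group name analysts is hypothetical.

```python
import xml.etree.ElementTree as ET

PROP = "hadoop.proxyuser.hive.groups"   # property named in this thread
APPROVED = {"hive", "hue"}              # groups from the quoted example

# Constructed sample files, not taken from a real cluster.
LOCKED_DOWN = """<configuration>
  <property>
    <name>hadoop.proxyuser.hive.groups</name>
    <value>hive, hue</value>
  </property>
</configuration>"""
WIDE_OPEN = LOCKED_DOWN.replace("hive, hue", "*")
EXTRA_GROUP = LOCKED_DOWN.replace("hive, hue", "hive,hue,analysts")  # hypothetical group
UNSET = "<configuration></configuration>"


def proxy_groups(core_site_xml):
    """Return the set of groups listed in PROP, or None when PROP is absent."""
    root = ET.fromstring(core_site_xml)
    value = None
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == PROP:
            value = prop.findtext("value") or ""   # keep the last definition seen
    if value is None:
        return None
    # Tolerate spaces around the commas in the list.
    return {g.strip() for g in value.split(",") if g.strip()}


def audit(core_site_xml, approved=APPROVED):
    """Return a list of findings; an empty list means the list matches."""
    groups = proxy_groups(core_site_xml)
    if groups is None:
        return [f"{PROP} is not set in this file; check the effective value"]
    if "*" in groups:
        return [f"{PROP} is '*': hive may impersonate members of any group"]
    findings = [f"unapproved group in {PROP}: {g}"
                for g in sorted(groups - approved)]
    findings += [f"approved group missing from {PROP}: {g}"
                 for g in sorted(approved - groups)]
    return findings


if __name__ == "__main__":
    for label, xml in [("locked down", LOCKED_DOWN), ("wide open", WIDE_OPEN),
                       ("extra group", EXTRA_GROUP), ("unset", UNSET)]:
        print(label, "->", audit(xml) or "OK")
```

Run it against the core-site.xml deployed on the Hive metastore host, since that is the file the quoted documentation says to modify.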