Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

How to disable hive shell for all users (Hive CLI)

Solved Go to solution
Highlighted

How to disable hive shell for all users (Hive CLI)

Super Guru

I have configured ranger authorization for hive and want to force all the users to use beeline and want to block access to hive shell to all the users.

I know one workaround - we can revoke execute access for below file on all hive-clients.

/usr/hdp/current/hive-client/bin/hive 

By doing this it could cause an issue to jobs scheduled via workflow engines like oozie or azkabaan etc.

Is there any other effective way to do this ?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: How to disable hive shell for all users (Hive CLI)

Super Guru

Suggestion given by @Hajime

We can add below lines in hive-env template via ambari to disable hive-shell

if [ "$SERVICE" = "cli" ]; then
echo "Sorry! I have disabled hive-shell"
exit 1 
fi

After restarting hive services, when you try to run hive shell then you will get below output

[root@sandbox hive]# hive
Sorry! I have disabled hive-shell
20 REPLIES 20

Re: How to disable hive shell for all users (Hive CLI)

I think you have to make sure Storage Based Authorization (SBA) is enabled for the Metastore

  • hive.metastore.pre.event.listeners = org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
  • hive.security.metastore.authorization.manager = org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider

And then lock down filesystem permissions for data warehouse dir. I don't think there's a way to actually prevent users from issuing the "hive" command. I may be wrong, though - happy to be corrected.

Re: How to disable hive shell for all users (Hive CLI)

@Ana Gillan Can you provide details on your idea? Do you have any doc or demo?

Re: How to disable hive shell for all users (Hive CLI)

@Neeraj Sabharwal I don't have a doc or demo, but it's simple enough to demonstrate. Enable SBA (should be already by default) and and then give the hive warehouse dir e.g. 750 permissions for hive:hadoop (recursively). Then if people try to access tables through Hive CLI as any other user, they will get a permission denied error. This won't apply to access via HiveServer2 because you'd manage table and DB permissions via Ranger Hive repository or SQL Standard authorisation. @Alex Miller's suggestion goes on top of that as well. To be truly secure, users must come in via Knox.

Re: How to disable hive shell for all users (Hive CLI)

This is correct. You can hide the standard binary from end users, but if they can create and execute arbitrary files on hosts with access to the cluster then there is no workaround that is 100% effective.

You should restrict access to the entire cluster (via a firewall and/or other means), and users who need to access Hive should do so from through HiveServer2 behind a Knox gateway.

Re: How to disable hive shell for all users (Hive CLI)

Super Guru

Thank you @Alex Miller

Re: How to disable hive shell for all users (Hive CLI)

Super Guru

Thank you @Ana Gillan

Re: How to disable hive shell for all users (Hive CLI)

Mentor

@Kuldeep Kulkarni perhaps remove alias to Hive or create alias for Hive to redirect to beeline¡ Hive shell is in deprecated mode, it will be dropped at some point. Great question.

Re: How to disable hive shell for all users (Hive CLI)

Super Guru

Thanks @Artem Ervits

Re: How to disable hive shell for all users (Hive CLI)

Hi @Kuldeep Kulkarni

Good question because we don't want user to run hive cli as part of the best practice. One of the things that I suggest is not to install hive client in edge node.

I found this thread and I believe this can be done to avoid the hive cli access.