Created 01-20-2016 09:42 AM
I have configured ranger authorization for hive and want to force all the users to use beeline and want to block access to hive shell to all the users.
I know one workaround - we can revoke execute access for below file on all hive-clients.
/usr/hdp/current/hive-client/bin/hive
By doing this it could cause an issue to jobs scheduled via workflow engines like Oozie or Azkaban etc.
Is there any other effective way to do this?
Created 01-21-2016 10:25 AM
Suggestion given by @Hajime
We can add below lines in hive-env template via ambari to disable hive-shell
```
if [ "$SERVICE" = "cli" ]; then
  echo "Sorry! I have disabled hive-shell"
  exit 1
fi
```
After restarting hive services, when you try to run hive shell then you will get below output
```
[root@sandbox hive]# hive
Sorry! I have disabled hive-shell
```
Created 01-21-2016 10:20 AM
Thanks @Neeraj Sabharwal
Created 01-20-2016 03:45 PM
Created 01-20-2016 10:45 PM
@Kuldeep Kulkarni it is simple, we had the same problem and I simply edited the hive.distro file
/usr/hdp/2.2.0.0-2041/hive/bin/hive.distro
Go to this line and comment it, and add the string below --- if [ "$SERVICE" = "" ] ; then
```
if [ "$SERVICE" = "" ] && [ "$USER" = "xxxxxxxx" ] ; then
# if [ "$SERVICE" = "" ] ; then
```
xxxxxxx - you can use your shared id /service id
Let me know how it goes.
Created 01-21-2016 10:26 AM
Thanks @Raja Sekhar Chintalapati
Created 01-21-2016 03:58 PM
This might be sufficient to keep honest people honest. For a user that has write access on the filesystem, it's trivial to override hive-env.sh.
Created 08-26-2016 07:18 PM
I've seen it recommended to change the first line to:
if [ "$SERVICE" = "cli" ] && [ "$USER" != "ambari-qa" ]; then
Without this, Ambari won't be able to check Hive metastore state and will throw an alert (at least in HDP 2.4).
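An added example, not part of the thread and not HDP's own tooling: a small audit script for the caveat raised above, that the hive-env guard only holds while users cannot modify hive-env.sh. It checks that an uncommented `$SERVICE` = `cli` guard with a non-zero exit is present and that neither the file nor its directory is group- or world-writable; the function names and the example path in the last comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a hive-env.sh for the CLI guard
# and for write permissions that would let a non-admin user remove it.
# Function names and the example path at the bottom are assumptions.

# Succeeds if $1 (file or directory, symlinks followed) has no group/other write bit.
not_group_other_writable() {
    perms=$(ls -ldL -- "$1" | cut -c1-10)        # e.g. -rw-r--r--
    case "$perms" in
        ?????w*|????????w*) return 1 ;;           # group-write or other-write set
    esac
    return 0
}

# Succeeds if an uncommented test of $SERVICE against "cli" is followed,
# within three lines, by an exit with non-zero status.
has_cli_guard() {
    grep -v '^[[:space:]]*#' -- "$1" |
        grep -A3 -E '\[ *"\$SERVICE" *= *"cli" *]' |
        grep -Eq '(^|[;[:space:]])exit[[:space:]]+[1-9]'
}

# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if unreadable.
audit_hive_cli_guard() {
    env_file=$1
    findings=0
    if [ ! -r "$env_file" ]; then
        echo "MISSING: $env_file"
        return 2
    fi
    if ! has_cli_guard "$env_file"; then
        echo "NO_GUARD: $env_file"
        findings=1
    fi
    for p in "$env_file" "$(dirname "$env_file")"; do
        if ! not_group_other_writable "$p"; then
            echo "WRITABLE: $p"
            findings=1
        fi
    done
    return "$findings"
}

# Run only when a path is given, e.g.: sh audit.sh /etc/hive/conf/hive-env.sh
if [ "$#" -gt 0 ]; then
    audit_hive_cli_guard "$1"
fi
```

The permission check reads only the classic mode bits, so write access granted through POSIX ACLs is not detected.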
Created 01-25-2016 06:55 PM
Hi @kuldeep Kulkarni
This might be a silly answer, but as I see it there are few options as of now to block the Hive CLI for a specific user, and if a lot more changes need to be made on the Hadoop configuration side to block the Hive CLI, then I would like to suggest: why not block the hive command from the Linux side? For example, sudoers can be one of the ways to do this.
Created 05-08-2016 08:15 PM
Not only do we restrict access to hive in our environment but we also make people use a command called 'hql' which is a wrapper around beeline. By default a user (on our kerberised cluster and therefore they have already done kinit) can just type 'hql' and be in the defaults or pass simple options to specify non-defaults.
```
#!/bin/bash
# David M Walker, Data Management & Warehousing & Worldpay
# hql command line for use with a Kerberised cluster

# Defaults, each overridable by a command-line option
DATABASE="DEFAULT"
QUERY_FILE=""
HOST="localhost"
PORT="10001"
QUEUE="DEFAULT"
REALM="_HOST@REALM"

while getopts :d:h:p:r:q:f: PARAM
do
  case "${PARAM}" in
    d) DATABASE="${OPTARG}" ;;
    f) QUERY_FILE="${OPTARG}" ;;
    h) HOST="${OPTARG}" ;;
    p) PORT="${OPTARG}" ;;
    q) QUEUE="${OPTARG}" ;;
    r) REALM="${OPTARG}" ;;
    ?) echo "Usage: hql [-d DATABASE] [-h HOST] [-p PORT] [-q QUEUE] [-r REALM] [-f QUERY_FILE]"
       exit 1 ;;
  esac
done
shift $(($OPTIND - 1))

if [ -z "${QUERY_FILE}" ]
then
  # No query file: start an interactive beeline session
  beeline -u "jdbc:hive2://${HOST}:${PORT}/${DATABASE};transportMode=http;httpPath=cliservice;principal=hive/${REALM}" --hiveconf "tez.queue.name=${QUEUE}"
  exit $?
else
  if [ -r "${QUERY_FILE}" ]
  then
    # Run the statements in the query file (quoted so paths with spaces work)
    beeline -u "jdbc:hive2://${HOST}:${PORT}/${DATABASE};transportMode=http;httpPath=cliservice;principal=hive/${REALM}" --hiveconf "tez.queue.name=${QUEUE}" -f "${QUERY_FILE}"
    exit $?
  else
    echo "File ${QUERY_FILE} is not readable"
    exit 1
  fi
fi
exit 0
```
Created 07-07-2016 07:32 PM
@Kuldeep Kulkarni it seems that HIVE-10511 is the long-term plan for this, also see this link.