What's the right setup for Hive SQL-based authorization?

Expert Contributor

I'm trying to find out how to configure SQL-based authorization in Hive (HDP 2.6.5) but I have found 2 official sources with contradictory information.

On one side you have the HDP 2.6.5 Data Access Manual, which in the Securing Apache Hive chapter instructs you to set these class properties (among other configuration changes):

hive.security.authorization.manager = org.apache.hadoop.hive.ql.security.authorization.plugin.sql
hive.security.authenticator.manager = org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator

And on the other side I have found the official Hortonworks support article "How to Setup SQL Based authorization in Hive With an example" in this community forum, which states that you have to set a different set of configurations, including these properties with different authorization and authentication classes:

hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory
hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.ProxyUserAuthenticator

Which one of the two different documentation sources should I trust, and which is more appropriate or correct for having SQL-based authorization in Hive?

2 REPLIES

Expert Contributor

I also want to complement this with the information that in the "Data Access" manual they refer to hive-site, but in the HW support article they talk about settings in hiveserver2-site.
From what I was able to find out, the first file (hive-site in Ambari) corresponds to /etc/hive/conf/hive-site.xml and the second (hiveserver2-site in Ambari) corresponds to /etc/hive/conf/conf.server/hiveserver2-site.xml, and many of the authorization/authentication parameters are repeated but with different values.

There is also another file named "hive-site.xml" inside the "conf.server" folder, but it seems to have almost the same content as the one in /etc/hive/conf except for a couple of credential store parameters. What a mess this Hive configuration is!

Expert Contributor

After some tests and reading the official Hive documentation, I'm answering this myself.

Both sources are incomplete and confusing, and I guess it's because they mix the required configuration for Hive 0.13.x and for Hive after 0.14 (which is what is used in HDP 2.5.x and above).

After changing authorization to SQLStdAuth and setting "Run as end user instead of Hive user" (hive.server2.enable.doAs) to false, you have to:

In Custom hive-site: add the user you want to use as Hive administrator, for example admin, to the default list of users with admin role:

hive.users.in.admin.role = hive,hue,admin

In hive-site.xml, corresponding to the General and Advanced hive-site sections in Ambari, check that you have the following settings:

# General section:
hive.security.authorization.enabled=true
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory
# Need to add the second class to the comma separated list
hive.security.metastore.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly
# Advanced hive-site section:
hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.ProxyUserAuthenticator

In hiveserver2-site.xml corresponding to Advanced hiveserver2-site in Ambari:

hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
hive.security.authorization.enabled=true
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory

Note that the classes used as "authorization.manager" in hive-site and in hiveserver2-site have similar names but are different: the first one is "SQLStdConfOnlyAuthorizerFactory" and the second "SQLStdHiveAuthorizerFactory".

Ambari will guide you with some of these settings once you select SQLStdAuth authorization, but this is the complete picture of what is needed. For further reference check:

https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization
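
A way to check both files against the settings listed in the answer above, as an added example that is not part of the original post or of Hive/Ambari. The function names and the sample input are constructed for illustration, and it assumes hive.server2.enable.doAs is kept in hive-site, which the answer does not specify.

```python
import xml.etree.ElementTree as ET

PKG = "org.apache.hadoop.hive.ql.security."
AUTHZ, AUTHN = "hive.security.authorization.manager", "hive.security.authenticator.manager"
METASTORE = "hive.security.metastore.authorization.manager"
# Expected values per file, as listed in the answer above.
EXPECTED = {
    "hive-site": {
        "hive.security.authorization.enabled": "true",
        AUTHZ: PKG + "authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory",
        AUTHN: PKG + "ProxyUserAuthenticator",
        # Assumption: doAs lives in hive-site; the answer does not name the file.
        "hive.server2.enable.doAs": "false"},
    "hiveserver2-site": {
        "hive.security.authorization.enabled": "true",
        AUTHZ: PKG + "authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
        AUTHN: PKG + "SessionStateUserAuthenticator"},
}
METASTORE_CLASSES = {PKG + "authorization.StorageBasedAuthorizationProvider",
                     PKG + "authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly"}

def load_props(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a name -> value dict."""
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def audit(hive_site_xml, hs2_site_xml, admin_user):
    """Return a list of findings; an empty list means the files match the answer."""
    files = {"hive-site": load_props(hive_site_xml), "hiveserver2-site": load_props(hs2_site_xml)}
    findings = [f"{name}: {key} is {files[name].get(key)!r}, expected {want!r}"
                for name, exp in EXPECTED.items() for key, want in exp.items()
                if files[name].get(key) != want]
    hs = files["hive-site"]
    have = {c.strip() for c in hs.get(METASTORE, "").split(",")}
    findings += [f"hive-site: {METASTORE} lacks {c}" for c in sorted(METASTORE_CLASSES - have)]
    admins = {u.strip() for u in hs.get("hive.users.in.admin.role", "").split(",")}
    if admin_user not in admins:
        findings.append(f"hive-site: {admin_user!r} not in hive.users.in.admin.role")
    return findings

def to_xml(props):
    """Render a dict as a Hadoop config file (used only to build the sample input)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>" for k, v in props.items())
    return f"<configuration>{body}</configuration>"
# Constructed sample: hiveserver2-site wrongly reuses the hive-site factory class.
SAMPLE_HIVE = to_xml({**EXPECTED["hive-site"], METASTORE: ",".join(METASTORE_CLASSES),
                      "hive.users.in.admin.role": "hive,hue,admin"})
SAMPLE_HS2 = to_xml({**EXPECTED["hiveserver2-site"], AUTHZ: EXPECTED["hive-site"][AUTHZ]})
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HIVE, SAMPLE_HS2, "admin")) or "OK")
```

On a real host, pass the contents of /etc/hive/conf/hive-site.xml and /etc/hive/conf/conf.server/hiveserver2-site.xml to audit().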