Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

hive with SQL Standard-based Authorization

Labels:
avatar
author-rank lenovomi
Expert Contributor

Created ‎08-19-2016 10:37 AM

hi,

im trying to setup SQL Standard-based Authorization based on the

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_dataintegration/content/hive-013-feature...

but apparently it DOESNT work.

These are the values what are recommended.

-hiveconf hive.metastore.uris

''(a space inside single quotation marks)

-hiveconf hive.security.authorization.manager

org.apache.hadoop.hive.ql.security. authorization. MetaStoreAuthzAPIAuthorizerEmbedOnly

My ambari hive setup has other values...

hive.metastore.uristhrift://blabla.com:9083

and

hive.security.authorization.manager

org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory

Right now when i try to

show roles; for the user which was defined in

hive.users.in.admin.role

i got the error below:

[08S01]: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : adf_admin is not allowed to list roles. User has to belong to ADMIN role and have it as current role, for this action.

Thank you

11,296 Views
0 Kudos
0
8 REPLIES 8

avatar
author-rank bwilson author-rank
Guru

Created ‎08-19-2016 02:25 PM

Hi @John Smith,

At first glance, I am wondering if you granted the appropriate admin privilege to the adf_admin user. There are a few more details on setting up SQL standard auth in a SysAdmin guider here. Notice the step where the admin user must grant themselves admin rights.

8,651 Views
0 Kudos

avatar
author-rank lenovomi
Expert Contributor

Created ‎08-19-2016 03:34 PM

hello @Brandon Wilson , im wondering how can i do this? im googling and i cant see anything related to the setting admin privs to the adf_admin user or whatever user. I thought i can do this putting the user name into conf variable "

hive.users.in.admin.role "

pls let me know. thank you

8,651 Views
0 Kudos

avatar
author-rank bwilson author-rank
Guru

Created ‎08-19-2016 03:37 PM

In the link I posted abouve there is a step requiring the admin user to grant admin privileges to itself:

GRANT admin TO USER adf_admin;
8,651 Views
0 Kudos

avatar
author-rank lenovomi
Expert Contributor

Created ‎08-19-2016 03:36 PM

I tried

GRANT admin TO USER adf_admin;

and got error below

[08S01]: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : adf_admin is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action.

8,651 Views
0 Kudos

avatar
author-rank bwilson author-rank
Guru

Created ‎08-19-2016 03:39 PM

I think you should grant this role to the user BEFORE restarting HS2 with the new Authorization enforced. I would revert your Hive configuration back to the original settings. Then execute the GRANT. Then re-enable the SQL authorization via the configs and service restart.

8,651 Views
0 Kudos

avatar
author-rank lenovomi
Expert Contributor

Created ‎08-22-2016 09:18 AM

hi,

not really its same issue....

[08S01]: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : adf_admin is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action.

8,651 Views
0 Kudos

avatar
author-rank mukul_gupta
New Contributor

Created ‎05-08-2017 01:55 PM

Hi @lenovomi, Did you got the solution to your problem? I am facing the same issue. 😞

8,651 Views
0 Kudos

avatar
author-rank deepesh1
Guru

Created ‎05-12-2017 02:26 AM

For enabling the SQL Std Auth manually you would need to set the following settings in the hive-site.xml before restarting the HiveServer2.

hive.server2.enable.doAs=false
hive.security.authorization.enabled=true
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
hive.users.in.admin.role=<admin user>

In the above <admin user> would be replaced by the user you want as admin. Note that you can perform admin operations after you connect to your beeline session as the admin user and then run the following command:

set role ADMIN;

For an Ambari controlled cluster recommendation would be to enable it through toggle on the Hive configs page.

8,651 Views
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements