Hi,

is there a way to set up users with read-only users in Hive, so that I can
have one user with write privileges that runs ETL and updates the warehouse,
adds partitions, etc, and one or more 'read-only' users that would be able
to execute SELECTs, etc, but not DDL type statements?

I'd be interested how others out there solve having separation between
producers that feed and update the data warehouse one one hand, and the
consumers on the other.

>From what I understand Hive doesn't have a lot of multiuser support yet (as
described in HIVE-78 etc). Maybe one possibility could be to have
'read-only' users use a different account in the mysql metastore without
write privileges, and have any DDL statements from such users fail due to
metastore errors, but hopefully there's a cleaner way?

Thanks,
/ Oscar

HIVE-78 is what we all are waiting for :)

The hack you suggest below should be a valid interim solution, just make
sure the read-only clients have their own hive-site.xml with the proper
user/pass for the read only account, e.g.

<property>
<name>javax.jdo.option.ConnectionUserName</name>
<value>read-only-user</value>
</property>

<property>
<name>javax.jdo.option.ConnectionPassword</name>
<value>xxxxx</value>
</property>

see this for more details:

http://wiki.apache.org/hadoop/Hive/AdminManual/MetastoreAdmin

-- amr

On 1/13/2010 10:49 PM, Oscar Gothberg wrote:
> Hi,
>
> is there a way to set up users with read-only users in Hive, so that I
> can have one user with write privileges that runs ETL and updates the
> warehouse, adds partitions, etc, and one or more 'read-only' users
> that would be able to execute SELECTs, etc, but not DDL type statements?
>
> I'd be interested how others out there solve having separation between
> producers that feed and update the data warehouse one one hand, and
> the consumers on the other.
>
> From what I understand Hive doesn't have a lot of multiuser support
> yet (as described in HIVE-78 etc). Maybe one possibility could be to
> have 'read-only' users use a different account in the mysql metastore
> without write privileges, and have any DDL statements from such users
> fail due to metastore errors, but hopefully there's a cleaner way?
>
> Thanks,
> / Oscar

Thanks!

I realized this could also be managed, albeit still clumsily, through
user/group read/write permissions for the Hive warehouse directory.

/ Oscar

On Tue, Jan 19, 2010 at 11:40 PM, Amr Awadallah <[EMAIL PROTECTED]> wrote:

> HIVE-78 is what we all are waiting for :)
>
> The hack you suggest below should be a valid interim solution, just make
> sure the read-only clients have their own hive-site.xml with the proper
> user/pass for the read only account, e.g.
>
> <property>
> <name>javax.jdo.option.ConnectionUserName</name>
> <value>read-only-user</value>
> </property>
>
> <property>
> <name>javax.jdo.option.ConnectionPassword</name>
> <value>xxxxx</value>
> </property>
>
> see this for more details:
>
> http://wiki.apache.org/hadoop/Hive/AdminManual/MetastoreAdmin
>
> -- amr
>
>
> On 1/13/2010 10:49 PM, Oscar Gothberg wrote:
>
>> Hi,
>>
>> is there a way to set up users with read-only users in Hive, so that I can
>> have one user with write privileges that runs ETL and updates the warehouse,
>> adds partitions, etc, and one or more 'read-only' users that would be able
>> to execute SELECTs, etc, but not DDL type statements?
>>
>> I'd be interested how others out there solve having separation between
>> producers that feed and update the data warehouse one one hand, and the
>> consumers on the other.
>>
>> From what I understand Hive doesn't have a lot of multiuser support yet
>> (as described in HIVE-78 etc). Maybe one possibility could be to have
>> 'read-only' users use a different account in the mysql metastore without
>> write privileges, and have any DDL statements from such users fail due to
>> metastore errors, but hopefully there's a cleaner way?
>>
>> Thanks,
>> / Oscar
>>
>

Though that will protect the files, it won't protect the schema (e.g.
the read-only users will still be able to drop the table).

-- amr

On 1/20/2010 9:29 PM, Oscar Gothberg wrote:
> Thanks!
>
> I realized this could also be managed, albeit still clumsily, through
> user/group read/write permissions for the Hive warehouse directory.
>
> / Oscar
>
> On Tue, Jan 19, 2010 at 11:40 PM, Amr Awadallah <[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>> wrote:
>
>     HIVE-78 is what we all are waiting for :)
>
>     The hack you suggest below should be a valid interim solution,
>     just make sure the read-only clients have their own hive-site.xml
>     with the proper user/pass for the read only account, e.g.
>
>     <property>
>     <name>javax.jdo.option.ConnectionUserName</name>
>     <value>read-only-user</value>
>     </property>
>
>     <property>
>     <name>javax.jdo.option.ConnectionPassword</name>
>     <value>xxxxx</value>
>     </property>
>
>     see this for more details:
>
>     http://wiki.apache.org/hadoop/Hive/AdminManual/MetastoreAdmin
>
>     -- amr
>
>
>     On 1/13/2010 10:49 PM, Oscar Gothberg wrote:
>
>         Hi,
>
>         is there a way to set up users with read-only users in Hive,
>         so that I can have one user with write privileges that runs
>         ETL and updates the warehouse, adds partitions, etc, and one
>         or more 'read-only' users that would be able to execute
>         SELECTs, etc, but not DDL type statements?
>
>         I'd be interested how others out there solve having separation
>         between producers that feed and update the data warehouse one
>         one hand, and the consumers on the other.
>
>         From what I understand Hive doesn't have a lot of multiuser
>         support yet (as described in HIVE-78 etc). Maybe one
>         possibility could be to have 'read-only' users use a different
>         account in the mysql metastore without write privileges, and
>         have any DDL statements from such users fail due to metastore
>         errors, but hopefully there's a cleaner way?
>
>         Thanks,
>         / Oscar
>
>

Ah, you're right.

I assumed that Hive would not let the operation go through unless the user
had proper privileges in both the warehouse and the metastore, but trying it
out just now you're absolutely right.

Thanks for the heads-up.

/ Oscar

On Thu, Jan 21, 2010 at 1:22 AM, Amr Awadallah <[EMAIL PROTECTED]> wrote:

>  Though that will protect the files, it won't protect the schema (e.g. the
> read-only users will still be able to drop the table).
>
> -- amr
>
>
> On 1/20/2010 9:29 PM, Oscar Gothberg wrote:
>
> Thanks!
>
> I realized this could also be managed, albeit still clumsily, through
> user/group read/write permissions for the Hive warehouse directory.
>
> / Oscar
>
> On Tue, Jan 19, 2010 at 11:40 PM, Amr Awadallah <[EMAIL PROTECTED]> wrote:
>
>> HIVE-78 is what we all are waiting for :)
>>
>> The hack you suggest below should be a valid interim solution, just make
>> sure the read-only clients have their own hive-site.xml with the proper
>> user/pass for the read only account, e.g.
>>
>> <property>
>> <name>javax.jdo.option.ConnectionUserName</name>
>> <value>read-only-user</value>
>> </property>
>>
>> <property>
>> <name>javax.jdo.option.ConnectionPassword</name>
>> <value>xxxxx</value>
>> </property>
>>
>> see this for more details:
>>
>> http://wiki.apache.org/hadoop/Hive/AdminManual/MetastoreAdmin
>>
>> -- amr
>>
>>
>> On 1/13/2010 10:49 PM, Oscar Gothberg wrote:
>>
>>> Hi,
>>>
>>> is there a way to set up users with read-only users in Hive, so that I
>>> can have one user with write privileges that runs ETL and updates the
>>> warehouse, adds partitions, etc, and one or more 'read-only' users that
>>> would be able to execute SELECTs, etc, but not DDL type statements?
>>>
>>> I'd be interested how others out there solve having separation between
>>> producers that feed and update the data warehouse one one hand, and the
>>> consumers on the other.
>>>
>>> From what I understand Hive doesn't have a lot of multiuser support yet
>>> (as described in HIVE-78 etc). Maybe one possibility could be to have
>>> 'read-only' users use a different account in the mysql metastore without
>>> write privileges, and have any DDL statements from such users fail due to
>>> metastore errors, but hopefully there's a cleaner way?
>>>
>>> Thanks,
>>> / Oscar
>>>
>>
>