Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Threaded View
Hive, mail # user - hive permissions issue on a database


Copy link to this message
-
Re: hive permissions issue on a database
Sriram Krishnan 2012-10-02, 04:21
In general, Hive authorization is not very secure, as is documented on the wiki: https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization.

You are likely running into this issue: https://issues.apache.org/jira/browse/HIVE-2538. Try this as user demo2: "use demo1db; drop table table1". That should fail – at least as per my tests. Also, do you enable drop privileges to all users in your default database? If so, you may want to revoke that – and that will prevent users from dropping tables while they are in the default database. However, it is not going to be fool-proof because users can always run a command such as "use my_db; drop table other_db.foo".

As for show tables, are you saying that tables created by one user is not shown to another? Or the same user?

Sriram

From: Rahul Sarma <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>>
Reply-To: <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>>
Date: Mon, 1 Oct 2012 20:58:31 -0700
To: <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>>
Subject: Re: hive permissions issue on a database

Hi Bejoy,

Thanks for your help. Is there any other way to meet this requirement? How about giving it at the table level?
Also can you share some thoughts on why my "show tables" command doesn't show me the tables created by the user?

Regards,
Rahul Sarma
On Mon, Oct 1, 2012 at 8:01 PM, Bejoy KS <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>> wrote:
Hi Rahul

Hive currently have this limitation. You can have permissions on hdfs but not on the metastore. So as a result any user can drop any table in hive. I have seen such discussions popping up before as well since it a genuine requirement you can expect permissions on metastore level in future versions of hive.
Regards
Bejoy KS

Sent from handheld, please excuse typos.
________________________________
From: Rahul Sarma <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>>
Date: Mon, 1 Oct 2012 11:50:19 -0700
To: <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>>
ReplyTo: [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>
Subject: hive permissions issue on a database
I have a Hadoop cluster running CDH4 version. I am having issues giving privileges to users on hive. My requirement is for each linux user I need to create a database on hive and give access to only that user(or group). So other users should not be able to see those tables or do anything with them. I already have separate folders in HDFS for each user with selective permissions. Here is what I have done:

  *   My Hive is connected to oracle 11g as its metastore. The tables are all created.

  *   Modify /etc/hive/conf/hive-site.xml and make set "hive.security.authorization.enabled" = true. Also "hive.security.authorization.createtable.owner.grants" = All.

  *   Created Linux users demo1 & demo2 with same group name i.e. demo1 & demo2 Logged in hive prompt as root, and created 2 databases demo1db & demo2db.

  *   Created 2 roles, demo1_role & demo2_role Assigned the groups to the role i.e. demo1 group belongs to demo1_role & demo2 group belongs to demo2_role.

  *   Grant "All" to demo1db to demo1_role and demo2db to demo2_role

  *   Login as demo1 and get into the hive prompt. Create table demo1db.table1.

  *   Login as demo2 and get into hive prompt. Drop table demo1db.table1. And it allows to drop !!!!.Though it cannot delete the associated data in HDFS as demo2 does not have access to the folder that demo1 controls. The table is dropped from metastore. The same happens when I create table with demo2 user and demo1 is able to drop it.

What have I done wrong? Also I noticed that when I do "show tables;" under demo1, it does not show anything?

Any suggestions?

Regards,
Rahul Sarma