Hive currently have this limitation. You can have permissions on hdfs but not on the metastore. So as a result any user can drop any table in hive. I have seen such discussions popping up before as well since it a genuine requirement you can expect permissions on metastore level in future versions of hive.
Sent from handheld, please excuse typos.
From: Rahul Sarma <[EMAIL PROTECTED]>
Date: Mon, 1 Oct 2012 11:50:19
To: <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: hive permissions issue on a database
I have a Hadoop cluster running CDH4 version. I am having issues giving
privileges to users on hive. My requirement is for each linux user I need
to create a database on hive and give access to only that user(or group).
So other users should not be able to see those tables or do anything with
them. I already have separate folders in HDFS for each user with selective
permissions. Here is what I have done:
My Hive is connected to oracle 11g as its metastore. The tables are all
Modify /etc/hive/conf/hive-site.xml and make set
"hive.security.authorization.enabled" = true. Also
"hive.security.authorization.createtable.owner.grants" = All.
Created Linux users demo1 & demo2 with same group name i.e. demo1 &
demo2 Logged in hive prompt as root, and created 2 databases demo1db &
Created 2 roles, demo1_role & demo2_role Assigned the groups to the role
i.e. demo1 group belongs to demo1_role & demo2 group belongs to demo2_role.
Grant "All" to demo1db to demo1_role and demo2db to demo2_role
Login as demo1 and get into the hive prompt. Create table demo1db.table1.
Login as demo2 and get into hive prompt. Drop table demo1db.table1. *And
it allows to drop !!!!.*Though it cannot delete the associated data in
HDFS as demo2 does not have access to the folder that demo1 controls. The
table is dropped from metastore. The same happens when I create table with
demo2 user and demo1 is able to drop it.
What have I done wrong? Also I noticed that when I do "show tables;" under
demo1, it does not show anything?