[Hive - LanguageManual] Hive Default Authorization - Legacy Mode

This document describes Hive security using the basic authorization scheme, which regulates access to Hive metadata on the client side.

Disclaimer

Hive authorization is not completely secure. The basic authorization scheme is intended primarily to prevent good users from accidentally doing bad things, but makes no promises about preventing malicious users from doing malicious things.  See the Hive authorization main page for the secure options.

只能防止正常用户不做傻事,不能防止恶意着作恶事。

Prerequisites 先决条件

In order to use Hive authorization, there are two parameters that should be set in hive-site.xml:

配置两个参数:

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>enable or disable the hive client authorization</description>
</property>

<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
  <description>the privileges automatically granted to the owner whenever a table gets created.
   An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
</property>

Note that, by default, the hive.security.authorization.createtable.owner.grants are set to null, which would result in the creator of a table having no access to the table.

Users, Groups, and Roles

At the core of Hive‘s authorization system are users, groups, and roles. Roles allow administrators to give a name to a set of grants which can be easily reused. A role may be assigned to users, groups, and other roles. For example, consider a system with the following users and groups:

  • <User>: <Groups>
  • user_all_dbs: group_db1, group_db2
  • user_db1: group_db1
  • user_db2: group_db2

If we wanted to restrict each user to a specific set of databases, we could use roles to build the authorization mechanism(机制). The administrator would create two roles, called role_db1 and role_db2. The role_db1 role would provide privileges just for the first database, and the role_db2 role would provide privileges just for the second database. The administrator could then grant the role_db1 role to group_db1, or explicitly for the users in the group, and do the same for role_db2 with the users of the second database. In order to allow users who need to see all databases to get their appropriate privileges, a third role could be created called role_all_dbs, which would be granted role_db1 and role_db2. When user_all_dbs is granted the role_all_dbs role, the user implicitly is granted all the privileges of role_db1 and role_db2.

Hive roles must be created manually before being used(使用前必须手动创建), unlike users and groups. Users and groups are managed by the hive.security.authenticator.manager. When a user connects to a Metastore Server and issues a query, the Metastore will determine the username of the connecting user, and the groups associated with that ushive.security.authorization.ername. That information is then used to determine if the user should have access to the metadata being requested, by comparing the required privileges of the Hive operation to the user privileges using the following rules:

  • User privileges (Has the privilege been granted to the user)
  • Group privileges (Does the user belong to any groups that the privilege has been granted to)
  • Role privileges (Does the user or any of the groups that the user belongs to have a role that grants the privilege)

By default, the Metastore uses the HadoopDefaultAuthenticator for determing user -> group mappings, which determines authorization by using the Unix usernames and groups on the machine where the Metastore is running. To make this more clear, consider a scenario where a user foo is a member of group bar on the machine running the Hive CLI, and connects to a Metastore running on a separate server that also has a user named foo, but on the Metastore Server, foo is a member of group baz. When an operation is executed, the Metastore will determine foo to be in the group baz.

Taking this a step further, it is also possible for the groups that a user belongs to on the Metastore Server may differ from the groups that the same user belongs to, as determined by HDFS. This could be the case if Hive or HDFS are configured to use non-default user -> group mappers, or the Metastore and the Namenode both use the defaults, but the processes are running on different machines, and the user -> group mappings are not the same on each machine.

元数据的权限和HDFS文件系统的权限需要同步!

It is important to realize that Hive Metastore only controls authorization for metadata, and the underlying data is controlled by HDFS, so if permissions and privileges between the two systems are not in sync, users may have access to metadata, but not the physical data. If the user -> group mappings across the Metastore and Namenode are not in sync, as in the scenarios above, a user may have the privileges required to access a table according to the Metastore, but may not have permission to access the underlying files according to the Namenode. This could also happen due to administrator intervention, if permissions on the files were changed by hand, but Metastore grants had not been updated.

Names of Users and Roles

Role names are case sensitive. In Hive 0.13, however, there was a bug that caused it to have case insensitive behavior. That issue has been fixed in Hive 0.14.

User names are also case sensitive. Unlike role names, user names are not managed within Hive.

Quoted Identifiers in Version 0.13.0+

Icon

As of Hive 0.13.0, user and role names may optionally be surrounded by backtick characters (`) when the configuration parameter hive.support.quoted.identifiers is set to column (default value). All Unicode characters are permitted in the quoted identifiers, with double backticks (``) representing a backtick character. However when hive.support.quoted.identifiers is set to none, or in Hive 0.12.0 and earlier, only alphanumeric and underscore characters are permitted in user names and role names.

For details, see HIVE-6013 and Supporting Quoted Identifiers in Column Names.

As of Hive 0.14, user may be optionally surrounded by backtick characters (`) irrespective of the hive.support.quoted.identifiers setting.

Creating/Dropping/Using Roles

Create/Drop Role

CREATE ROLE role_name

DROP ROLE role_name

Grant/Revoke Roles

GRANT ROLE role_name [, role_name] ...
TO principal_specification [, principal_specification] ...
[WITH ADMIN OPTION]

REVOKE [ADMIN OPTION FOR] ROLE role_name [, role_name] ...
FROM principal_specification [, principal_specification] ...

principal_specification:
    USER user
  | GROUP group
  | ROLE role

Version

Icon

GRANT ROLE added the optional WITH ADMIN OPTION clause in Hive 0.13.0 (HIVE-5923).

REVOKE ROLE will add the optional ADMIN OPTION FOR clause in Hive 0.14.0 (HIVE-6252).

Viewing Granted Roles

SHOW ROLE GRANT principal_specification
 
principal_specification:
    USER user
  | GROUP group
  | ROLE role

Version

Icon

The output of SHOW ROLE GRANT is in tabular format starting with Hive 0.13.0 (HIVE-6204).

Privileges

The following privileges are supported in Hive:

  • ALL - Gives users all privileges
  • ALTER - Allows users to modify the metadata of an object
  • UPDATE - Allows users to modify the physical data of an object
  • CREATE - Allows users to create objects. For a database, this means users can create tables, and for a table, this means users can create partitions
  • DROP - Allows users to drop objects
  • INDEX - Allows users to create indexes on an object (Note: this is not currently implemented)
  • LOCK - Allows users to lock or unlock tables when concurrency is enabled
  • SELECT - Allows users to access data for objects
  • SHOW_DATABASE - Allows users to view available databases

Grant/Revoke Privileges

GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_specification]
    TO principal_specification [, principal_specification] ...
    [WITH GRANT OPTION]

REVOKE [GRANT OPTION FOR]
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_specification]
    FROM principal_specification [, principal_specification] ...

REVOKE ALL PRIVILEGES, GRANT OPTION
    FROM user [, user] ...

priv_type:
    ALL | ALTER | UPDATE | CREATE | DROP
  | INDEX | LOCK | SELECT | SHOW_DATABASE
 
object_specification:
    TABLE tbl_name
  | DATABASE db_name
 
principal_specification:
    USER user
  | GROUP group
  | ROLE role

Version

Icon

REVOKE priv_type will add the optional GRANT OPTION FOR clause in Hive 0.14.0 (HIVE-7404).

Viewing Granted Privileges

SHOW GRANT principal_specification
[ON object_specification [(column_list)]]
 
principal_specification:
    USER user
  | GROUP group
  | ROLE role
 
object_specification:
    TABLE tbl_name
  | DATABASE db_name

Version

Icon

The output of SHOW GRANT is in tabular format starting with Hive 0.13.0 (HIVE-6204).

Hive Operations and Required Privileges

As of the release of Hive 0.7, only these operations require permissions, according to org.apache.hadoop.hive.ql.plan.HiveOperation:


Operation


ALTER


UPDATE


CREATE


DROP


INDEX


LOCK


SELECT


SHOW_DATABASE


LOAD


X


EXPORT


X


IMPORT


X


X


CREATE TABLE


X


CREATE TABLE AS SELECT


X


X


DROP TABLE


X


SELECT


X


ALTER TABLE ADD COLUMN


X


ALTER TABLE REPLACE COLUMN


X


ALTER TABLE RENAME


X


ALTER TABLE ADD PARTITION


X


ALTER TABLE DROP PARTITION


X


ALTER TABLE ARCHIVE


X


ALTER TABLE UNARCHIVE


X


ALTER TABLE SET PROPERTIES


X


ALTER TABLE SET SERDE


X


ALTER TABLE SET SERDE


X


ALTER TABLE SET SERDEPROPERTIES


X


ALTER TABLE CLUSTER BY


X


ALTER TABLE PROTECT MODE


X


ALTER PARTITION PROTECT MODE


X


ALTER TABLE SET FILEFORMAT


X


ALTER PARTITION SET FILEFORMAT


X


ALTER TABLE SET LOCATION


X


ALTER PARTITION SET LOCATION


X


ALTER TABLE CONCATENATE


X


ALTER PARTITION CONCATENATE


X


SHOW DATABASES


X


LOCK TABLE


X


UNLOCK TABLE


X

时间: 2024-11-06 20:47:51

[Hive - LanguageManual] Hive Default Authorization - Legacy Mode的相关文章

[Hive - LanguageManual] Hive Concurrency Model (待)

Hive Concurrency Model Hive Concurrency Model Use Cases Turn Off Concurrency Debugging Configuration Locking in Hive Transactions Use Cases Concurrency support (http://issues.apache.org/jira/browse/HIVE-1293) is a must in databases and their use case

[Hive - LanguageManual] Hive Data Manipulation Language

LanguageManual DML Hive Data Manipulation Language Hive Data Manipulation Language Loading files into tables Syntax Synopsis Notes Inserting data into Hive Tables from queries Syntax Synopsis Notes Dynamic Partition Inserts Example Additional Documen

[Hive - LanguageManual] Create/Drop/Grant/Revoke Roles and Privileges / Show Use

Create/Drop/Grant/Revoke Roles and Privileges Hive Default Authorization - Legacy Mode has information about these DDL statements: CREATE ROLE GRANT ROLE REVOKE ROLE GRANT privilege_type REVOKE privilege_type DROP ROLE SHOW ROLE GRANT SHOW GRANT For 

[[Hive - LanguageManual ] ]SQL Standard Based Hive Authorization

Status of Hive Authorization before Hive 0.13 SQL Standards Based Hive Authorization (New in Hive 0.13) Restrictions on Hive Commands and Statements Privileges Objects Object Ownership Users and Roles Names of Users and Roles Role Management Commands

java.sql.SQLException: No suitable driver found for jdbc:hive://localhost:10000/default

error: java.sql.SQLException: No suitable driver found for jdbc:hive://localhost:10000/default at java.sql.DriverManager.getConnection(DriverManager.java:596) at java.sql.DriverManager.getConnection(DriverManager.java:233) at demo.utils.JDBCUtils.get

[HIve - LanguageManual] Joins

Hive Joins Hive Joins Join Syntax Examples MapJoin Restrictions Join Optimization Predicate Pushdown in Outer Joins Enhancements in Hive Version 0.11 Join Syntax Hive supports the following syntax for joining tables: join_table:     table_reference J

[Hive - LanguageManual] Archiving for File Count Reduction

Archiving for File Count Reduction Note: Archiving should be considered an advanced command due to the caveats involved. Archiving for File Count Reduction Overview Settings Usage Archive Unarchive Cautions and Limitations Under the Hood Overview Due

【hive】——Hive sql语法详解

Hive 是基于Hadoop 构建的一套数据仓库分析系统,它提供了丰富的SQL查询方式来分析存储在Hadoop 分布式文件系统中的数据,可以将结构 化的数据文件映射为一张数据库表,并提供完整的SQL查询功能,可以将SQL语句转换为MapReduce任务进行运行,通过自己的SQL 去查询分析需 要的内容,这套SQL 简称Hive SQL,使不熟悉mapreduce 的用户很方便的利用SQL 语言查询,汇总,分析数据.而mapreduce开发人员可以把 己写的mapper 和reducer 作为插件

【hive】——Hive四种数据导入方式

Hive的几种常见的数据导入方式这里介绍四种:(1).从本地文件系统中导入数据到Hive表:(2).从HDFS上导入数据到Hive表:(3).从别的表中查询出相应的数据并导入到Hive表中:(4).在创建表的时候通过从别的表中查询出相应的记录并插入到所创建的表中. 一.从本地文件系统中导入数据到Hive表 先在Hive里面创建好表,如下: hive> create table wyp > (id int, name string, > age int, tel string) >