Enabling authorization: Hive disables it by default.
Configuration
For Hive 0.13.x
Set the following in hive-site.xml:
- hive.server2.enable.doAs to false.
- hive.users.in.admin.role to the list of comma-separated users who need to be added to admin role. Note that a user who belongs to the admin role needs to run the "set role" command before getting the privileges of the admin role, as this role is not in current roles by default.
Start HiveServer2 with the following additional command-line options:
- -hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
- -hiveconf hive.security.authorization.enabled=true
- -hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
- -hiveconf hive.metastore.uris=' '
For Hive 0.14 and Newer
Set the following in hive-site.xml:
- hive.server2.enable.doAs to false.
- hive.users.in.admin.role to the list of comma-separated users who need to be added to admin role. Note that a user who belongs to the admin role needs to run the "set role" command before getting the privileges of the admin role, as this role is not in current roles by default.
- Add org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly to hive.security.metastore.authorization.manager. (It takes a comma-separated list, so you can add it along with StorageBasedAuthorization parameter, if you want to enable that as well.)
  This setting prevents any of the authorization API calls from being invoked in a remote metastore. HiveServer2 can be configured to use an embedded metastore, and that will allow it to invoke the metastore authorization API. Hive CLI and any other remote metastore users would be denied authorization when they try to make authorization API calls. This restricts the authorization API to the privileged HiveServer2 process. You should also ensure that the metastore RDBMS access is restricted to the metastore server and HiveServer2.
- hive.security.authorization.manager to org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory. This will ensure that any tables or views created by hive-cli have default privileges granted for the owner.
Set the following in hiveserver2-site.xml:
- -hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
- -hiveconf hive.security.authorization.enabled=true
- -hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
- -hiveconf hive.metastore.uris=' '
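The Hive 0.14+ settings above can be checked mechanically. The following is an added example, not part of the original page or of Hive itself: it audits the two files against the values listed here. The helper names, the sample admin user and the sample metastore URI are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PKG = "org.apache.hadoop.hive.ql.security."
SQLSTD = PKG + "authorization.plugin.sqlstd."
EMBED_ONLY = PKG + "authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly"
HS2_EXPECTED = {  # hiveserver2-site.xml values listed on this page
    "hive.security.authorization.manager": SQLSTD + "SQLStdHiveAuthorizerFactory",
    "hive.security.authorization.enabled": "true",
    "hive.security.authenticator.manager": PKG + "SessionStateUserAuthenticator",
    "hive.metastore.uris": "",  # blank, so HiveServer2 uses an embedded metastore
}
SITE_EXPECTED = {  # hive-site.xml values listed on this page
    "hive.server2.enable.doAs": "false",
    "hive.security.authorization.manager": SQLSTD + "SQLStdConfOnlyAuthorizerFactory",
}

def load_props(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def audit(hive_site_xml, hs2_site_xml):
    """Return findings where the two files differ from the Hive 0.14+ settings."""
    site, hs2 = load_props(hive_site_xml), load_props(hs2_site_xml)
    findings = []
    for fname, props, expected in (("hive-site.xml", site, SITE_EXPECTED),
                                   ("hiveserver2-site.xml", hs2, HS2_EXPECTED)):
        for key, want in expected.items():
            if props.get(key) != want:  # a missing key is a finding too
                findings.append(f"{fname}: {key}={props.get(key)!r}, expected {want!r}")
    if not site.get("hive.users.in.admin.role", "").replace(",", "").strip():
        findings.append("hive-site.xml: hive.users.in.admin.role names no users")
    managers = site.get("hive.security.metastore.authorization.manager", "")
    if EMBED_ONLY not in [m.strip() for m in managers.split(",")]:
        findings.append("hive-site.xml: metastore authorization manager list lacks "
                        "MetaStoreAuthzAPIAuthorizerEmbedOnly")
    return findings

def to_xml(props):
    """Build a <configuration> document from a dict (for the constructed samples)."""
    return "<configuration>%s</configuration>" % "".join(
        f"<property><name>{k}</name><value>{v}</value></property>" for k, v in props.items())

# Constructed sample: doAs left enabled, HiveServer2 pointed at a remote metastore.
SAMPLE_SITE = to_xml({**SITE_EXPECTED, "hive.server2.enable.doAs": "true",
                      "hive.users.in.admin.role": "hiveadmin",
                      "hive.security.metastore.authorization.manager": EMBED_ONLY})
SAMPLE_HS2 = to_xml({**HS2_EXPECTED, "hive.metastore.uris": "thrift://metastore.example:9083"})
print("\n".join(audit(SAMPLE_SITE, SAMPLE_HS2)))
```

Values are compared as exact strings, so a differently cased boolean or class name is reported as a finding.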
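Role management:
Note: By default Hive has the public and admin roles. The users specified in hive.users.in.admin.role have the admin role; multiple users are separated by commas.
1. SET ROLE (role_name|ALL|NONE);
A user can have multiple user groups; the SET ROLE command switches the current user to the specified role group.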