Skip to main content

How to enable SQL Standard-Based Authorization in Hive

How to enable SQL Standard-Based Authorization in Hive

Env: Hive 0.13

Reference:
SQL Standard Based Hive Authorization
1. Set below parameters in hive-site.xml

<property>
    <name>hive.server2.enable.doAs</name>
    <value>false</value>
</property>

<property>
    <name>hive.users.in.admin.role</name>
    <value>mapr</value>
</property>

<property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
</property>

<property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
</property>

<property>
    <name>hive.security.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
</property>

2. [Important] Before restarting HiveServer2, firstly grant admin role to the user in Beeline.

grant admin to user mapr;
This is to make sure the specified admin user has the admin role.
If we ignore this step in Hive 0.13, then later we can not set the role to admin even if the user is specified in  hive.users.in.admin.role.
For example:

0: jdbc:hive2://xxx:10000/default> set hive.users.in.admin.role;
+----------------------------------------------+
|                     set                      |
+----------------------------------------------+
| hive.users.in.admin.role=mapr                |
+----------------------------------------------+
1 row selected (0.05 seconds)

0: jdbc:hive2://xxx:10000/default> set role admin;   
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. mapr doesn't belong to role admin (state=08S01,code=1)

3. Start HiveServer2 with the following additional command-line options.

-hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
-hiveconf hive.security.authorization.enabled=true
-hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator

4.  Test admin role.

0: jdbc:hive2://xxx:xxx/default> set role admin;                                         
No rows affected (0.824 seconds)
0: jdbc:hive2://xxx:xxx/default> show current roles;
+--------+
|  role  |
+--------+
| admin  |
|        |
+--------+
2 rows selected (0.391 seconds)

Comments

Post a Comment

Popular posts from this blog

Minus query in HIVE

It does not appear that HQL supports the MINUS operator What you want to do can be done with a LEFT JOIN or NOT EXISTS: SELECT x FROM abc LEFT JOIN bcd ON abc.x = bcd.x WHERE bcd.x IS NULL EDIT: Per comments below, NOT EXISTS is not supported. SELECT x FROM abc WHERE NOT EXISTS (SELECT x FROM bcd)
1 comment
Read more

INCREMENTAL UPDATES IN HIVE TABLES

  In this blog I will focus on  Incremental load OR updating the exiting records and inserting new record  and  dynamic partition table loading . In BI world delta load/incremental load is very common activity.       We can implement the same on HIVE table using below steps. In a relation database we will perform updating the exiting records using unique index/primary key, but in Hive we have to do it in different way.  There are many ways to do it, let us see how we can do it using below steps. I am assuming that you have data in HDFS which will be updating hourly/daily from your sqoop/flume/kafka. Design consideration:   I am assuming that good temp space is maintained according to your data volume, so that we not facing temp space issue during the process. I am assuming that you have ingestion logic set to in your code for full load and incremental loads and data is available in HDFS.  Partition column value s...
3 comments
Read more

Remove or Replace unwanted simple like space, $ and comma (,) from hive data

hive -e 'select regexp_replace("$60,825.48","\\$|\,","");' OK 60825.48 Time taken: 3.912 seconds, Fetched: 1 row(s) hive -e 'select regexp_replace("$60,825.48","[^0-9.]","");' 60825.48 Time taken: 2.249 seconds, Fetched: 1 row(s) substring from a string using the TRANSLATE function to replace the substring with the empty string. For your query it would become this: drop table vp_hiphop; create table vp_hiphop as select userid, ntext,        regexp_replace(regexp_replace(ntext, 'hip hop', 'hiphop'), 'rock music', 'rockmusic') as ntext1 from  vp_nlp_protext_males; drop table vp_hiphop; create table vp_hiphop as select  userid, ntext,         translate(ntext, ' ', '') as ntext1 from  vp_nlp_protext_males;
Post a Comment
Read more