Configure Hive Metastore to use Storage-Based Authorization

You can enable storage-based authorization (SBA) for the Hive Metastore server.

Storage-based authorization controls access to the data using HDFS permissions (HDFS ACL). To control metadata access on the metadata objects, such as Databases, Tables, and Partitions, it checks if you have permission on the corresponding directories on the filesystem.

To enable storage-based authorization for the Hive Metastore server, set these properties in hive-site.xml:

Property	Value	Description
`hive.metastore.pre.event.listeners`	`org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener*`	Turns on Metastore security. A MetaStorePreEventListener that performs authorization or authentication checks on the metastore side. Note that this can only perform authorizaiton checks on defined metastore PreEventContexts, such as the adding, dropping, and altering of databases, tables, and partitions.
`hive.security.metastore.authorization.manager`	`org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider*` NOTE The `StorageBasedAuthorizationProvider` setting first appeared, on the Metastore side only, in Hive 0.10.0. With Hive 0.12.0 and later, it can also run on the client side. NOTE Starting from EEP 6.1.0, `hive.security.metastore.authorization.manager` is set to the `StorageBasedAuthorizationProvider` value by default.	`StorageBasedAuthorizationProvider` - Specifies use of an HDFS permission-based model (recommended) for the Metastore-side authorization provider. `DefaultHiveMetastoreAuthorizationProvider` - This default implements the standard Hive grant/revoke model.
`hive.security.metastore.authenticator.manager`	`org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator` (default)	Authentication manager class name to be used in the metastore for authentication. The user-defined authenticator should implement the `org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider` interface.
`hive.security.metastore.authorization.auth.reads`	true (default)	Default value (does not appear in hive-site.xml file). Set to `true`, Metastore authorization also performs a read authorization check (first supported in Hive 0.14.0).
`hive.server2.enable.doAs`	`true` (default)	Use for protected access through HiveServer2.

* In secure clusters, the MapR "Secure-by-Default" configuration implicitly configures these properties in the hive-site.xml file.

SBA configuration example in hive-site.xml File

<property>
    <name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
 </property>

<property>
    <name>hive.security.metastore.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator
    </value> 
</property>

<property>
    <name>hive.security.metastore.authorization.auth.reads</name>
    <value>true</value> 
</property>

<property>
    <name>hive.server2.enable.doAs</name>
    <value>true</value> 
</property>

<property>
    <name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value> 
</property>

If you use storage-based authorization, you still need to use one of the following authorization models to protect actions within the HiveServer2: