Scenario: a cluster runs Hadoop MapReduce and Hive. One system runs Hadoop (
ref here) and a client runs Hive (ref here) to submit jobs to Hadoop.
You have many users who need to run Hadoop jobs, and also many database tables, and so on.
How do you control the authorization of each Hive user?
ok we start.
From the picture above we can see two places where we can apply a security strategy: the RDBMS that stores the metadata, and HDFS, which stores the real data of the tables. In this section I will apply security at the RDBMS.
In our MySQL database we already created the metastore database (ref to previous tut). Now log in to MySQL with root privileges and create a user (here hivetest) with SELECT only on the metastore database:
mysql> CREATE USER 'hivetest'@'localhost' IDENTIFIED BY 'mypass';
mysql> USE metastore;
mysql> GRANT SELECT ON metastore.* TO 'hivetest'@'localhost'; -- read-only on every table of the metastore schema
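A check worth running after those grants (an added example, not part of the original tutorial): this Python script parses the lines that SHOW GRANTS FOR 'hivetest'@'localhost' prints and flags anything beyond SELECT on the metastore schema. The sample SHOW GRANTS output below is constructed.

```python
import re

# Privileges the read-only metastore account may hold; USAGE is the
# "no privileges" marker that SHOW GRANTS always lists.
ALLOWED_PRIVS = {"SELECT", "USAGE"}

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+(?P<who>\S+)",
                      re.IGNORECASE)


def parse_grant(line):
    """Split one SHOW GRANTS line into (privilege set, object, grantee); None if not a GRANT."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return privs, m.group("obj").replace("`", ""), m.group("who")


def audit_metastore_grants(lines, db="metastore"):
    """Return findings for every grant that exceeds SELECT on the metastore schema."""
    findings = []
    for line in lines:
        parsed = parse_grant(line)
        if parsed is None:
            continue
        privs, obj, who = parsed
        extra = privs - ALLOWED_PRIVS          # any write/admin privilege at all
        if extra:
            findings.append(f"{who}: {', '.join(sorted(extra))} on {obj}")
        if "SELECT" in privs and not obj.startswith(f"{db}."):
            findings.append(f"{who}: SELECT outside {db} ({obj})")  # e.g. ON *.*
    return findings


# Constructed samples of what SHOW GRANTS FOR 'hivetest'@'localhost' prints:
# the intended read-only account ...
GOOD = ["GRANT USAGE ON *.* TO 'hivetest'@'localhost'",
        "GRANT SELECT ON `metastore`.* TO 'hivetest'@'localhost'"]
# ... and an over-privileged one that can rewrite metadata and read every schema.
BAD = ["GRANT USAGE ON *.* TO 'hivetest'@'localhost'",
       "GRANT SELECT, INSERT, UPDATE, DELETE ON `metastore`.* TO 'hivetest'@'localhost'",
       "GRANT SELECT ON *.* TO 'hivetest'@'localhost'"]

if __name__ == "__main__":
    for name, grants in (("good", GOOD), ("bad", BAD)):
        print(name, audit_metastore_grants(grants) or "ok")
```

Feed it the real output of `mysql -e "SHOW GRANTS FOR 'hivetest'@'localhost'"` line by line; an empty result means the account is as restricted as intended.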
Now we use 'hivetest' and 'mypass' in hive-site.xml on the client:
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration>
<property>
<name>javax.jdo.option.ConnectionURL</name>
<value>jdbc:mysql://localhost:3306/metastore</value>
<description>the URL of the MySQL database</description>
</property>
<property>
<name>hive.metastore.warehouse.dir</name>
<value>/user/hive/warehouse</value>
</property>
<property>
<name>javax.jdo.option.ConnectionDriverName</name>
<value>com.mysql.jdbc.Driver</value>
</property>
<property>
<name>javax.jdo.option.ConnectionUserName</name>
<value>hivetest</value>
</property>
<property>
<name>javax.jdo.option.ConnectionPassword</name>
<value>mypass</value>
</property>
</configuration>
Log in to Hive as in the previous tut and create a table:
hive> create table tbl_1(a int);
Switch to the client:
hive> select * from tbl_1; -- can't select, an authorization error comes back.
Back to the super user:
hive> grant select on table tbl_1 to user hivetest;
Switch to the client: now you can select from tbl_1 as normal, and this user can only do what the super user has granted.
How to set this up:
On your system create a new user besides your current user (the super user), e.g. hivetest (it does not need to have the same name as the MySQL user above). You can log in as each user on a separate virtual console with Ctrl+Alt+F1 and Ctrl+Alt+F2.
This is called Hive authorization at the metastore level. :)
Done.
see ya.