Dear Wiki user, You have subscribed to a wiki page or wiki category on "Hadoop Wiki" for change notification.
The "Hive/LanguageManual/Auth" page has been changed by JonathanNatkins.
http://wiki.apache.org/hadoop/Hive/LanguageManual/Auth?action=diff&rev1=1&rev2=2

== Users, Groups, and Roles ==

At the core of Hive's authorization system are users, groups, and roles. Roles allow administrators to give a name to a set of grants which can be easily reused. A role may be assigned to users, groups, and other roles. For example, consider a system with the following users and groups:

 * <User>: <Groups>
 * user_all_dbs: group_db1, group_db2
 * user_db1: group_db1
 * user_db2: group_db2

If we wanted to restrict each user to a specific set of databases, we could use roles to build the authorization mechanism. The administrator would create two roles, called role_db1 and role_db2. The role_db1 role would provide privileges just for the first database, and the role_db2 role would provide privileges just for the second database. The administrator could then grant the role_db1 role to group_db1, or explicitly to the users in the group, and do the same for role_db2 with the users of the second database. To allow users who need to see all databases to get their appropriate privileges, a third role could be created called role_all_dbs, which would be granted role_db1 and role_db2. When user_all_dbs is granted the role_all_dbs role, the user is implicitly granted all the privileges of role_db1 and role_db2.

Hive roles must be created manually before being used, unlike users and groups. Users and groups are managed by the hive.security.authenticator.manager. When a user connects to a Metastore Server and issues a query, the Metastore will determine the username of the connecting user, and the groups associated with that username. That information is then used to determine if the user should have access to the metadata being requested, by comparing the required privileges of the Hive operation to the user's privileges using the following rules:

 * User privileges (Has the privilege been granted to the user?)
 * Group privileges (Does the user belong to any groups that the privilege has been granted to?)
 * Role privileges (Does the user, or any of the groups that the user belongs to, have a role that grants the privilege?)

By default, the Metastore uses the HadoopDefaultAuthenticator for determining user -> group mappings, which resolves them using the Unix usernames and groups on the machine where the Metastore is running. To make this more clear, consider a scenario where a user foo is a member of group bar on the machine running the Hive CLI, and connects to a Metastore running on a separate server that also has a user named foo, but on the Metastore Server, foo is a member of group baz. When an operation is executed, the Metastore will determine foo to be in the group baz.
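The following is an added model of the three lookup rules above and of the role nesting in the role_db1/role_db2/role_all_dbs example; it is illustrative code written for this page, not Hive's own implementation. The grant tables are constructed sample data, and the groups_of parameter stands in for the authenticator's user -> group lookup so the effect of the Metastore-side group resolution can be seen.

```python
from collections import deque

# Constructed sample data modelling the wiki page's example, not real Hive state.
USER_GROUPS = {
    "user_all_dbs": {"group_db1", "group_db2"},
    "user_db1": {"group_db1"},
    "user_db2": {"group_db2"},
}
# Direct grants: (principal kind, principal name) -> set of (privilege, database).
GRANTS = {
    ("role", "role_db1"): {("SELECT", "db1")},
    ("role", "role_db2"): {("SELECT", "db2")},
}
# Role grants: principal -> roles granted to it (roles may be granted to roles).
ROLE_GRANTS = {
    ("group", "group_db1"): {"role_db1"},
    ("group", "group_db2"): {"role_db2"},
    ("role", "role_all_dbs"): {"role_db1", "role_db2"},
    ("user", "user_all_dbs"): {"role_all_dbs"},
}

def effective_roles(principals):
    """Expand roles transitively for a set of (kind, name) principals."""
    seen, queue = set(), deque()
    for principal in principals:
        queue.extend(ROLE_GRANTS.get(principal, ()))
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(ROLE_GRANTS.get(("role", role), ()))
    return seen

def is_authorized(user, privilege, database, groups_of=USER_GROUPS.get):
    """Apply the page's rules in order: user, then group, then role privileges.

    Returns which rule granted access, or None if no rule matched.
    groups_of models the authenticator's user -> group lookup on the Metastore host.
    """
    required = (privilege, database)
    if required in GRANTS.get(("user", user), set()):
        return "user"
    groups = groups_of(user) or set()
    if any(required in GRANTS.get(("group", g), set()) for g in groups):
        return "group"
    principals = {("user", user)} | {("group", g) for g in groups}
    if any(required in GRANTS.get(("role", r), set()) for r in effective_roles(principals)):
        return "role"
    return None
```

Passing a groups_of that returns no groups (the Metastore host not knowing the client-side group membership) shows why user_db1 loses access while user_all_dbs, whose role is granted to the user directly, keeps it.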
