One setting was missing:
hive.metastore.authorization.storage.checks   true

This solves the problem.

-----Original Message-----
From: Shunichi Otsuka [mailto:sots...@yahoo-corp.jp] 
Sent: Thursday, July 04, 2013 2:28 PM
To: user@hive.apache.org
Subject: metastore security issue

I am trying to set up Hive securely, doing authorization at the metastore.
However, there is a problem.
I have relied on Hive JIRA HIVE-3705 to decide the configuration, which was set
as below:

javax.jdo.option.ConnectionURL                    jdbc
javax.jdo.option.ConnectionDriverName             java.database.jdbc.mysql
javax.jdo.option.ConnectionUserName               hive
javax.jdo.option.ConnectionPassword               userpass
hive.metastore.execute.setugi                     true
hive.metastore.uris                               thrift://thriftserver.example.com:9083
hive.metastore.sasl.enabled                       true
hive.metastore.kerberos.keytab.file               /etc/grid-keytabs/hive.keytab
hive.metastore.kerberos.principal                 hive/thriftserver.example....@example.com
hive.security.metastore.authorization.enabled     true
hive.security.metastore.authenticator.manager     org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator
hive.security.metastore.authorization.manager     org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider
hive.security.authorization.enabled               false


However, this does authorize an unauthorized user to drop a table or database
from the metastore, as below:

alice> create database db1 location '/user/alice/warehouse/db1.db';
[The permission of db1.db is drwx------ alice:users] However,
bob> drop database db1;
OK

This should not happen, so why is it happening? Is my setting wrong, or is it
that the code has not covered this case?
If it has not been implemented yet, what measures have you taken to
prevent malicious users from dropping other users' databases/tables?

Java version  is 1.6.0_33
hive version is 0.11

Thanks
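As an added example that is not part of either message, the following check reads a hive-site.xml and reports which metastore-side authorization settings from this thread are missing or wrong, including the hive.metastore.authorization.storage.checks setting the reply identifies as the missing one; the sample file is constructed to mirror the original poster's settings, and the set of required values is an assumption drawn from this thread, not a Hive-supplied list.

```python
import xml.etree.ElementTree as ET

# Expected values for a metastore-side authorization setup, taken from the
# thread. None means the setting only needs to be present and non-empty.
# hive.metastore.authorization.storage.checks is the one the reply found
# missing: it makes the metastore check the permissions of the database or
# table directory on storage before a drop, which is what stopped bob's drop.
REQUIRED = {
    "hive.metastore.sasl.enabled": "true",
    "hive.metastore.execute.setugi": "true",
    "hive.security.metastore.authorization.enabled": "true",
    "hive.security.metastore.authorization.manager": None,
    "hive.metastore.authorization.storage.checks": "true",
}


def load_hive_site(xml_text):
    """Parse hive-site.xml content into a {name: value} dict."""
    conf = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf


def audit_metastore_authz(conf):
    """Return [(setting, expected, actual)] for each missing or wrong setting."""
    findings = []
    for name, expected in REQUIRED.items():
        actual = conf.get(name)
        ok = bool(actual) if expected is None else (actual or "").lower() == expected
        if not ok:
            findings.append((name, expected, actual))
    return findings


# Constructed hive-site.xml mirroring the original poster's settings; it lacks
# hive.metastore.authorization.storage.checks, so the audit should flag it.
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.metastore.sasl.enabled</name><value>true</value></property>
  <property><name>hive.metastore.execute.setugi</name><value>true</value></property>
  <property><name>hive.security.metastore.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value></property>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
</configuration>"""

if __name__ == "__main__":
    for name, expected, actual in audit_metastore_authz(load_hive_site(SAMPLE_HIVE_SITE)):
        print(f"{name}: expected {expected or 'non-empty'}, found {actual!r}")
```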
