If the hive.server2.enable.doAs parameter is set to false, then the underlying jobs in HDFS are run as "hive" user. This is a better security model as the underlying HDFS file permissions can be set to be owned only by "hive" user and end user would not be able to access files directly without going through Hiveserver2
On Wed, Apr 1, 2015 at 2:19 AM, Hanish Bansal <[email protected]> wrote: > Yes I am using beeline client for testing purpose and hiveserver2 jdbc > client. > > > Still I have confusion about "hive.server2.enable.doAs" property- > > > As per wiki documentation ( > https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2): > > By default HiveServer2 performs the query processing as the user who > submitted the query. But if the following parameter is set to false, the > query will run as the user that the hiveserver2 process runs as. > > hive.server2.enable.doAs – Impersonate the connected user, default true. > > > As per my understanding if this property is set to false, all queries > will run as the user who started hiveserver2 process. so we should set > "true" value for this property to run the query as user who submitted the > query. > > > Please let me know your thoughts on this. > > > ------- > > *Thanks & Regards, Hanish Bansal* > Software Engineer, iLabs > Impetus Infotech Pvt. Ltd. > (O) : +91.120.4092200-2790 > (M) : +91.9953399925 > ------------------------------ > *From:* Don Bosco Durai <[email protected]> on behalf of Don Bosco > Durai <[email protected]> > *Sent:* Tuesday, March 31, 2015 10:20 PM > *To:* [email protected] > *Subject:* Re: Hive admin user behavior > > Yes, if you are using Ranger, then you have to set appropriate > permissions on Ranger. It helps in plugging any backdoor loop holes. > > I am also assuming you are using beeline client or JDBC. > > One more thing, we recommend hive.server2.enable.doAs=false. > > Thanks > > Bosco > > > From: Hanish Bansal <[email protected]> > Reply-To: "[email protected]" < > [email protected]> > Date: Tuesday, March 31, 2015 at 4:35 AM > To: "[email protected]" <[email protected]> > Subject: Hive admin user behavior > > Hi All, > > > When deploying hive, I have defined below configuration for hiveserver2 > in configuration file "hive-site.xml": > > > <property> > <name>hive.server2.enable.doAs</name> > <value>true</value> > </property> > <property> > <name>hive.users.in.admin.role</name> > <value>hanish</value> > </property> > > <property> > <name>hive.security.authorization.manager</name> > > <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value> > </property> > <property> > <name>hive.security.authorization.enabled</name> > <value>true</value> > </property> > <property> > <name>hive.security.authenticator.manager</name> > > <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value> > </property> > > <property> > <name>hive.security.authorization.enabled</name> > <value>true</value> > </property> > > > I have added "hanish" user to admin user list (Property- > hive.users.in.admin.role ) so it should be able to fetch schema of all > tables. But i am getting permission denied error. > > I want one user to define as admin user who can fetch schema of all > tables. If I give admin permissions or select permissions from ranger-UI to > a user for databases=* and tables = * then its working fine and that user > is able to fetch schema for all tables. But as per hive configurations if > user is defined as admin by mentioning " hive.users.in.admin.role" then > that user is not behaving as admin. > > Please let me know the expected behavior. > > Is Ranger overrides behavior of hive property " hive.users.in.admin.role" > ?? > > > > ------- > > *Thanks & Regards, Hanish Bansal* > Software Engineer, iLabs > Impetus Infotech Pvt. Ltd. > (O) : +91.120.4092200-2790 > (M) : +91.9953399925 > > ------------------------------ > > > > > > > NOTE: This message may contain information that is confidential, > proprietary, privileged or otherwise protected by law. The message is > intended solely for the named addressee. If received in error, please > destroy and notify the sender. Any use of this email is prohibited when > received in error. Impetus does not represent, warrant and/or guarantee, > that the integrity of this communication has been maintained nor that the > communication is free of errors, virus, interception or interference. > > > ------------------------------ > > > > > > > NOTE: This message may contain information that is confidential, > proprietary, privileged or otherwise protected by law. The message is > intended solely for the named addressee. If received in error, please > destroy and notify the sender. Any use of this email is prohibited when > received in error. Impetus does not represent, warrant and/or guarantee, > that the integrity of this communication has been maintained nor that the > communication is free of errors, virus, interception or interference. >
