SQL Standard-Based Authorization with GRANT and REVOKE SQL Statements
Secure SQL standard-based authorization using the GRANT and
REVOKE SQL statements is supported in Hive 0.13 and later. Hive
provides three authorization models: SQL standard-based authorization, storage-based
authorization, and default Hive authorization. In addition, Ranger provides centralized
management of authorization for all HDP components. Use the following procedure to
manually enable standard SQL authorization:
![[Note]](../common/images/admon/note.png) | Note |
|---|---|
This procedure is unnecessary if your Hive administrator installed Hive using Ambari. |
Set the following configuration parameters in the
hive-site.xmlfile:Table 2.5. Configuration Parameters for Standard SQL Authorization
Configuration Parameter
Required Value
hive.server2.enable.doAsfalsehive.users.in.admin.roleComma-separated list of users granted the administrator role.
Start HiveServer2 with the following command-line options:
Table 2.6. HiveServer2 Command-Line Options
Command-Line Option Required Value -hiveconf hive.security.authorization.managerorg.apache.hadoop.hive.ql.security. authorization. MetaStoreAuthzAPIAuthorizerEmbedOnly-hiveconf hive.security.authorization.enabledtrue-hiveconf hive.security.authenticator.managerorg.apache.hadoop.hive.ql.security. SessionStateUserAuthenticator-hiveconf hive.metastore.uris''(a space inside single quotation marks)
| Note |
|---|---|
Administrators must also specify a storage-based authorization manager for Hadoop
clusters that also use storage-based authorization. The
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider, org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly |