Updated on 2025-08-22 GMT+08:00

Creating a Hive User and Binding the User to a Role

Scenario

This section describes how to create a Hive user and bind the user to a role on Manager as an MRS cluster administrator. The Hive role can be granted the permissions of the Hive administrator and the permissions to operate Hive table data.

To create a database in Hive, a user only needs to belong to the hive group; no role needs to be granted. Users have all permissions on the databases or tables that they create in Hive or HDFS. They can create tables, select, delete, insert, or update data, and grant permissions to other users to allow them to access the tables and the corresponding HDFS directories and files. By default, the created databases and tables are saved in the /user/hive/warehouse directory of HDFS.

Notes and Constraints

  • Hive roles can be created in scenarios where Kerberos authentication is enabled for the cluster (in security mode).
  • If Ranger is used for permission control, you need to configure related permission management policies. For details, see Adding a Ranger Access Permission Policy for Hive.

Prerequisites

The MRS cluster administrator understands the service requirements.

Creating a Hive Role

Some roles are preset in the system by default. You can also create roles as required. If the preset roles meet your requirements, skip this part.

  1. Log in to FusionInsight Manager. For details, see Accessing FusionInsight Manager.
  2. Choose System > Permission > Role.
  3. Click Create Role, and set Role Name and Description.
  4. Set Configure Resource Permission.

    • Grant the read and execution permissions for the HDFS directory.
      • Click Name of the desired cluster and select HDFS for Service Name. On the displayed page, click File System, choose hdfs://hacluster/ > user, locate the row where hive is located, and select Read and Execute in the Permission column.
      • Click Name of the desired cluster and select HDFS for Service Name. On the displayed page, click File System, choose hdfs://hacluster/ > user > hive, locate the row where warehouse is located, and select Read and Execute in the Permission column.
      • Click Name of the desired cluster and select HDFS for Service Name. On the displayed page, click File System, choose hdfs://hacluster/ > tmp, locate the row where hive-scratch is located, and select Read and Execute in the Permission column.
    • Hive Admin Privilege: Hive administrator permission.
    • Hive Read Write Privileges: Hive data table management permission, which is the operation permission to set and manage the data of created tables.

    For details, see Table 1.

    • A Hive role can be granted administrator permissions and permissions to access databases, tables, and views.
    • Hive administrator permissions do not include the permission to manage HDFS.
    • If a database contains too many tables or a table contains too many files, granting permissions may take a while. For example, if a table contains 10,000 files, granting permissions takes about 2 minutes.
    Table 1 Setting a role

    Task

    Role Authorization

    Setting the Hive administrator permission

    In the Configure Resource Permission table, choose Name of the desired cluster > Hive and select Hive Admin Privilege.

    After a user is bound to the Hive administrator role, the user must perform the following operations in each maintenance operation session:

    1. Log in to the node where the Hive client is installed as the client installation user.
    2. Run the following command to configure environment variables. /opt/hiveclient indicates the Hive client installation directory.
      source /opt/hiveclient/bigdata_env
    3. Run the following command to authenticate the user:
      kinit <Hive service user>
    4. Run the following command to log in to the Hive client:
      beeline
    5. Run the following command to update the administrator permissions of the Hive user:
      set role admin;

    Setting the permission to query a table of another user in the default database

    1. In the Configure Resource Permission table, choose Name of the desired cluster > Hive > Hive Read Write Privileges.
    2. Click the name of the specified database in the database list. Tables in the database are displayed.
    3. In the Rights column of the specified table, choose Select.

    Setting the permission to query a table of another user in the default database

    1. In the Configure Resource Permission table, choose Name of the desired cluster > Hive > Hive Read Write Privileges.
    2. Click the name of the specified database in the database list. Tables in the database are displayed.
    3. In the Permission column of the specified table, select INSERT.

    Setting the permission to import data to a table of another user in the default database

    1. In the Configure Resource Permission table, choose Name of the desired cluster > Hive > Hive Read Write Privileges.
    2. Click the name of the specified database in the database list. Tables in the database are displayed.
    3. In the Permission column of the specified indexes, select DELETE and INSERT.

    Setting the permission to submit HQL commands to Yarn for execution

    For some services, the HQL commands need to be converted into MapReduce tasks and submitted to Yarn for execution. In this case, you need to set the Yarn permissions. Such HQL statements may include insert, count, distinct, group by, order by, sort by, or join.

    1. In the Permission table, choose Name of the desired cluster > Yarn > Scheduling Queue > root.
    2. In the Permission column of the default queue, select Submit.

  5. Click OK and return to the Role page.

    After a role is created, users bound to the role will have the corresponding permissions.
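
Added example (not part of the MRS documentation): a wrapper for the per-session steps in Table 1 that refuses to run maintenance HQL unless the environment file is present, a Kerberos ticket is valid, and `show current roles` confirms that `set role admin` took effect. The function names and the use of `beeline -e` are assumptions; /opt/hiveclient is the client path used above.

```shell
#!/bin/sh
# Added example, not from the MRS documentation.
# Assumptions: client installed under /opt/hiveclient (as on the page), a TGT
# already obtained with kinit, and a beeline wrapper that accepts the standard
# -e option. hive_admin_run, admin_hql and roles_include_admin are
# hypothetical helper names.
HIVE_CLIENT_DIR="${HIVE_CLIENT_DIR:-/opt/hiveclient}"

# Prefix the caller's HQL so the admin role is activated in the same session,
# then list the active roles so the result can be verified.
admin_hql() {
  printf '%s\n' "set role admin; show current roles; $1"
}

# Read beeline output on stdin; succeed only if a result row is exactly "admin".
roles_include_admin() {
  tr -d '| \t\r' | grep -qix 'admin'
}

# Run maintenance HQL with the admin role active; return non-zero otherwise.
hive_admin_run() {
  env_file="$HIVE_CLIENT_DIR/bigdata_env"
  [ -r "$env_file" ] || { echo "missing $env_file" >&2; return 2; }
  . "$env_file"
  # klist -s is silent and exits non-zero when no valid ticket is cached.
  klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; return 3; }
  out=$(beeline -e "$(admin_hql "$1")" 2>&1) || { echo "$out" >&2; return 4; }
  # "set role admin" only works for users bound to a role with
  # Hive Admin Privilege; confirm that it took effect.
  printf '%s\n' "$out" | roles_include_admin || {
    echo "admin role not active in this session" >&2; return 5; }
  printf '%s\n' "$out"
}

# Example call: hive_admin_run 'show roles;'
```

Each `beeline -e` invocation is a new session, which is why the wrapper prepends `set role admin;` every time instead of assuming that an earlier session left the role active.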

Creating a Hive User and Binding the User to a Role

  1. Log in to FusionInsight Manager.
  2. Choose System > Permission > User.
  3. Above the user list, click Create and set the following parameters:

    • Username: Enter a user name, for example, hiveuser.
    • User Type: Select Human-Machine.
    • Password and Confirm Password: Enter a password.
    • User Group: Click Add, select a user group, for example, hive, and click OK.
    • Primary Group: Select a primary group based on service requirements, for example, hive.
    • Role: Click Add to bind a role to the user, for example, System_administrator.

      If the preset roles do not meet the requirements, create a role by referring to Creating a Hive Role and bind the role to the user.

  4. Click OK.

    After a human-machine user is created, you need to change the initial password as prompted after logging in to FusionInsight Manager.

  5. Log in to the Hive client as the created user. Then you can create, modify, and delete Hive tables. For details, see Using Hive for Data Analysis.
