Updated on 2024-11-29 GMT+08:00

Hive Metastore Security Hardening

Hive Metastore Fine-Grained Authorization

The Metastore of Hive 3.x supports only StorageBased authorization. This authorization mode depends on the permissions of the underlying file system, such as HDFS, so it is coarse-grained. Metastore fine-grained authorization supports SQLStd and Ranger authorization.

Security hardening points:

  • Hive Metastore supports SQLStd or Ranger authorization in the following scenarios:
    • Creating a database
    • Creating a table
    • Creating a UDF
    • Adding a partition
    • Deleting a database
    • Deleting a table
    • Deleting a UDF
    • Modifying a database
    • Modifying a table
    • Modifying a partition
    • Granting a permission
    • Revoking a permission
  • Metastore requests sent by Hive Metastore clients, such as HiveServer, Spark, HetuEngine, and Flink, are authorized.

Procedure

Fine-grained authorization is enabled for Hive Metastore by default. You can also disable security hardening and use the original StorageBased authorization by configuring parameters.

  1. Log in to FusionInsight Manager and choose Cluster > Services > Hive. Click Configurations then All Configurations.
  2. Search for the following parameters in the search box:

    Table 1 Hive Metastore fine-grained authorization parameters

    | Parameter | Description | Default Value |
    | --- | --- | --- |
    | metastore-ext.authorization.enable | Whether to enable Metastore API authorization. After this function is enabled, SQLStd or Ranger authorization is used depending on the value of metastore-ext.authorization.ranger.and.sqlstd. If this parameter is set to false, the original StorageBased authorization is used. | true |
    | metastore-ext.authorization.ranger.and.sqlstd | Authorization mode used when metastore-ext.authorization.enable is set to true. Specifically: true indicates that Ranger authorization is performed before role authorization; false indicates that only Ranger or role authorization is used. By default, the authorization mode is the same as that of HiveServer. | false |

  3. After the modification is complete, click Save then OK.
  4. Click Dashboard, click More, and select Restart Service. Enter the password for verification, and click OK.
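
To confirm after the restart that the hardening is still in effect, the two parameters can be checked against an exported copy of the configuration. The following is an added example, not part of the product or its documentation: it assumes the parameters appear as Hadoop-style `<property>` name/value pairs in an XML export, and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ENABLE = "metastore-ext.authorization.enable"
RANGER_AND_SQLSTD = "metastore-ext.authorization.ranger.and.sqlstd"
DEFAULTS = {ENABLE: "true", RANGER_AND_SQLSTD: "false"}  # defaults from Table 1

# Constructed samples; the Hadoop-style XML layout is an assumption.
SAMPLE_DEFAULT = "<configuration></configuration>"
SAMPLE_DISABLED = f"""<configuration>
  <property><name>{ENABLE}</name><value>false</value></property>
  <property><name>{RANGER_AND_SQLSTD}</name><value>true</value></property>
</configuration>"""


def load_properties(xml_text):
    """Collect name/value pairs from <property> elements."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def as_bool(props, key):
    """Read a boolean parameter, falling back to the documented default."""
    raw = props.get(key, DEFAULTS[key]).lower()
    if raw not in ("true", "false"):
        raise ValueError(f"{key}: expected true or false, got {raw!r}")
    return raw == "true"


def audit(xml_text):
    """Return (effective_mode, findings) for the two parameters."""
    props = load_properties(xml_text)
    ranger_first = as_bool(props, RANGER_AND_SQLSTD)  # validate even if unused
    if not as_bool(props, ENABLE):
        findings = [f"{ENABLE}=false: hardening is off, StorageBased authorization applies"]
        if RANGER_AND_SQLSTD in props:
            findings.append(f"{RANGER_AND_SQLSTD} has no effect while {ENABLE}=false")
        return "storage-based", findings
    return ("ranger-then-role" if ranger_first else "ranger-or-role"), []


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("disabled", SAMPLE_DISABLED)):
        print(label, audit(sample))
```

A missing parameter is treated as its documented default, and any value other than true or false raises an error instead of being silently interpreted.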