Best Practices for Hive Authorization when using a connector to HiveServer2

We have recently been working with Presto and configuring its Hive connector. It connected successfully using the steps given at prestodb.io/docs/current/connector/hive.html. As an overview of our architecture: Presto runs on its own machine (the Presto Machine) and uses the Hive connector to communicate with a Hadoop cluster running on different machines. The Presto Machine has a hive.properties file, which tells Presto to use a Thrift connection to the Hive client, and the hdfs-site.xml and core-site.xml files for HDFS.

Below is the architecture of our environment.

[Image: architecture diagram]

Below is the command to invoke Presto:

./presto --server XX.X.X.XX:9080 --catalog hive

No presto user exists in my Hadoop environment. Everything works as documented, and the Presto Machine/CLI can query data from the Hive database.

But the documentation leaves one question unanswered: as which Hadoop user is Presto connected?

Presto is using HiveServer2, and the data is in Hive. I dug further into the Ambari configuration and found that hive.server2.enable.doAs is set to “false”, which means that HiveServer2 will run MR jobs in HDFS as the “hive” user. Permissions on the HDFS files related to Hive can be given only to the “hive” user. We can call this configuration HiveServer2 access with limited HDFS access. With this default configuration, the data is visible to any system on the same network that has just Presto (or any other connector using HiveServer2).

Now let us say we would like to protect our data. The best way to protect the Hive CLI is to enable permissions on the HDFS files/folders mapped to the Hive database and tables.

The other option for protecting our data over HiveServer2 is the Ranger Hive plugin. To secure the metastore, it is also recommended to turn on storage-based authorization. The configuration change is as follows: in hive-site.xml, or in Ambari -> Hive -> Config, ensure that hive.server2.enable.doAs is set to “true”.

This means that HiveServer2 will run MR jobs in HDFS as the original user. Make sure to restart the Hive service in Ambari after changing any configuration. In Ranger, within HDFS, create permissions for the files pertaining to Hive tables, giving appropriate permission on the file corresponding to each Hive table. Users can then access the data through HDFS commands as well. Check the audit logs in Ranger: you will see audit entries in Hive and HDFS with the original user’s ID.
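To confirm the settings above actually landed in hive-site.xml, here is an added example (not part of the original post) that audits a configuration for them. The function names and sample XML are constructed for illustration, and the two metastore keys are the standard Hive properties for storage-based authorization, which the post recommends but does not name.

```python
import xml.etree.ElementTree as ET

# hive.server2.enable.doAs comes from the post; the two metastore keys are the
# standard Hive properties for storage-based authorization (not named in the post).
SBA = "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider"
LISTENER = "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener"
EXPECTED = {
    "hive.server2.enable.doAs": "true",
    "hive.security.metastore.authorization.manager": SBA,
    "hive.metastore.pre.event.listeners": LISTENER,
}

def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """List (key, found, expected) for every setting that deviates."""
    props = load_properties(xml_text)
    findings = []
    for key, want in EXPECTED.items():
        got = props.get(key)
        # A missing key is reported too: the effective default depends on the
        # distribution. Class-name settings may be comma-separated lists.
        values = [v.strip() for v in (got or "").split(",")]
        ok = (got or "").lower() == want if want == "true" else want in values
        if not ok:
            findings.append((key, got, want))
    return findings

def site(doas, extra=""):
    # Constructed sample hive-site.xml content, not taken from a real cluster.
    return ("<configuration><property><name>hive.server2.enable.doAs</name>"
            f"<value>{doas}</value></property>{extra}</configuration>")

HARDENING = "".join(
    f"<property><name>{k}</name><value>{v}</value></property>"
    for k, v in EXPECTED.items() if k != "hive.server2.enable.doAs")

if __name__ == "__main__":
    for label, text in (("default", site("false")), ("hardened", site("true", HARDENING))):
        print(label, audit(text) or "OK")
```

Run it against the file Ambari writes out after the restart, since a change saved in the UI does not take effect until the Hive service has been restarted.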

Happy Data security!!!

 

 
