Hive访问权限控制

hive有两种类型的权限控制方式：

一。通过Hcatcalog API访问hive数据的方式，实际是通过访问metastore元数据的形式访问hive数据，这类有MapReduce，impala，pig，Spark SQL，hive Command line等方式，基于这种方式的权限控制称为：Storage Based Authorization in the Metastore Server。

二。通过hiveserver2的方式访问hive数据，基于这种方式的权限控制称之为：SQL Standards Based Authorization in HiveServer2

第一种方式的权限控制其实通过控制用户在HDFS上的权限来实现的，需要借助hdfs的命令setfacl，实现此种方式需要在hive中配置以下配置项：

<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>
  <description>authorization manager class name to be used in the metastore for authorization.
  The user defined authorization class should implement interface
  org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider.
  </description>
 </property>

<property>
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  <description>authenticator manager class name to be used in the metastore for authentication.
  The user defined authenticator should implement interface 
  org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.
  </description>
</property>

<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value> </value>
  <description>pre-event listener classes to be loaded on the metastore side to run code
  whenever databases, tables, and partitions are created, altered, or dropped.
  Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
  if metastore-side authorization is desired.
  </description>
</property>

而后使用setfacl为用户在hive数仓路径分配权限，例如：

#授予test对warehouse文件夹rwx权限

hadoop fs -setfacl -m user:test:rwx /user/hive/warehouse

#授予hivegrp对warehouse文件夹rwx权限

hadoo fs -setfacl -m group:hivegrp:rwx /user/hive/warehouse

第二种方式也需要修改hive-site.xml配置文件：

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
</property>
<property>
  <name>hive.security.authorization.task.factory</name>
 <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
<property>
  <name>hive.users.in.admin.role</name>
  <value>hdfs</value>
</property>

然后进入hive CLI通过grant命令对表、视图、列、分区进行权限控制，需要注意的是create role及drop role等命令是需要admin role才有权限执行的，因此在配置中给hdfs用户以admin role，切换到hdfs用户下进入hive CLI执行grant命令即可。

通过Hue控制Hive访问权限可查看这里。

官网地址：https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization

参考博客：https://www.cnblogs.com/yurunmiao/p/4449439.html

                  https://helpcdn.aliyun.com/document_detail/62704.html