Grant permissions in Hive does not work on HDP2.2


Problem description


I'm experimenting with HDP2.2 cluster with Ambari setup on CentOS 6.5 and I have problems with running Hive GRANT queries. For example, a query

grant select on Tbl1 to user root;

gives me an exception that looks like this:

FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Failed to retrieve roles for hdfs: Metastore Authorization api invocation for remote metastore is disabled in this configuration.

What's going on here and could you explain the meaning of 'retrieve roles for hdfs'? Is that a 'hdfs' system user or some specific hadoop user?

From what I've been reading, it seems that the problem is with some Hive settings. Is there a way to turn security off somehow or tweak it in the right way using hive-site.xml?

Solution

Is the setting below in your hive-site.xml?

<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
</property>

This will restrict any Grant/Revoke statements to the beeline/hive-server2 interface only.

Setting "MetaStoreAuthzAPIAuthorizerEmbedOnly" is in addition to "StorageBasedAuthorizationProvider" and its sole purpose is to disable grant/revoke through hive-cli. To use SQL authorization fully, this setting gives a single point of control for providing SQL-based authorization. If you remove this setting, anybody from Hive-CLI can set him/herself as admin and bypass SQL-based privileges.
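An added example, not part of the original answer or of Hive itself: a Python check that reads a hive-site.xml document and reports whether `hive.security.metastore.authorization.manager` still lists both classes named in the answer. The function names and the two sample XML documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PROP = "hive.security.metastore.authorization.manager"
PKG = "org.apache.hadoop.hive.ql.security.authorization."
STORAGE_BASED = PKG + "StorageBasedAuthorizationProvider"
EMBED_ONLY = PKG + "MetaStoreAuthzAPIAuthorizerEmbedOnly"

def hive_site(value):
    """Build a constructed one-property hive-site.xml document (sample input)."""
    return (f"<configuration><property><name>{PROP}</name>"
            f"<value>{value}</value></property></configuration>")

# Constructed samples: the setting quoted in the answer, and the same
# setting with the EmbedOnly class removed.
SAMPLE_AS_ANSWERED = hive_site(f"{STORAGE_BASED}, {EMBED_ONLY}")
SAMPLE_WEAKENED = hive_site(STORAGE_BASED)

def read_property(xml_text, name):
    """Return the value of `name`, or None if the property is not set.
    Assumption: if the property is repeated, the last occurrence is used."""
    value = None
    for prop in ET.fromstring(xml_text).iter("property"):
        if (prop.findtext("name") or "").strip() == name:
            value = (prop.findtext("value") or "").strip()
    return value

def audit_metastore_authz(xml_text):
    """Report which of the two classes from the answer are configured."""
    raw = read_property(xml_text, PROP) or ""
    managers = [m.strip() for m in raw.split(",") if m.strip()]
    warnings = []
    if EMBED_ONLY not in managers:
        # Per the answer: without this class, hive-cli users can make
        # themselves admin and bypass SQL-based privileges.
        warnings.append("MetaStoreAuthzAPIAuthorizerEmbedOnly missing: "
                        "grant/revoke is not restricted to HiveServer2")
    if STORAGE_BASED not in managers:
        warnings.append("StorageBasedAuthorizationProvider missing")
    return {"managers": managers, "warnings": warnings}

if __name__ == "__main__":
    for label, doc in (("as answered", SAMPLE_AS_ANSWERED),
                       ("weakened", SAMPLE_WEAKENED)):
        print(label, audit_metastore_authz(doc)["warnings"] or "OK")
```

An empty warning list for a cluster's hive-site.xml means the GRANT failure from hive-cli shown in the question is the configured behaviour, and grants are expected to go through beeline/HiveServer2.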
