Creating a Hive Role

Scenario

This section describes how to create and configure a Hive role on Manager as the system administrator. The Hive role can be granted the permissions of the Hive administrator and the permissions to operate Hive table data.

Creating a database with Hive requires users to join in the hive group, without granting a role. Users have all permissions on the databases or tables created by themselves in Hive or HDFS. They can create tables, select, delete, insert, or update data, and grant permissions to other users to allow them to access the tables and corresponding HDFS directories and files. The created databases or tables are saved in the /user/hive/warehouse directory of the HDFS by default.

Note

  • A Hive role can be created only in security mode.

  • If the current component uses Ranger for permission control, you need to configure permission management policies based on Ranger. For details, see Adding a Ranger Access Permission Policy for Hive.

Prerequisites

  • The system administrator has understood the service requirements.

  • Log in to FusionInsight Manager.

  • The Hive client has been installed.

Procedure

  1. Log in to FusionInsight Manager. For details, see Accessing FusionInsight Manager.

  2. Choose System > Permission > Role.

  3. Click Create Role, and set Role Name and Description.

  4. Set Configure Resource Permission. For details, see Table 1.

    • Hive Admin Privilege: Hive administrator permission.

    • Hive Read Write Privileges: Hive data table management permission, which is the operation permission to set and manage the data of created tables.

    Note

    • Hive role management supports the Hive administrator permissions and the permission of accessing databases, tables, and views.

    • The permissions of the Hive administrator do not include the permission to manage HDFS.

    • If there are too many tables in the database or too many files in tables, the permission granting may last a while. For example, if a table contains 10,000 files, the permission granting lasts about 2 minutes.

    Table 1 Setting a role

    Task

    Role Authorization

    Setting the Hive administrator permission

    In the Configure Resource Permission table, choose Name of the desired cluster > Hive and select Hive Admin Privilege.

    Note

    After being bound to the Hive administrator role, perform the following operations during each maintenance operation:

    1. Log in to the node where the Hive client is installed as the client installation user.

    2. Run the following command to configure environment variables:

      For example, if the Hive client installation directory is /opt/hiveclient, run source /opt/hiveclient/bigdata_env.

    3. Run the following command to authenticate the user:

      kinit Hive service user

    4. Run the following command to log in to the client tool:

      beeline

    5. Run the following command to update the Hive administrator permissions:

      set role admin;

    Setting the permission to query a table of another user in the default database

    1. In the Configure Resource Permission table, choose Name of the desired cluster > Hive > Hive Read Write Privileges.

    2. Click the name of the specified database in the database list. Tables in the database are displayed.

    3. In the Rights column of the specified table, choose Select.

    Setting the permission to query a table of another user in the default database

    1. In the Configure Resource Permission table, choose Name of the desired cluster > Hive > Hive Read Write Privileges.

    2. Click the name of the specified database in the database list. Tables in the database are displayed.

    3. In the Permission column of the specified table, select INSERT.

    Setting the permission to import data to a table of another user in the default database

    1. In the Configure Resource Permission table, choose Name of the desired cluster > Hive > Hive Read Write Privileges.

    2. Click the name of the specified database in the database list. Tables in the database are displayed.

    3. In the Permission column of the specified indexes, select DELETE and INSERT.

    Setting the permission to submit HQL commands to Yarn for execution

    The HQL commands used by some services are converted into MapReduce tasks and submitted to Yarn for execution. You need to set the Yarn permissions. For example, the HQL statements to be run use statements, such as insert, count, distinct, group by, order by, sort by, or join.

    1. In the Permission table, choose Name of the desired cluster > Yarn > Scheduling Queue > root.

    2. In the Permission column of the default queue, select Submit.

  5. Click OK, and return to the Role page.