Hive Permission

Hive is a data warehouse framework built on Hadoop. It provides basic data analysis services using the Hive query language (HQL), which is similar to the structured query language (SQL).

MRS supports users, user groups, and roles. Permissions must be assigned to roles, and roles are then bound to users or user groups. Users can obtain permissions only by being bound to a role or by joining a group that is bound to a role. For details about Hive authorization, visit https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization.

Note

  • Hive permissions in security mode need to be managed whereas those in normal mode do not.

  • MRS 3.x or later supports Ranger. If the current component uses Ranger for permission control, you need to configure permission management policies based on Ranger. For details, see Adding a Ranger Access Permission Policy for Hive.

Hive Permission Model

To use the Hive component, users must have permissions on Hive databases and tables (including external tables and views). In MRS, the complete Hive permission model is composed of Hive metadata permission and HDFS file permission. The Hive permission model also includes the permission to use databases or tables.

  • Hive metadata permission

    Similar to traditional relational databases, the Hive database of MRS supports the CREATE and SELECT permissions, and the Hive tables and columns support the SELECT, INSERT, and DELETE permissions. Hive also supports the OWNERSHIP and Hive Admin Privilege permissions.

    Note

    The UPDATE and DELETE operations on Hive tables and columns can be performed only when ACID is enabled.

  • Hive data file permission, also known as HDFS file permission

    Hive database and table files are stored in HDFS. By default, created databases and tables are saved in the /user/hive/warehouse directory of HDFS. The system automatically creates subdirectories named after the databases and their tables. To access a database or a table, the corresponding file permissions (read, write, and execute) on HDFS are required.

    Note

    MRS 3.x supports multiple Hive instances. In the multi-instance scenario, the directory is /user/hive<n>/warehouse, where n is 1 to 4.

To perform various operations on Hive databases or tables, you need to associate the metadata permission with the HDFS file permission. For example, to query Hive data tables, you need to associate the metadata permission SELECT and the HDFS file permissions Read and Write.

To use the role management function of Manager GUI to manage the permissions of Hive databases and tables, you only need to configure the metadata permission, and the system will automatically associate and configure the HDFS file permission. In this way, operations on the interface are simplified, and the efficiency is improved.
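Because access to a Hive table also depends on the HDFS permissions of its warehouse directory, the following Python script, an added example that is not part of the MRS documentation, audits `hdfs dfs -ls -R` output for entries under /user/hive/warehouse that are reachable outside the owner and group or that carry HDFS ACLs. The listing is constructed sample data, and stripping a `.db` suffix from database directory names is an assumption based on the usual Apache Hive layout.

```python
import re

WAREHOUSE = "/user/hive/warehouse"  # default warehouse directory named on this page

# Constructed sample of `hdfs dfs -ls -R` output; not taken from a real cluster.
SAMPLE_LS = """\
drwxrwx---   - hive hive          0 2024-01-10 09:00 /user/hive/warehouse/sales.db
drwxrwx---+  - hive hive          0 2024-01-10 09:05 /user/hive/warehouse/sales.db/orders
drwxr-xr-x   - hive hive          0 2024-01-10 09:06 /user/hive/warehouse/sales.db/customers
-rw-rw-rw-   3 etl  hive       2048 2024-01-10 09:07 /user/hive/warehouse/sales.db/customers/part-00000
drwxrwxrwx   - hive hive          0 2024-01-10 09:08 /tmp/hive-scratch
"""

# type, 9 mode characters, optional '+' (ACL present), replication, owner,
# group, size, date, time, path
LINE = re.compile(
    r"^[d-]([rwxsStT-]{9})(\+?)\s+\S+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(.+)$"
)

def audit_warehouse(ls_output, warehouse=WAREHOUSE):
    """Return (database, table, path, issue) tuples for warehouse entries whose
    HDFS mode grants access to 'other' or whose access is extended by an ACL."""
    root = warehouse.rstrip("/") + "/"
    findings = []
    for line in ls_output.splitlines():
        m = LINE.match(line)
        if not m or not m.group(3).startswith(root):
            continue  # unparsable line or path outside the warehouse
        mode, acl, path = m.groups()
        parts = path[len(root):].split("/")
        # Assumption: database directories may carry a ".db" suffix.
        database = parts[0][:-3] if parts[0].endswith(".db") else parts[0]
        table = parts[1] if len(parts) > 1 else None
        # Sticky bit: 't' means execute plus sticky, 'T' means sticky only.
        other = mode[6:9].replace("t", "x").replace("T", "-")
        if acl:
            findings.append((database, table, path, "acl-present"))
        if other != "---":
            findings.append((database, table, path, "other:" + other))
    return findings

if __name__ == "__main__":
    for finding in audit_warehouse(SAMPLE_LS):
        print(finding)
```

Entries reported as `acl-present` need `hdfs dfs -getfacl <path>` to show who actually has access, because the mode string alone does not describe ACL entries.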

Hive Users

MRS provides users and roles for working with Hive, for example to create tables, insert data into tables, and query tables. Hive defines the USER class, corresponding to user instances. Hive defines the GROUP class, corresponding to role instances.

You can use Manager to set permissions for Hive users. This method only supports permission setting in roles. A user or user group can obtain the permissions only after a role is bound to the user or user group. Hive users can be granted Hive administrator permissions and permissions to access databases, tables, and columns.