forked from docs/doc-exports
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com> Co-authored-by: Yang, Tong <yangtong2@huawei.com> Co-committed-by: Yang, Tong <yangtong2@huawei.com>
88 lines
16 KiB
HTML
<a name="mrs_01_0948"></a><a name="mrs_01_0948"></a>
<h1 class="topictitle1">Hive Permission</h1>
<div id="body1590395281681"><p id="mrs_01_0948__af2bd908bfb8a4da1a7c62179850b840d">Hive is a data warehouse framework built on Hadoop. It provides basic data analysis services using the Hive query language (HQL), a language similar to Structured Query Language (SQL).</p>
<p id="mrs_01_0948__a15d6da179787429eabdef9614ae9f75f">MRS supports users, user groups, and roles. Permissions are assigned to roles, and roles are then bound to users or user groups. A user obtains permissions only by being bound to a role or by joining a user group that is bound to a role. For details about Hive authorization, visit <a href="https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization" target="_blank" rel="noopener noreferrer">https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization</a>.</p>
<div class="note" id="mrs_01_0948__n1083e3c0434445e6b5cd57c277846d0e"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="mrs_01_0948__ul8211105114013"><li id="mrs_01_0948__li11211105118401">Hive permissions in security mode need to be managed whereas those in normal mode do not.</li><li id="mrs_01_0948__li168631085544">MRS 3.<em id="mrs_01_0948__i24831037819">x</em> or later supports Ranger. If the current component uses Ranger for permission control, you need to configure permission management policies based on Ranger. For details, see <a href="mrs_01_1858.html">Adding a Ranger Access Permission Policy for Hive</a>.</li></ul>
</div></div>
<div class="section" id="mrs_01_0948__s9117d64353cd4e85b2d309333dd4c3b4"><h4 class="sectiontitle">Hive Permission Model</h4><p id="mrs_01_0948__a6b87996c73934f3d964c81a7808b3af7">To use the Hive component, users must have permissions on Hive databases and tables (including external tables and views). In MRS, the complete Hive permission model is composed of Hive metadata permission and HDFS file permission. The Hive permission model also includes the permission to use databases or tables.</p>
<ul id="mrs_01_0948__u20ece97be92e45b39631a7db4b4adc36"><li id="mrs_01_0948__l1f8592bda1094e428b7276df08504289">Hive metadata permission<p id="mrs_01_0948__a007222cb033d42d498bc4e7728e0a665"><a name="mrs_01_0948__l1f8592bda1094e428b7276df08504289"></a><a name="l1f8592bda1094e428b7276df08504289"></a>Similar to traditional relational databases, a Hive database in MRS supports the <strong id="mrs_01_0948__b1296017483410">CREATE</strong> and <strong id="mrs_01_0948__b6120555184119">SELECT</strong> permissions, and Hive tables and columns support the <strong id="mrs_01_0948__b8335153054315">SELECT</strong>, <strong id="mrs_01_0948__b13911628184318">INSERT</strong>, and <strong id="mrs_01_0948__b195861625204317">DELETE</strong> permissions. Hive also supports the <strong id="mrs_01_0948__b12218019122112">OWNERSHIP</strong> permission and the <strong id="mrs_01_0948__b67549309219">Hive Admin Privilege</strong>.</p>
<div class="note" id="mrs_01_0948__n6dcff4b2d329482a8b61d3b51a762fc6"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="mrs_01_0948__a897939c9e2ca4afa9a590dd53e3635c0">The <strong id="mrs_01_0948__b182334219189">UPDATE</strong> and <strong id="mrs_01_0948__b93676455187">DELETE</strong> operations on Hive tables and columns can be performed only when <strong id="mrs_01_0948__b817817411918">ACID</strong> is enabled.</p>
</div></div>
</li></ul>
<ul id="mrs_01_0948__ue39d638dc77b4157a6ae161210c95d13"><li id="mrs_01_0948__lb4c2a5eeff02422fb510c80c4c5cd1ff">Hive data file permission, also known as HDFS file permission<p id="mrs_01_0948__a07b63b57387043aeb6baa4b3f356eb64"><a name="mrs_01_0948__lb4c2a5eeff02422fb510c80c4c5cd1ff"></a><a name="lb4c2a5eeff02422fb510c80c4c5cd1ff"></a>Hive database and table files are stored in HDFS. By default, created databases and tables are saved in the <strong id="mrs_01_0948__b740919494818">/user/hive/warehouse</strong> directory of HDFS, where the system automatically creates subdirectories named after the database and table names. To access a database or a table, the corresponding file permissions (read, write, and execute) on HDFS are required.</p>
<div class="note" id="mrs_01_0948__note17490111295613"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_0948__p349091220560">MRS 3.<em id="mrs_01_0948__i679824143510">x</em> supports multiple Hive instances. In the multi-instance scenario, the directory is <strong id="mrs_01_0948__b1699248102710">/user/hive<em id="mrs_01_0948__i19486407272">n</em></strong><strong id="mrs_01_0948__b18452155219276">/warehouse</strong> (<em id="mrs_01_0948__i9642154316272">n</em>=1–4).</p>
</div></div>
</li></ul>
<p id="mrs_01_0948__a7e236387a3f04c618a959194b27f83bd">To perform operations on Hive databases or tables, the metadata permission must be associated with the matching HDFS file permission. For example, to query Hive data tables, you need to associate the metadata permission <strong id="mrs_01_0948__b2114556125114">SELECT</strong> with the HDFS file permissions <strong id="mrs_01_0948__b6138119135210">Read</strong> and <strong id="mrs_01_0948__b112112120522">Write</strong>.</p>
<p id="mrs_01_0948__ab4eb41e177ef420e9f91ffc1fc4e4eb4">When you use the role management function of the Manager GUI to manage permissions on Hive databases and tables, you only need to configure the metadata permission; the system automatically associates and configures the corresponding HDFS file permission. This simplifies operations on the interface and improves efficiency.</p>
</div>
<div class="section" id="mrs_01_0948__s1ef258d542f641aabf70d0f63d33182a"><h4 class="sectiontitle">Hive Users</h4><p id="mrs_01_0948__ad5faf97c98e749a6951265e827a38aeb">MRS provides users and roles for working with Hive, for example, creating tables, inserting data into tables, and querying tables. Hive defines the <strong id="mrs_01_0948__b142121930195513">USER</strong> class, which corresponds to user instances, and the <strong id="mrs_01_0948__b888225911559">GROUP</strong> class, which corresponds to role instances.</p>
<p id="mrs_01_0948__ac134187fd72d469098a06ca32ef95a69">You can use Manager to set permissions for Hive users. This method supports setting permissions only on roles; a user or user group obtains the permissions only after the role is bound to it. Hive users can be granted Hive administrator permissions and permissions to access databases, tables, and columns.</p>
</div>
<div class="section" id="mrs_01_0948__seda50dc2d2b74d21b9a710d7bef72d04"><h4 class="sectiontitle">Hive Usage Scenarios and Related Permissions</h4><p id="mrs_01_0948__a1c313af0b9b545f1851cdb40ac4f5ae7">To create a database in Hive, a user only needs to be a member of the <strong id="mrs_01_0948__b491527417">hive</strong> group; no role needs to be granted. Users have all permissions on the databases and tables they create themselves, in both Hive and HDFS. They can create tables; select, delete, insert, or update data; and grant permissions to other users so that those users can access the tables and the corresponding HDFS directories and files.</p>
<p id="mrs_01_0948__acc1bf99534294783b6f7354f327270d5">A user can access tables or databases only with the corresponding permissions. The permissions a user requires vary according to the Hive usage scenario.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_0948__t01b883f38e7d4696bdb512d4f2237835" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Hive usage scenarios</caption><thead align="left"><tr id="mrs_01_0948__reb663ac442c14ab682c4e9495f5f5f62"><th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.6.4.2.3.1.1"><p id="mrs_01_0948__a61b396fe479041a484ce1ab30c22fcf0">Typical Scenario</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.6.4.2.3.1.2"><p id="mrs_01_0948__a51678fdc9dd54d5eb200db415d2c7662">Permission</p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_0948__r1d137af076bd411eb3695d8451c7aaf2"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.6.4.2.3.1.1 "><p id="mrs_01_0948__af8322588ab76451ab2e680c39577ec1b">Using Hive tables, columns, or databases</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.6.4.2.3.1.2 "><p id="mrs_01_0948__a86f2387bab304e419d38ca5e52039faa">Permissions required in different scenarios are as follows:</p>
<ul id="mrs_01_0948__u0666fceface94eb780833cb09bb05f78"><li id="mrs_01_0948__ldc64cf35ebcd4987a4a78bac0027745d">To create tables, the <strong id="mrs_01_0948__b219023479">CREATE</strong> permission is required.</li><li id="mrs_01_0948__l98a7969996bc4de39604319388f5a0d0">To query data, the <strong id="mrs_01_0948__b1154471571">SELECT</strong> permission is required.</li><li id="mrs_01_0948__la4b31aedd1e849d18e2d8da9827fb2f3">To insert data, the <strong id="mrs_01_0948__b1491615590711">INSERT</strong> permission is required.</li><li id="mrs_01_0948__l5d3249e21b354a529f1c14b5f8e2a5e2">To delete data, the <strong id="mrs_01_0948__b172431223812">DELETE</strong> permission is required.</li></ul>
</td>
</tr>
<tr id="mrs_01_0948__r503524473aa14a6cbca5c5dfc639ded3"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.6.4.2.3.1.1 "><p id="mrs_01_0948__a7cd2daa7b58843e39af399d87480bc44">Associating and using other components</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.6.4.2.3.1.2 "><p id="mrs_01_0948__aa54989eeb73b43d49f0f0bfd629e4c26">In addition to Hive permissions, permissions of other components are required in some scenarios, for example:</p>
<ul id="mrs_01_0948__ub0da1ee04dba4b288be0bb57d554813a"><li id="mrs_01_0948__l6ab4138b44214a5badbf9ae02ae4617b">Yarn permissions are required when some HQL statements, such as <strong id="mrs_01_0948__b166111910101114">insert</strong>, <strong id="mrs_01_0948__b1962121416116">count</strong>, <strong id="mrs_01_0948__b86471420131110">distinct</strong>, <strong id="mrs_01_0948__b106041625181118">group by</strong>, <strong id="mrs_01_0948__b510263241119">order by</strong>, <strong id="mrs_01_0948__b11233163711115">sort by</strong>, and <strong id="mrs_01_0948__b6425124819112">join</strong>, are run. You are advised to grant Yarn permissions to the role of each Hive user.</li><li id="mrs_01_0948__le266a1399f3449478dda9f4091a0c973">HBase permission is required when Hive over HBase is used, for example, querying HBase table data in Hive.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
<p id="mrs_01_0948__a7395dc56db6c4aef838bf3361e16371f">In some special Hive usage scenarios, you need to configure other types of permission.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_0948__t6590f124ee7a4824b5b0b8ee36166845" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Hive authorization precautions</caption><thead align="left"><tr id="mrs_01_0948__r980eb41ca6b4406db32cf8f950f31fbb"><th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.6.6.2.3.1.1"><p id="mrs_01_0948__ae99ae04c8513446bbeb5b80b0324d5b9">Scenario</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.6.6.2.3.1.2"><p id="mrs_01_0948__a911e9fad67994fb7ba61161a0d1d8506">Permission</p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_0948__r4749d4bc541143f79a01310269384cfe"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.6.6.2.3.1.1 "><p id="mrs_01_0948__a34c287c5082b4aa8a75211ad6cb1da70">Creating Hive databases, tables, and external tables, or adding partitions to existing Hive tables or external tables, when the data files specified by the Hive user are saved in an HDFS directory other than <strong id="mrs_01_0948__b176546281418">/user/hive/warehouse</strong></p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.6.6.2.3.1.2 "><p id="mrs_01_0948__a80d885efab754d93bae4ff75cbb33fb2">The directory must already exist, the Hive user must be the owner of the directory, and the Hive user must have the read, write, and execute permissions on the directory. The user must also have the <strong id="mrs_01_0948__b08441452132817">read</strong> and <strong id="mrs_01_0948__b1884911567285">write</strong> permissions on all upper-layer directories of the directory. After a system administrator grants the Hive permission to the role, the HDFS permission is granted automatically.</p>
</td>
</tr>
<tr id="mrs_01_0948__r3e03fcfb5a8e46fdb0d695995ae3e53c"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.6.6.2.3.1.1 "><p id="mrs_01_0948__ac034a4ecd2f54211bf719512381b0274">Using <strong id="mrs_01_0948__b4636172571620">load</strong> to load data from all the files or specified files in a specified directory to Hive tables as a Hive user</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.6.6.2.3.1.2 "><ul id="mrs_01_0948__u799ea23e91ca41f488542966021d4e30"><li id="mrs_01_0948__led8d51ce75df4cff9ced80432aa9261a">The data source is a Linux local disk: the specified directory exists, and the system user <strong id="mrs_01_0948__b53761834810">omm</strong> has read and execute permission on the directory and on all its upper-layer directories. The specified file exists, and user <strong id="mrs_01_0948__b1830802701716">omm</strong> has read permission on the file and read and execute permission on all upper-layer directories of the file.</li><li id="mrs_01_0948__l191c5b2c50da4256a039fa03d3c20f6b">The data source is HDFS: the specified directory exists, and the Hive user is the owner of the directory, has read, write, and execute permission on the directory and its subdirectories, and has read and write permission on all its upper-layer directories. The specified file exists, and the Hive user is the owner of the file, has read, write, and execute permission on it, and has read and execute permission on all its upper-layer directories.</li></ul>
<div class="note" id="mrs_01_0948__nf495e95fdce342a6be90210365da9b2d"><span class="notetitle"> NOTE: </span><div class="notebody"><p class="textintable" id="mrs_01_0948__a4599f1348dcd418c88a0f276e7625330">When <strong id="mrs_01_0948__b107686118196">load</strong> is used to import data from a Linux local disk, the files must be placed on the HiveServer node on which the command is run, and their permissions must be modified accordingly. You are advised to run the command on a client; the HiveServer to which the client is connected can be determined from the client prompt. For example, if the Hive client displays <strong id="mrs_01_0948__b1230364211195">0: jdbc:hive2://10.172.0.43:21066/></strong>, the IP address of the connected HiveServer is 10.172.0.43.</p>
</div></div>
</td>
</tr>
<tr id="mrs_01_0948__r2a6bc0d02d0044caa345a0e039da51cc"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.6.6.2.3.1.1 "><p id="mrs_01_0948__a95be5a6aaa784a64b4ae599c23794fcd">Creating or deleting functions or modifying any database</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.6.6.2.3.1.2 "><p id="mrs_01_0948__a4270138e29584d0f8cdd5d477d28f379">The <strong id="mrs_01_0948__b1273511586218">Hive Admin Privilege</strong> is required.</p>
</td>
</tr>
<tr id="mrs_01_0948__r85974238956d46a486f59693a6550688"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.6.6.2.3.1.1 "><p id="mrs_01_0948__a87975f5bd5ec4b549b0e562a195e46fa">Performing operations on all databases and tables in Hive</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.6.6.2.3.1.2 "><p id="mrs_01_0948__ae1af0ec5f4094c2c91ee02a9578e6afb">The user must be added to the <strong id="mrs_01_0948__b51913314238">supergroup</strong> user group and granted <strong id="mrs_01_0948__b2038119259239">Hive Admin Privilege</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
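As an added example (not part of the MRS documentation or its tooling), the following Python checks the HDFS-side preconditions that the first row of Table 2 states for a Hive location outside the warehouse, and that the earlier text describes as the HDFS half of the permission model: the target directory must exist and be owned by the Hive user with read, write, and execute permission, and every upper-layer directory must grant that user read and write. The listing, user and group names are constructed in the style of `hdfs dfs -ls -d` output, and the class-based permission check deliberately ignores HDFS ACLs and the HDFS superuser.

```python
from pathlib import PurePosixPath

# Constructed sample of `hdfs dfs -ls -d <path>` output; not from a real cluster.
SAMPLE_LISTING = """\
drwxrwxr-x   - hdfs  hive 0 2024-01-01 00:00 /
drwxrwxr-x   - hdfs  hive 0 2024-01-01 00:00 /data
drwxrwx---   - hdfs  hive 0 2024-01-01 00:00 /data/external
drwxrwx---   - alice hive 0 2024-01-01 00:00 /data/external/sales
drwxr-x---   - bob   hive 0 2024-01-01 00:00 /data/external/hr
"""


def parse_listing(text):
    """Map each path to (mode, owner, group) from hdfs ls-style lines."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        # fields: perms, replication, owner, group, size, date, time, path
        perms, _, owner, group, _, _, _, path = line.split(None, 7)
        entries[path] = (perms[1:], owner, group)
    return entries


def effective_perms(entry, user, groups):
    """Bits the user gets via the owner/group/other class; ignores HDFS ACLs and superuser."""
    mode, owner, group = entry
    bits = mode[0:3] if owner == user else mode[3:6] if group in groups else mode[6:9]
    return set(bits) - {"-"}


def check_custom_location(listing, path, user, groups):
    """Failed preconditions (Table 2, row 1) for a Hive location outside the warehouse."""
    entry = listing.get(path)
    if entry is None:
        return [f"{path} does not exist"]
    problems = []
    if entry[1] != user:
        problems.append(f"{path} is owned by {entry[1]}, not {user}")
    missing = {"r", "w", "x"} - effective_perms(entry, user, groups)
    if missing:
        problems.append(f"{path} lacks {''.join(sorted(missing))} for {user}")
    for parent in map(str, PurePosixPath(path).parents):  # every upper-layer directory
        pentry = listing.get(parent)
        if pentry is None:
            problems.append(f"{parent} is not in the listing")
            continue
        pmissing = {"r", "w"} - effective_perms(pentry, user, groups)
        if pmissing:
            problems.append(f"{parent} lacks {''.join(sorted(pmissing))} for {user}")
    return problems
```

An empty result means the location satisfies the stated preconditions for the given user; each entry in a non-empty result names the directory and the missing condition, which is what an operator would need to fix before granting the Hive permission.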
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="mrs_01_0947.html">Permission Management</a></div>
</div>
</div>