Using Qubole Hive Authorization¶
Understanding Qubole Hive Authorization describes Hive authorization, privileges, and known issues. Hive Authorization is not enabled in QDS by default. To enable it for your account, create a Qubole Support ticket.
Once Qubole has enabled Hive Authorization in your account, QDS sets
and adds it to Hive’s
This prevents users from bypassing Hive authorization when they run a query. If you later want to change the setting of
hive.security.authorization.enabled at the cluster level, you can do so in the QDS UI: set it in the
Override Hive Configuration field in the Hive Settings section under the Advanced Configuration tab of a
Hadoop (Hive) cluster, then restart the cluster. To change the setting at the account level,
create a Qubole support ticket.
To use Hive tables, use <username>@<emaildomain.com> as the login username; for example, if your username is
user1, log in as
firstname.lastname@example.org. The default password is empty.
QDS Hive has two users, user and admin as in open-source Hive, and two default roles, public and admin.
The two roles are as shown in the following figure. See also Understanding Privileges for Users and Roles.
The admin user can create custom roles in addition to the default roles (for example, a role called finance).
As an admin, you can grant these roles to users.
Check all users who have been granted a specific role:
The admin can also grant privileges to users as described in Understanding Privileges for Users and Roles. For example, you can grant
INSERTprivilege to the finance role for the
You can set
hive.qubole.authz.strict.show.tables=trueas a Hadoop override on the Cluster page of the QDS UI, to allow users to see only tables they have
SELECTaccess to when they run
Check the roles granted to you:
Once you have
SELECTaccess to a table, you can run a
SELECTquery on that table.
You cannot use a table for which you have no
SELECTprivilege. The following figure shows an example of a restricted
SELECTprivilege with the error message in the Analyze query composer’s Results tab:
Check the logs for the specific reason behind the unsuccessful query result. The following figure shows the logs with the exact cause for an unsuccessful query: