Using Qubole Hive Authorization

Understanding Qubole Hive Authorization describes Hive authorization, privileges, and known issues. Hive Authorization is not enabled in QDS by default. To enable it for your account, create a Qubole Support ticket.

Once Qubole has enabled Hive Authorization in your account, QDS sets hive.security.authorization.enabled to true, and adds it to Hive’s Restricted List. This prevents users from bypassing Hive authorization when they run a query. If you later want to change the setting of hive.security.authorization.enabled at the cluster level, you can do so in the QDS UI: set it in the Override Hive Configuration field in the Hive Settings section under the Advanced Configuration tab of a Hadoop 2 (Hive) cluster, then restart the cluster. To change the setting at the account level, create a Qubole support ticket.

  • To use Hive tables, use <username>@<emaildomain.com> as the login username; for example, if your username is user1, log in as user1@xyz.com. The default password is empty.

  • QDS Hive has two users, user and admin as in open-source Hive, and two default roles, public and admin.

    The two roles are as shown in the following figure. See also Understanding Privileges for Users and Roles.

    ../../../_images/SetHiveRole.png
  • The admin user can create custom roles in addition to the default roles (for example, a role called finance).

    ../../../_images/CreateHiveRole.png
  • As an admin, you can grant these roles to users.

    ../../../_images/GrantRoletoUserinHive.png

    Check all users who have been granted a specific role:

    ../../../_images/CheckRolePrivilegesinHive.png
  • The admin can also grant privileges to users as described in Understanding Privileges for Users and Roles. For example, you can grant SELECT and INSERT privilege to the finance role for the default_qubole_memtracker table.

    ../../../_images/GrantPrivilegestoRoleinHive.png
  • You can set hive.qubole.authz.strict.show.tables=true as a Hadoop override on the Cluster page of the QDS UI, to allow users to see only tables they have SELECT access to when they run SHOW TABLES.

    Check the roles granted to you:

    ../../../_images/CheckUserRolesinHive.png

    Once you have SELECT access to a table, you can run a SELECT query on that table.

    ../../../_images/SuccessfulSelectQuery.png

    You cannot use a table for which you have no SELECT privilege. The following figure shows an example of a restricted SELECT privilege with the error message in the Analyze query composer’s Results tab:

    ../../../_images/RestrictedTableAccess.png

    Check the logs for the specific reason behind the unsuccessful query result. The following figure shows the logs with the exact cause for an unsuccessful query:

    ../../../_images/FailedQueryLogs.png