Configuring User Impersonation with Hive

As of Drill version 1.1, you can configure Drill impersonation to work with Hive impersonation to authorize access to metadata in the Hive metastore repository and data in the Hive warehouse. Drill impersonation works with Hive when Hive has impersonation enabled and, optionally, storage based or SQL standard based authorization enabled. Drill impersonation can also work with Hive when the Hive metastore has Kerberos enabled on a secure cluster. Currently, Drill does not support Hive configured with Sentry authorization.

Storage Based Authorization

Hive storage based authorization is a remote metastore server security feature that uses the underlying file system permissions to determine permissions on databases, tables, and partitions. The permissions a user or group has on directories in the file system determine access to data. Because the file system controls access at the directory and file level, storage based authorization cannot control access to data at the column or view level.

You manage user and group privileges through permissions and access controls in the distributed file system. DDL statements that manage permissions, such as GRANT and REVOKE, do not have any effect on permissions in the storage based authorization model.
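
The following is an added illustration, not code from the Drill or Hive documentation: a simplified Python model of how storage based authorization reduces a table-level decision to directory permissions. The paths, users, groups, and the mapping of operations to permission bits are constructed assumptions, not Hive's exact rules.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class DirEntry:
    owner: str
    group: str
    mode: int  # POSIX permission bits, e.g. 0o750

# Constructed sample layout (not from the page): one database, two tables.
WAREHOUSE = {
    "/user/hive/warehouse/sales.db": DirEntry("hive", "analysts", 0o750),
    "/user/hive/warehouse/sales.db/orders": DirEntry("alice", "analysts", 0o750),
    "/user/hive/warehouse/sales.db/payroll": DirEntry("alice", "hr", 0o750),
}

R, W, X = 4, 2, 1
# Assumption: simplified mapping of operations to directory permissions.
REQUIRED = {"SELECT": R | X, "INSERT": W | X}

def effective_bits(entry, user, groups):
    """Pick the owner, group, or other permission triplet that applies."""
    if user == entry.owner:
        return (entry.mode >> 6) & 7
    if entry.group in groups:
        return (entry.mode >> 3) & 7
    return entry.mode & 7

def authorize(operation, table_dir, user, groups):
    """Decide access from directory permissions alone.

    There is no column or view argument: the file system cannot express one,
    and GRANT/REVOKE statements never change the entries consulted here.
    """
    path = PurePosixPath(table_dir)
    # The user must be able to traverse every known ancestor directory,
    # such as the database directory that contains the table.
    for parent in path.parents:
        entry = WAREHOUSE.get(str(parent))
        if entry is not None and not (effective_bits(entry, user, groups) & X):
            return False
    need = REQUIRED[operation]
    return (effective_bits(WAREHOUSE[str(path)], user, groups) & need) == need
```

In this model a member of the hr group is still denied access to the payroll table, because the database directory above it grants nothing to users outside the analysts group.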

For more information, see Storage Based Authorization in the Metastore Server.

SQL Standard Based Authorization

The SQL standard based authorization model can control which users have access to columns, rows, and views. SQL standard based authorization is configured in HiveServer2 and enforced during query processing. Users with the appropriate permissions can issue the GRANT and REVOKE statements to manage privileges from Hive.

For more information, see SQL Standard Based Hive Authorization.

Prerequisites

To configure user impersonation with Hive, the system must meet the following requirements:

Configuration

Complete the following steps to configure Drill impersonation to work with Hive in a secure or insecure MapR cluster: