Using Qubole Hive Authorization

Understanding Qubole Hive Authorization describes Hive authorization, privileges, and known issues. Hive Authorization is not enabled in QDS by default. To enable it for your account, create a Qubole Support ticket.

Once Qubole has enabled Hive Authorization in your account, QDS sets hive.security.authorization.enabled to true, and adds it to Hive’s Restricted List. This prevents users from bypassing Hive authorization when they run a query. If you later want to change the setting of hive.security.authorization.enabled at the cluster level, you can do so in the QDS UI: set it in the Override Hive Configuration field in the Hive Settings section under the Advanced Configuration tab of a Hadoop (Hive) cluster, then restart the cluster. To change the setting at the account level, create a Qubole support ticket.

• To use Hive tables, use <username>@<emaildomain.com> as the login username; for example, if your username is user1, log in as user1@xyz.com. The default password is empty.
• QDS Hive has two users, user and admin as in open-source Hive, and two default roles, public and admin.
• The admin user can create custom roles in addition to the default roles (for example, a role called finance).
• As an admin, you can grant these roles to users.
• The admin can also grant privileges to users as described in Understanding Privileges for Users and Roles. For example, you can grant SELECT and INSERT privilege to the finance role for the default_qubole_memtracker table.
• You can set hive.qubole.authz.strict.show.tables=true as a Hadoop override on the Cluster page of the QDS UI, to allow users to see only tables they have SELECT access to when they run SHOW TABLES.