Hi, Udit

Unfortunately, users need the write permission to the folder to create
external tables. Some current administrators may rely on the specification.
It was discussed in HIVE-12231 and HIVE-12232. But in my opinion, it makes
sense to let users create external tables if they have the read permission.

Thanks,
Takanobu

2016-04-13 7:42 GMT+09:00 Udit Mehta <ume...@groupon.com>:

> Hi all,
>
> I wanted to understand what authorization model is most suitable for a
> production environment where most of the data is shared between multiple
> teams and users.
> I know this would depend more on the use case but I can't seem to figure
> out the best model for our use:
>
> We have data that is owned by a certain process (R/W access for that user)
> while other users only have Read access to that data. We have a lot of
> instances when users would want to create external tables pointing to this
> data. We tried the following 3 auth models:
>
> 1. *Default Authorization model*: This we think is less secure and any
> user can grant himself access to create/modify tables and databases even
> where they are not supposed to. We would want to have much tighter security
> than this model provides.
>
> 2. *Storage Based Authorization*: While this helps us by preventing users
> from modifying metadata by checking the HDFS permissions of the underlying
> directories, it prevents our most important use case of letting users
> create *external* tables on data they don't have write access to. I would
> assume external tables won't actually delete the data when dropping
> tables/partitions so this operation should be allowed. But because it is
> not, even this authorization model does not meet our use case.
>
> 3. *SQL Standard Based Authorization*: This does give us fine-grained
> control over which users can perform specific commands, but when it comes
> to creating external tables, even this authorization scheme seems to use
> the filesystem's permissions.
>
> So overall all 3 models didn't seem to fulfill our requirement here which I
> think would be a fairly common one. I want to know how other users manage
> security on Hive or if I am missing something.
>
> Thanks in advance,
> Udit
>
