How to Restrict Users From Updating Hive Settings


As an administrator managing a Hive cluster, you sometimes need to restrict users from updating certain Hive settings from the client side. One particular example is mapred.job.queue.name, or its newer name mapreduce.job.queuename, where we might not want users to blindly submit jobs to any queue in YARN.

To achieve this, Hive provides a setting on the HiveServer2 side: every configuration name listed in it becomes final, so no client can override it. This setting is called hive.conf.restricted.list and was introduced in Hive 0.11.0. It contains different values in different versions of Apache Hive, and the same applies to Hive in the CDH distribution.

To add mapred.job.queue.name/mapreduce.job.queuename to the list, follow the steps below (assuming that you are using Cloudera Manager to manage your cluster).

1. Log in to beeline and run the query below:

SET hive.conf.restricted.list;

It should return the current list of restricted settings on HiveServer2. In my cluster, it returned the list below:

+----------------------------------------------------+--+
|                        set                         |
+----------------------------------------------------+--+
| hive.conf.restricted.list=hive.security.authenticator.manager,hive.security.authorization.manager,hive.users.in.admin.role,spark.home |
+----------------------------------------------------+--+
1 row selected (0.157 seconds)

2. Copy the value returned above for this configuration; it will be used later.

3. Go to Cloudera Manager > Hive > Configuration > locate “HiveServer2 Advanced Configuration Snippet (Safety Valve) for hive-site.xml”

4. Enter the values below:

Name: hive.conf.restricted.list
Value: {value_from_step2},mapred.job.queue.name,mapreduce.job.queuename
Description: Comma separated list of configuration options which are immutable at runtime

5. Save, then restart HiveServer2 for the changes to take effect.

6. Confirm that the setting has been updated by logging back in to beeline and running the same SET command again:

set hive.conf.restricted.list;
+----------------------------------------------------+--+
|                        set                         |
+----------------------------------------------------+--+
| hive.conf.restricted.list=mapred.job.queue.name,mapreduce.job.queuename,hive.security.authenticator.manager,hive.security.authorization.manager,hive.users.in.admin.role,spark.home |
+----------------------------------------------------+--+
1 row selected (0.157 seconds)

7. Finally, confirm that you can no longer update mapred.job.queue.name:

> SET mapred.job.queue.name=test;
Error: Error while processing statement: Cannot modify mapred.job.queue.name at runtime. It is in the listof parameters that can't be modified at runtime (state=42000,code=1)
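
Steps 2, 4 and 6 can be scripted so that no existing entry is lost when the list is overridden. The following is an added example, not code from the original post: it parses the table that beeline prints for the SET command, appends the two queue settings without duplicates, renders the step 4 entry as a hive-site.xml property, and reports which required keys are still absent. The function names and the BEFORE sample (copied from the step 1 output above) are assumptions made for this example.

```python
import re
from xml.sax.saxutils import escape

PROP = "hive.conf.restricted.list"
# The two queue settings this page adds to the restricted list.
REQUIRED = ["mapred.job.queue.name", "mapreduce.job.queuename"]

def parse_restricted_list(beeline_output):
    """Return the keys from the table row printed by `SET hive.conf.restricted.list;`."""
    row = re.compile(r"^\|\s*" + re.escape(PROP) + r"=(.*?)\s*\|\s*$")
    for line in beeline_output.splitlines():
        m = row.match(line.strip())
        if m:
            return [k.strip() for k in m.group(1).split(",") if k.strip()]
    raise ValueError(f"no '{PROP}=' row found in beeline output")

def merge(current, extra=REQUIRED):
    """Append missing keys; keep every existing entry and drop duplicates."""
    merged = []
    for key in list(current) + list(extra):
        if key not in merged:
            merged.append(key)
    return merged

def missing(beeline_output, required=REQUIRED):
    """Step 6 check: which required keys are still absent from the live list?"""
    live = set(parse_restricted_list(beeline_output))
    return [k for k in required if k not in live]

def hive_site_property(keys):
    """Render the step 4 entry as a hive-site.xml <property> element."""
    return (
        "<property>\n"
        f"  <name>{PROP}</name>\n"
        f"  <value>{escape(','.join(keys))}</value>\n"
        "</property>"
    )

# Constructed sample: the step 1 output shown on this page.
BEFORE = """\
+----------------------------------------------------+--+
|                        set                         |
+----------------------------------------------------+--+
| hive.conf.restricted.list=hive.security.authenticator.manager,hive.security.authorization.manager,hive.users.in.admin.role,spark.home |
+----------------------------------------------------+--+
"""

if __name__ == "__main__":
    print(hive_site_property(merge(parse_restricted_list(BEFORE))))
    print("missing before the change:", missing(BEFORE))
```

After the restart in step 5, feed the new beeline output to missing(); an empty list means both queue settings are now restricted.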
