
AMBARI-5289 HiveServer2 default security configuration changes (dsen)

Dmitry Sen hai 11 anos
pai
achega
85ecb9a48f

+ 1 - 1
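--- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/hive.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/hive.py
@@ -97,7 +97,7 @@ def hive(name=None):
   elif name == 'hiveserver2':
     File(params.start_hiveserver2_path,
          mode=0755,
-         content=StaticFile('startHiveserver2.sh')
+         content=Template(format('{start_hiveserver2_script}'))
     )
 
   if name != "client":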
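Review bot: `Template(format('{start_hiveserver2_script}'))` routes a plain parameter through string interpolation only to read it back out; the neighbouring argument already references `params.start_hiveserver2_path` directly, so the consistent form is `content=Template(params.start_hiveserver2_script)`. The format() indirection also hides which `params` attribute the template name comes from when grepping for callers. The enclosing `hive()` function starts before and continues after this hunk.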

+ 4 - 1
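--- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/params.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/scripts/params.py
@@ -74,7 +74,7 @@ hive_pid = status_params.hive_pid
 hive_database_name = config['configurations']['global']['hive_database_name']
 
 #Starting hiveserver2
-start_hiveserver2_script = 'startHiveserver2.sh'
+start_hiveserver2_script = 'startHiveserver2.sh.j2'
 
 hadoop_home = '/usr'
 
@@ -172,6 +172,9 @@ tez_user = config['configurations']['global']['tez_user']
 hive_exec_jar_path = '/usr/lib/hive/lib/hive-exec.jar'
 hive_exec_hdfs_path = default('/configurations/hive-site/hive.jar.directory', '/apps/hive/install')
 
+# Hive security
+hive_authorization_enabled = config['configurations']['hive-site']['hive.security.authorization.enabled']
+
 import functools
 #create partial functions with common arguments for every HdfsDirectory call
 #to create hdfs directory we need to call params.HdfsDirectory in code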
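Review bot: The new `hive_authorization_enabled` line indexes the config dict directly, so a stack whose hive-site omits `hive.security.authorization.enabled` raises KeyError while `params` is imported, which takes every Hive command down with it, not just HiveServer2 start. Two lines above, the same file reads an optional hive-site key through `default(...)`, and this property is only added to the 2.1 hive-site in this commit, so the same guard fits here: `hive_authorization_enabled = default('/configurations/hive-site/hive.security.authorization.enabled', False)`. Whatever default is chosen should be the value the `startHiveserver2.sh.j2` template compares against, since a mismatch between the two silently disables the authenticator option.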

+ 7 - 1
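--- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/files/startHiveserver2.sh
+++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/templates/startHiveserver2.sh.j2
@@ -18,5 +18,11 @@
 # under the License.
 #
 #
-HIVE_CONF_DIR=$4 /usr/lib/hive/bin/hiveserver2 -hiveconf hive.metastore.uris=' ' > $1 2> $2 &
+
+# HiveServer 2 -hiveconf options
+if [ {{hive_authorization_enabled}} == True ]; then
+  export HIVE_SERVER2_OPTS=" -hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator "
+fi
+
+HIVE_CONF_DIR=$4 /usr/lib/hive/bin/hiveserver2 $HIVE_SERVER2_OPTS > $1 2> $2 &
 echo $!|cat>$3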
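Review bot: The guard `if [ {{hive_authorization_enabled}} == True ]` only fires when Jinja renders the literal `True`; the value is read from hive-site, where this same commit writes it as the lowercase string `true`, so if it reaches the template unconverted the test fails and `HIVE_SERVER2_OPTS` is never exported, leaving HiveServer2 up with authorization enabled but the authenticator manager unset. The operand is also unquoted, so an empty value produces `[ == True ]` and a shell syntax error, and `==` inside `[ ]` is a bash extension rather than the POSIX `=`. I would quote the operand and accept both spellings: `if [ "{{hive_authorization_enabled}}" = "true" ] || [ "{{hive_authorization_enabled}}" = "True" ]; then`. The removed line also dropped `-hiveconf hive.metastore.uris=' '`; if that was deliberate it deserves a comment above the new invocation, since the start line is now the only place the metastore wiring was visible. The shebang and license header precede the hunk.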

+ 8 - 3
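--- a/ambari-server/src/main/resources/stacks/HDP/2.1/services/HIVE/configuration/hive-site.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.1/services/HIVE/configuration/hive-site.xml
@@ -108,13 +108,13 @@ limitations under the License.
 
   <property>
     <name>hive.security.authorization.enabled</name>
-    <value>false</value>
+    <value>true</value>
     <description>enable or disable the hive client authorization</description>
   </property>
 
   <property>
     <name>hive.security.authorization.manager</name>
-    <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
+    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
     <description>the hive client authorization manager class name.
     The user defined authorization class should implement interface org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider.  </description>
   </property>
@@ -133,7 +133,7 @@ limitations under the License.
 
   <property>
     <name>hive.server2.enable.doAs</name>
-    <value>true</value>
+    <value>false</value>
     <description>Impersonate the connected user. By default HiveServer2 performs the query processing as the user who
       submitted the query. But if the parameter is set to false, the query will run as the user that the hiveserver2
       process runs as.
@@ -480,5 +480,10 @@ limitations under the License.
     <description>Number of aborted transactions involving a particular table or partition before major compaction is initiated.</description>
   </property>
 
+  <property>
+    <name>hive.users.in.admin.role</name>
+    <value></value>
+    <description>If user is specified as value of this config, that user has superuser privileges in DB</description>
+  </property>
 
 </configuration>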
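Review bot: The description retained under `hive.security.authorization.manager` still says the class "should implement interface org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider", but the new value `SQLStdHiveAuthorizerFactory` is a plugin factory, not a provider, so the text now contradicts the value; it should name the factory interface the plugin-style manager is expected to implement. The new `hive.users.in.admin.role` ships empty, which by its own description means no account holds admin privileges, and as far as I recall SQL standard authorization needs an admin-role member before any role can be granted, so the description should say that an operator must list at least one user; something like `Comma-separated list of users granted the Hive admin role. Leave empty to grant no one admin privileges; at least one user is required to administer roles under SQL standard authorization.` Flipping `hive.server2.enable.doAs` to false in the same change means every query now runs as the HiveServer2 service user, so the per-user file access that impersonation previously enforced rests entirely on the authorizer; whether the metastore-side authorization manager is configured to match is not visible in this hunk and is worth confirming.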

+ 2 - 2
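--- a/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py
+++ b/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_server.py
@@ -279,7 +279,7 @@ class TestHiveServer(RMFTestCase):
       not_if = '[ -f DBConnectionVerification.jar]',
     )
     self.assertResourceCalled('File', '/tmp/start_hiveserver2_script',
-      content = StaticFile('startHiveserver2.sh'),
+      content = Template('startHiveserver2.sh.j2'),
       mode = 0755,
     )
     self.assertResourceCalled('Directory', '/var/run/hive',
@@ -372,7 +372,7 @@ class TestHiveServer(RMFTestCase):
       not_if = '[ -f DBConnectionVerification.jar]',
     )
     self.assertResourceCalled('File', '/tmp/start_hiveserver2_script',
-      content = StaticFile('startHiveserver2.sh'),
+      content = Template('startHiveserver2.sh.j2'),
       mode = 0755,
     )
     self.assertResourceCalled('Directory', '/var/run/hive',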