Tidying up a draft from two years ago.
In the current version, Hive's authorization mainly guards against users' accidental operations; it does not prevent unauthorized access or malicious tampering.
Modify the configuration file as follows:
<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>enable or disable the hive client authorization</description>
</property>
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
  <description>the privileges automatically granted to the owner whenever a table gets created.
  An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
</property>
Note that the parameter whose value is set to ALL above is empty by default, which means a user starts out with no privileges at all.
The authorization model consists of users, groups, roles and privileges, much like the permission management of other software: a group is a collection of users, and a role is a collection of privileges.
Create/Drop Role
CREATE ROLE role_name
DROP ROLE role_name
Grant/Revoke Roles
GRANT ROLE role_name [, role_name] ... TO principal_specification [, principal_specification] ...
REVOKE ROLE role_name [, role_name] ... FROM principal_specification [, principal_specification] ...
principal_specification
: USER user
| GROUP group
| ROLE role
Viewing Granted Roles
SHOW ROLE GRANT principal_specification
Privileges
Hive supports the following privileges:
- ALL - Gives users all privileges
- ALTER - Allows users to modify the metadata of an object
- UPDATE - Allows users to modify the physical data of an object
- CREATE - Allows users to create objects. For a database, this means users can create tables, and for a table, this means users can create partitions
- DROP - Allows users to drop objects
- INDEX - Allows users to create indexes on an object (Note: this is not currently implemented)
- LOCK - Allows users to lock or unlock tables when concurrency is enabled
- SELECT - Allows users to access data for objects
- SHOW_DATABASE - Allows users to view available databases
Grant/Revoke Privileges
GRANT
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
[ON object_type]
TO principal_specification [, principal_specification] ...
[WITH GRANT OPTION]
REVOKE
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
[ON object_type priv_level]
FROM principal_specification [, principal_specification] ...
REVOKE ALL PRIVILEGES, GRANT OPTION
FROM user [, user] ...
object_type:
TABLE
| DATABASE
priv_level:
db_name
| tbl_name
Viewing Granted Privileges
SHOW GRANT principal_specification
[ON object_type priv_level [(column_list)]]
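The following is an added example, not code from the original post or from the Hive wiki, that walks through the role and privilege statements above in one legacy-mode session (hive.security.authorization.enabled=true). The database "sales", tables "orders" and "customers", users "alice" and "bob", group "analysts" and role "reporting" are assumed names chosen for illustration.

```sql
-- Added example (not part of the original post or the Hive wiki). All object,
-- user, group and role names below are assumptions chosen for illustration.
USE sales;

-- 1. A role is a set of privileges: create one per job function.
CREATE ROLE reporting;

-- 2. Grant privileges to the role rather than to individual users.
--    Table-level read access:
GRANT SELECT ON TABLE orders TO ROLE reporting;
--    Column-level access: priv_type(column_list) limits the role to named columns,
--    so it can read part of a row without the whole table.
GRANT SELECT(customer_id, region) ON TABLE customers TO ROLE reporting;

-- 3. Attach the role to a principal. GROUP membership comes from the user's
--    Hadoop groups, so new analysts inherit the role without extra grants.
GRANT ROLE reporting TO GROUP analysts;

-- 4. WITH GRANT OPTION lets the grantee delegate the privilege to others; each
--    such grant widens the set of people who can hand out access, so keep it rare.
GRANT SELECT ON TABLE orders TO USER alice WITH GRANT OPTION;

-- 5. A database-level CREATE lets the principal create tables in that database.
GRANT CREATE ON DATABASE sales TO USER bob;

-- 6. Verify what is actually in effect; each form narrows the listing.
SHOW ROLE GRANT GROUP analysts;                   -- roles held by the group
SHOW GRANT ROLE reporting ON TABLE orders;        -- what the role may do on one table
SHOW GRANT USER alice;                            -- everything granted directly to alice
SHOW GRANT USER alice ON TABLE orders;            -- the grant, including its grant option

-- 7. Revocation: take back a single privilege, detach a role, or strip a user
--    of every privilege together with the right to delegate.
REVOKE CREATE ON DATABASE sales FROM USER bob;
REVOKE ROLE reporting FROM GROUP analysts;
REVOKE ALL PRIVILEGES, GRANT OPTION FROM alice;
DROP ROLE reporting;
```

Running the SHOW statements after every change is the cheap way to confirm that the grant landed on the intended principal and object before relying on it.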
Hive Operations and Required Privileges
As of the release of Hive 0.7, only these operations require permissions, according to org.apache.hadoop.hive.ql.plan.HiveOperation:
| Operation | ALTER | UPDATE | CREATE | DROP | INDEX | LOCK | SELECT | SHOW_DATABASE |
|---|---|---|---|---|---|---|---|---|
| LOAD | | X | | | | | | |
| EXPORT | | | | | | | X | |
| IMPORT | | X | X | | | | | |
| CREATE TABLE | | | X | | | | | |
| CREATE TABLE AS SELECT | | | X | | | | X | |
| DROP TABLE | | | | X | | | | |
| SELECT | | | | | | | X | |
| ALTER TABLE ADD COLUMN | X | | | | | | | |
| ALTER TABLE REPLACE COLUMN | X | | | | | | | |
| ALTER TABLE RENAME | X | | | | | | | |
| ALTER TABLE ADD PARTITION | X | | | | | | | |
| ALTER TABLE DROP PARTITION | X | | | | | | | |
| ALTER TABLE ARCHIVE | X | | | | | | | |
| ALTER TABLE UNARCHIVE | X | | | | | | | |
| ALTER TABLE SET PROPERTIES | X | | | | | | | |
| ALTER TABLE SET SERDE | X | | | | | | | |
| ALTER TABLE SET SERDEPROPERTIES | X | | | | | | | |
| ALTER TABLE CLUSTER BY | X | | | | | | | |
| ALTER TABLE PROTECT MODE | X | | | | | | | |
| ALTER PARTITION PROTECT MODE | X | | | | | | | |
| ALTER TABLE SET FILEFORMAT | X | | | | | | | |
| ALTER PARTITION SET FILEFORMAT | X | | | | | | | |
| ALTER TABLE SET LOCATION | X | | | | | | | |
| ALTER PARTITION SET LOCATION | X | | | | | | | |
| ALTER TABLE CONCATENATE | X | | | | | | | |
| ALTER PARTITION CONCATENATE | X | | | | | | | |
| SHOW DATABASES | | | | | | | | X |
| LOCK TABLE | | | | | | X | | |
| UNLOCK TABLE | | | | | | X | | |
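As an added example (not from the original post or the Hive wiki), the statements below turn the operation-to-privilege table into least-privilege roles: each role carries exactly the privileges its job function's operations need, so a principal that only loads data cannot also alter or drop tables. The database "warehouse", table "events", groups "etl", "analysts" and "dba" and the role names are assumptions chosen for illustration.

```sql
-- Added example (not part of the original post or the Hive wiki). Database,
-- table, group and role names are assumptions chosen for illustration.
USE warehouse;

-- ETL jobs run LOAD and IMPORT. Per the table, LOAD needs UPDATE and IMPORT
-- needs UPDATE plus CREATE (it may create the target table). Nothing else.
CREATE ROLE etl_writer;
GRANT UPDATE ON TABLE events TO ROLE etl_writer;
GRANT CREATE ON DATABASE warehouse TO ROLE etl_writer;
GRANT ROLE etl_writer TO GROUP etl;
-- Members of "etl" can now run, for example:
--   LOAD DATA INPATH '/staging/events' INTO TABLE events;   (UPDATE)
-- but DROP TABLE events or ALTER TABLE events ... are rejected, because
-- neither DROP nor ALTER was granted to the role.

-- Analysts run SELECT and EXPORT; both require only SELECT. SHOW DATABASES
-- additionally needs the global SHOW_DATABASE privilege (no ON clause).
CREATE ROLE reader;
GRANT SELECT ON TABLE events TO ROLE reader;
GRANT SHOW_DATABASE TO ROLE reader;
GRANT ROLE reader TO GROUP analysts;

-- Schema owners run the ALTER TABLE / ALTER PARTITION family, DROP TABLE and
-- LOCK/UNLOCK TABLE, which map to ALTER, DROP and LOCK respectively.
CREATE ROLE schema_owner;
GRANT ALTER, DROP, LOCK ON TABLE events TO ROLE schema_owner;
GRANT ROLE schema_owner TO GROUP dba;

-- Audit: each role should list only the privileges its function needs.
SHOW GRANT ROLE etl_writer ON TABLE events;
SHOW GRANT ROLE reader ON TABLE events;
SHOW GRANT ROLE schema_owner ON TABLE events;
```

Note that CREATE TABLE AS SELECT needs both CREATE on the database and SELECT on the source table, so a principal that builds derived tables must hold both; granting it through a dedicated role keeps that combination visible in SHOW GRANT output.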
Source: https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization