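Hive permission settings (partial translation)

Tidying up a draft from two years ago.


Permission management in the current Hive version mainly guards against user mistakes; it does not prevent unauthorized access or malicious damage.

Modify the configuration file as follows: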

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>enable or disable the hive client authorization</description>
</property>

<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
  <description>the privileges automatically granted to the owner whenever a table gets created. 
   An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
</property>
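
Note that the parameter set to ALL above is empty by default, which means a user starts out with no privileges at all.

The permission model consists of users, groups, roles, and privileges, much like permission management in other software: a group is a set of users, and a role is a set of privileges.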

Create/Drop Role

CREATE ROLE role_name

DROP ROLE role_name

Grant/Revoke Roles

GRANT ROLE role_name [, role_name] ...
TO principal_specification [, principal_specification] ...

REVOKE ROLE role_name [, role_name] ...
FROM principal_specification [, principal_specification] ...

principal_specification
  : USER user
  | GROUP group
  | ROLE role

Viewing Granted Roles

SHOW ROLE GRANT principal_specification

Privileges

Hive supports the following privileges:

  • ALL - Gives users all privileges
  • ALTER - Allows users to modify the metadata of an object
  • UPDATE - Allows users to modify the physical data of an object
  • CREATE - Allows users to create objects. For a database, this means users can create tables, and for a table, this means users can create partitions
  • DROP - Allows users to drop objects
  • INDEX - Allows users to create indexes on an object (Note: this is not currently implemented)
  • LOCK - Allows users to lock or unlock tables when concurrency is enabled
  • SELECT - Allows users to access data for objects
  • SHOW_DATABASE - Allows users to view available databases

Grant/Revoke Privileges

GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_type priv_level]
    TO principal_specification [, principal_specification] ...
    [WITH GRANT OPTION]

REVOKE
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_type priv_level]
    FROM principal_specification [, principal_specification] ...

REVOKE ALL PRIVILEGES, GRANT OPTION
    FROM user [, user] ...

object_type:
    TABLE
  | DATABASE

priv_level:
    db_name
  | tbl_name

Viewing Granted Privileges

SHOW GRANT principal_specification
[ON object_type priv_level [(column_list)]]

Hive Operations and Required Privileges

As of the release of Hive 0.7, only these operations require permissions, according to org.apache.hadoop.hive.ql.plan.HiveOperation:

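| Operation                       | ALTER | UPDATE | CREATE | DROP | INDEX | LOCK | SELECT | SHOW_DATABASE |
|---------------------------------|-------|--------|--------|------|-------|------|--------|---------------|
| LOAD                            |       | X      |        |      |       |      |        |               |
| EXPORT                          |       |        |        |      |       |      | X      |               |
| IMPORT                          | X     | X      |        |      |       |      |        |               |
| CREATE TABLE                    |       |        | X      |      |       |      |        |               |
| CREATE TABLE AS SELECT          |       |        | X      |      |       |      | X      |               |
| DROP TABLE                      |       |        |        | X    |       |      |        |               |
| SELECT                          |       |        |        |      |       |      | X      |               |
| ALTER TABLE ADD COLUMN          | X     |        |        |      |       |      |        |               |
| ALTER TABLE REPLACE COLUMN      | X     |        |        |      |       |      |        |               |
| ALTER TABLE RENAME              | X     |        |        |      |       |      |        |               |
| ALTER TABLE ADD PARTITION       |       |        | X      |      |       |      |        |               |
| ALTER TABLE DROP PARTITION      |       |        |        | X    |       |      |        |               |
| ALTER TABLE ARCHIVE             |       | X      |        |      |       |      |        |               |
| ALTER TABLE UNARCHIVE           |       | X      |        |      |       |      |        |               |
| ALTER TABLE SET PROPERTIES      | X     |        |        |      |       |      |        |               |
| ALTER TABLE SET SERDE           | X     |        |        |      |       |      |        |               |
| ALTER TABLE SET SERDE           | X     |        |        |      |       |      |        |               |
| ALTER TABLE SET SERDEPROPERTIES | X     |        |        |      |       |      |        |               |
| ALTER TABLE CLUSTER BY          | X     |        |        |      |       |      |        |               |
| ALTER TABLE PROTECT MODE        | X     |        |        |      |       |      |        |               |
| ALTER PARTITION PROTECT MODE    | X     |        |        |      |       |      |        |               |
| ALTER TABLE SET FILEFORMAT      | X     |        |        |      |       |      |        |               |
| ALTER PARTITION SET FILEFORMAT  | X     |        |        |      |       |      |        |               |
| ALTER TABLE SET LOCATION        |       | X      |        |      |       |      |        |               |
| ALTER PARTITION SET LOCATION    |       | X      |        |      |       |      |        |               |
| ALTER TABLE CONCATENATE         |       | X      |        |      |       |      |        |               |
| ALTER PARTITION CONCATENATE     |       | X      |        |      |       |      |        |               |
| SHOW DATABASES                  |       |        |        |      |       |      |        | X             |
| LOCK TABLE                      |       |        |        |      |       | X    |        |               |
| UNLOCK TABLE                    |       |        |        |      |       |      |        |               |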
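
A worked session that ties the statements above to the operations table, added here as an illustration and not taken from the original wiki page. The table, role and user names (orders, analyst, etl_writer, alice, bob) are hypothetical, and it assumes hive.security.authorization.enabled is set to true as in the configuration above.

```sql
-- Added example; every object and principal name here is hypothetical.
-- Assumes hive.security.authorization.enabled=true.

-- 1. A role is a set of privileges: one read-only role, one for data loading.
CREATE ROLE analyst;
CREATE ROLE etl_writer;

-- 2. Grant only what the operations table requires.
--    SELECT queries and EXPORT need the SELECT privilege.
GRANT SELECT ON TABLE orders TO ROLE analyst;
--    LOAD needs UPDATE; ALTER TABLE ADD PARTITION needs CREATE.
GRANT UPDATE, CREATE ON TABLE orders TO ROLE etl_writer;

-- 3. Attach the roles to principals (USER here; GROUP and ROLE also work).
GRANT ROLE analyst TO USER alice;
GRANT ROLE etl_writer TO USER bob;

-- 4. Review the result: which roles a user holds, and what each role
--    can do on the table.
SHOW ROLE GRANT USER alice;
SHOW ROLE GRANT USER bob;
SHOW GRANT ROLE analyst ON TABLE orders;
SHOW GRANT ROLE etl_writer ON TABLE orders;

-- 5. Withdraw access in reverse order: privilege, role membership, role.
REVOKE UPDATE, CREATE ON TABLE orders FROM ROLE etl_writer;
REVOKE ROLE etl_writer FROM USER bob;
DROP ROLE etl_writer;

-- After step 5, bob holds neither UPDATE nor CREATE on orders, so LOAD
-- and ALTER TABLE ADD PARTITION are rejected for him; alice keeps SELECT.
SHOW GRANT USER bob ON TABLE orders;
```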

Original: https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization