1. Show the Hive roles
hive> show roles;
FAILED: SemanticException The current builtin authorization in Hive is incomplete and disabled.
hive> set hive.security.authorization.task.factory = org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl;
hive> show roles;
OK
admin
public
test_role
If you hit the error shown above, run the set command shown and the query succeeds.
2. Turn on authorization
hive> set hive.security.authorization.enabled=true;
3. Configure the default grants for newly created tables
hive> set hive.security.authorization.createtable.owner.grants=ALL;
hive> set hive.security.authorization.createtable.role.grants=admin_role:ALL;
hive> set hive.security.authorization.createtable.user.grants=user1,user2:select\;user3:create;
Each line is a set command and ends with a semicolon. The third value itself contains a semicolon (entries are separated by ";"), so it is escaped as \; to stop the Hive CLI from splitting the command there; alternatively, put that value in hive-site.xml.
4. Edit the configuration file hive-site.xml and add the following properties
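The three createtable.*.grants properties share one value format, "principal1,principal2:privilege;principal3:privilege". As an added example (not Hive's own code), the following Python parser decodes that format, validates the privilege names against the list in section 7 of these notes, and flags principals whose default grants are wider than a given allowed set, which is a useful pre-deployment check on hive-site.xml. The assumption that one entry may also carry a comma-separated privilege list ("select,create") goes beyond the page's examples.

```python
# Added example: parser for the value format of
# hive.security.authorization.createtable.{owner,user,role,group}.grants.
# Not Hive's own parsing code. Format from the notes: "user1,user2:select;user3:create".
# Assumption: the privilege side may also be a comma-separated list ("select,create").

# Privilege names as listed in section 7 of these notes (ALL is the wildcard).
KNOWN_PRIVILEGES = {
    "ALL", "ALTER", "UPDATE", "CREATE", "DROP", "INDEX", "LOCK", "SELECT", "SHOW_DATABASE",
}


def parse_createtable_grants(value):
    """Return {principal: [PRIV, ...]} for one createtable.*.grants value.

    Entries are separated by ';', principals from privileges by ':', and both
    sides may be comma-separated lists. Privilege names are upper-cased and
    validated; an unknown or empty privilege list raises ValueError.
    """
    grants = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        if ":" not in entry:
            raise ValueError(f"entry {entry!r} has no ':' between principals and privileges")
        principals, privs = entry.split(":", 1)
        priv_list = [p.strip().upper() for p in privs.split(",") if p.strip()]
        unknown = [p for p in priv_list if p not in KNOWN_PRIVILEGES]
        if unknown or not priv_list:
            raise ValueError(f"unknown or empty privilege(s) {unknown} in entry {entry!r}")
        for principal in (p.strip() for p in principals.split(",")):
            if not principal:
                continue
            bucket = grants.setdefault(principal, [])
            for priv in priv_list:
                if priv not in bucket:
                    bucket.append(priv)
    return grants


def grants_wider_than(grants, allowed):
    """Principals whose default grants exceed the allowed set, e.g. to catch a
    stray ALL or DROP in a config before it ships. Returns sorted names."""
    allowed = set(allowed)
    return sorted(p for p, privs in grants.items() if not set(privs) <= allowed)


if __name__ == "__main__":
    # Constructed values mirroring the notes' examples.
    users = parse_createtable_grants("user1,user2:select;user3:create")
    roles = parse_createtable_grants("admin_role:ALL")
    print(users)                                            # {'user1': ['SELECT'], ...}
    print(grants_wider_than({**users, **roles}, {"SELECT", "CREATE"}))  # ['admin_role']
```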
[root@host150 conf]# vim hive-site.xml
<property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
</property>
<property>
    <name>hive.security.authorization.createtable.owner.grants</name>
    <value>ALL</value>
</property>
<property>
    <name>hive.security.authorization.task.factory</name>
    <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
5. Create a role and grant it to a user
hive> CREATE ROLE xiaodu_role;
hive> GRANT ROLE xiaodu_role TO USER xiaodu;
6. Grant privileges
6.1 Grant privileges to a role
GRANT CREATE ON DATABASE smart_test TO ROLE xiaodu_role;
GRANT SELECT ON TABLE test_table TO ROLE test_role;
GRANT DROP ON TABLE test_table TO ROLE test_role;
GRANT ALL ON TABLE test_table TO ROLE test_role;
The principal keyword is ROLE here: the legacy authorizer distinguishes USER, GROUP (a Hadoop/OS group) and ROLE (created with CREATE ROLE), so a grant to GROUP xiaodu_role would not reach the role created in step 5.
6.2 Grant privileges to a user
GRANT CREATE ON DATABASE smart_test TO user xiaodu;
GRANT SELECT on table test_table to user xiaodu;
GRANT DROP on table test_table to user xiaodu;
GRANT ALL on table test_table to user xiaodu;
6.3 Grant the privilege to create databases
GRANT CREATE TO user root;
6.4 Show grants
SHOW GRANT user xiaodu ON DATABASE smart_test;
SHOW GRANT user xiaodu ON TABLE ed3_prd_inst_inject_label_ext0;
SHOW GRANT ROLE xiaodu_role ON DATABASE smart_test;
SHOW GRANT ROLE xiaodu_role ON TABLE ed3_prd_inst_inject_label_ext0;
6.5 Revoke privileges
revoke all on database smart_test from user xiaodu;
7. Privileges supported by Hive
ALL: all privileges
ALTER: allows modifying an object's metadata (the table definition)
UPDATE: allows modifying an object's physical data (the actual data)
CREATE: allows CREATE operations
DROP: allows DROP operations
INDEX: allows creating indexes (not implemented yet)
LOCK: allows the user to LOCK and UNLOCK objects when concurrent use requires it
SELECT: allows the user to run SELECT
SHOW_DATABASE: allows the user to view the available databases
8. Log into the Hive metastore database and inspect the privilege tables
Db_privs: records the privileges a User/Role holds on a database
Tbl_privs: records the privileges a User/Role holds on a table
Tbl_col_privs: records the privileges a User/Role holds on a table column
Roles: records every role that has been created
Role_map: records which Users belong to which Roles
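Reading these tables one at a time shows only direct grants; what an auditor wants is each user's effective privileges, including those inherited through role membership in Role_map. The Python below is an added example, not part of the original notes or of Hive: it builds a constructed SQLite stand-in for DBS, TBLS, ROLES, ROLE_MAP, DB_PRIVS and TBL_PRIVS (the column subset and upper-case names approximate the metastore DDL and are an assumption; a real metastore lives in MySQL, PostgreSQL or Derby), resolves ROLE grants to the users mapped into each role, and flags ALL and DROP grants for review. The same query runs unchanged against a real metastore once the connection is swapped.

```python
# Added example: effective-privilege audit over a constructed stand-in for the
# Hive metastore privilege tables. Not Hive's code; column names are an
# assumption approximating the metastore DDL.
import sqlite3

SCHEMA = """
CREATE TABLE DBS  (DB_ID INTEGER PRIMARY KEY, NAME TEXT);
CREATE TABLE TBLS (TBL_ID INTEGER PRIMARY KEY, DB_ID INTEGER, TBL_NAME TEXT);
CREATE TABLE ROLES (ROLE_ID INTEGER PRIMARY KEY, ROLE_NAME TEXT, OWNER_NAME TEXT);
CREATE TABLE ROLE_MAP (ROLE_GRANT_ID INTEGER PRIMARY KEY, ROLE_ID INTEGER,
                       PRINCIPAL_NAME TEXT, PRINCIPAL_TYPE TEXT, GRANTOR TEXT);
CREATE TABLE DB_PRIVS (DB_GRANT_ID INTEGER PRIMARY KEY, DB_ID INTEGER,
                       PRINCIPAL_NAME TEXT, PRINCIPAL_TYPE TEXT, DB_PRIV TEXT, GRANTOR TEXT);
CREATE TABLE TBL_PRIVS (TBL_GRANT_ID INTEGER PRIMARY KEY, TBL_ID INTEGER,
                        PRINCIPAL_NAME TEXT, PRINCIPAL_TYPE TEXT, TBL_PRIV TEXT, GRANTOR TEXT);
"""

# Constructed rows mirroring the grants made in sections 5 and 6 of the notes,
# plus a second user "analyst" mapped into test_role.
SAMPLE_ROWS = """
INSERT INTO DBS  VALUES (1, 'smart_test');
INSERT INTO TBLS VALUES (10, 1, 'test_table');
INSERT INTO ROLES VALUES (100, 'xiaodu_role', 'hive'), (101, 'test_role', 'hive');
INSERT INTO ROLE_MAP VALUES (1, 100, 'xiaodu', 'USER', 'hive'),
                            (2, 101, 'analyst', 'USER', 'hive');
INSERT INTO DB_PRIVS VALUES (1, 1, 'xiaodu_role', 'ROLE', 'CREATE', 'hive'),
                            (2, 1, 'xiaodu', 'USER', 'CREATE', 'hive');
INSERT INTO TBL_PRIVS VALUES (1, 10, 'test_role', 'ROLE', 'SELECT', 'hive'),
                             (2, 10, 'test_role', 'ROLE', 'DROP', 'hive'),
                             (3, 10, 'xiaodu', 'USER', 'ALL', 'hive');
"""

# Direct USER grants, plus ROLE grants expanded through ROLE_MAP membership.
EFFECTIVE_PRIVS_SQL = """
WITH user_roles AS (
    SELECT rm.PRINCIPAL_NAME AS user_name, r.ROLE_NAME
    FROM ROLE_MAP rm JOIN ROLES r ON r.ROLE_ID = rm.ROLE_ID
    WHERE rm.PRINCIPAL_TYPE = 'USER'
),
db_grants AS (
    SELECT p.PRINCIPAL_NAME, p.PRINCIPAL_TYPE, 'DATABASE ' || d.NAME AS obj, p.DB_PRIV AS priv
    FROM DB_PRIVS p JOIN DBS d ON d.DB_ID = p.DB_ID
),
tbl_grants AS (
    SELECT p.PRINCIPAL_NAME, p.PRINCIPAL_TYPE,
           'TABLE ' || d.NAME || '.' || t.TBL_NAME AS obj, p.TBL_PRIV AS priv
    FROM TBL_PRIVS p JOIN TBLS t ON t.TBL_ID = p.TBL_ID JOIN DBS d ON d.DB_ID = t.DB_ID
),
all_grants AS (SELECT * FROM db_grants UNION ALL SELECT * FROM tbl_grants)
SELECT g.PRINCIPAL_NAME AS user_name, g.obj, g.priv, 'direct' AS via
FROM all_grants g WHERE g.PRINCIPAL_TYPE = 'USER'
UNION ALL
SELECT ur.user_name, g.obj, g.priv, 'role:' || ur.ROLE_NAME
FROM all_grants g JOIN user_roles ur ON ur.ROLE_NAME = g.PRINCIPAL_NAME
WHERE g.PRINCIPAL_TYPE = 'ROLE'
ORDER BY 1, 2, 3
"""


def build_sample_metastore():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def effective_privileges(conn):
    """(user, object, privilege, via) rows: 'direct' or 'role:<name>'."""
    return conn.execute(EFFECTIVE_PRIVS_SQL).fetchall()


def find_wide_grants(rows):
    """ALL or DROP lets a principal destroy data; these deserve a review pass."""
    return [r for r in rows if r[2] in ("ALL", "DROP")]


if __name__ == "__main__":
    rows = effective_privileges(build_sample_metastore())
    for user, obj, priv, via in rows:
        print(f"{user:8} {priv:7} {obj:32} via {via}")
    print("review:", find_wide_grants(rows))
```

Against a real metastore, replace build_sample_metastore() with a connection to the metastore database; the query does not depend on SQLite-specific features beyond the || concatenation operator, which MySQL needs CONCAT() for.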