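1. While querying data in Hive again, the following error was reported:
Authorization failed:No privilege 'Select' found for inputs { database:hive,table:emp,columnName:id}.Use SHOW GRANT to get more details.
I had a vague feeling that this was because I had enabled Hive authorization and the user I was now using did not have sufficient privileges. So all that is needed is to grant the select privilege to the user.
2. Hive's authorization is not completely secure. It exists to keep users from accidentally performing inappropriate operations.
To use Hive's authorization mechanism, modify the settings in hive-site.xml and set them as follows: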
<property>
<name>hive.metastore.authorization.storage.checks</name>
<value>true</value>
<description>
Should the metastore do authorization checks against the underlying storage (usually hdfs)
for operations like drop-partition (disallow the drop-partition if the user in
question doesn't have permissions to delete the corresponding directory
on the storage).
</description>
</property>
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
<description>enable or disable the hive client authorization</description>
</property>
<property>
<name>hive.security.authorization.createtable.owner.grants</name>
<value>ALL</value>
<description>the privileges automatically granted to the owner whenever a table gets created. An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
</property>
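hive.metastore.authorization.storage.checks prevents users without permission from dropping tables.
hive.security.authorization.enabled turns on authorization checks; the default is false.
hive.security.authorization.createtable.owner.grants specifies that the creator of a table has all privileges on that table.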
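The following Python check is an added example, not part of the original post: it parses a hive-site.xml and reports which of the three settings above differ from the values the article sets. The values assumed for properties that are absent from the file (false, false and empty) and the two sample configurations are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# name -> (value the article sets, value assumed when the property is absent)
EXPECTED = {
    "hive.metastore.authorization.storage.checks": ("true", "false"),
    "hive.security.authorization.enabled": ("true", "false"),
    "hive.security.authorization.createtable.owner.grants": ("ALL", ""),
}

def load_properties(xml_text):
    """Parse hive-site.xml text into {name: value}; the last duplicate is kept."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return (property, effective value, reason) for each setting that differs."""
    props = load_properties(xml_text)
    findings = []
    for name, (wanted, default) in EXPECTED.items():
        effective = props.get(name, default)
        if effective.lower() != wanted.lower():
            reason = "set to another value" if name in props else "not set"
            findings.append((name, effective, reason))
    return findings

def _prop(name, value):
    """Build one <property> element for the constructed samples below."""
    return f"<property><name>{name}</name><value>{value}</value></property>"

# Constructed sample inputs: the article's three settings, and a file that
# explicitly disables authorization and omits the other two properties.
ARTICLE_CONFIG = "<configuration>" + "".join(
    _prop(n, wanted) for n, (wanted, _) in EXPECTED.items()) + "</configuration>"
WEAK_CONFIG = "<configuration>" + _prop(
    "hive.security.authorization.enabled", " FALSE ") + "</configuration>"

if __name__ == "__main__":
    for label, text in (("article", ARTICLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(text) or "all three settings match")
```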
3. Introduction to Hive privileges: granting, revoking, usage examples, and viewing held privileges.
Granting privileges
grant priv_type [,priv_type]... on table_name or view_name to
principal_specification [,principal_specification]... [with grant option];
If (with grant option) is given, principal_specification also has grant and revoke rights.
Revoking privileges
revoke [grant option for] priv_type [,priv_type]... on table_name or view_name
from principal_specification [,principal_specification]...;
(grant option for) means revoking the grant and revoke rights that principal_specification holds.
principal_specification: user user_name|role role_name
priv_type: insert | select | update | delete | all, and so on
Viewing held privileges
show grant [principal_specification] on (all|([table] table_or_view_name))
principal_specification: user user|role role
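4. Role management.
When we want certain users to have only specific operation privileges on certain tables, we can grant those privileges to a custom role and then grant and revoke privileges through that role. This improves work efficiency and reduces the workload.
Creating/dropping roles
create role role_name
drop role role_name
Granting and revoking roles
grant role_name [,role_name] ... to principal_specification
[,principal_specification]...[with admin option];
principal_specification: user user_name|role role_name
If [with admin option] is specified, the user or role that is granted the role has admin rights.
Revoking roles
revoke [admin option for] role_name [,role_name] ...
from principal_specification [,principal_specification]...;
principal_specification: user user|role role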
From the ITPUB blog, link: http://blog.itpub.net/30172158/viewspace-2088988/. If you repost this, please credit the source; otherwise legal liability will be pursued.