hive使用时的用户权限问题

0: jdbc:hive2://node1:10000> create role root;

Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : ljr is not allowed to add roles. User has to belong to ADMIN role and have it as current role, for this action. (state=08S01,code=1)

对于由于用户权限引起的报错，我们知道只要对用户进行授予相关的权限就可以解决问题，但是最令人疑惑的是，这个授权的boss是谁？我们可以从报错内容看出授权的必须是belong to ADMIN role and have it as current role（属于超级管理员的角色，并且是当前的角色），下面讨论怎么进行设置；

解决办法：

1、在hive-site.xml中指定超级管理员：

vim $HIVE_HOME/conf/hive-site.xml

<!-- 指定超级管理员 -->

<property>

  <name>hive.users.in.admin.role</name>

  <value>ljr</value>

</property>

2、通过beeline以ljr用户进入hive 

beeline -u jdbc:hive2://node1:10000 -n ljr

分别执行以下操作

set hive.users.in.admin.role;

set role admin;

create role root;

到此可以发现用户ljr已经有了创建角色的权限；事实上ljr已经拥有了hive超级管理员的所有权限

比如：未进行set role admin;时ljr是无权将test库的权限开放给其他用户的

0: jdbc:hive2://node1:10000> grant all on database test to user root;

Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied: Principal [name=ljr, type=USER] does not have following privileges for operation GRANT_PRIVILEGE [[SELECT with grant, INSERT with grant, UPDATE with grant, DELETE with grant] on Object [type=DATABASE, name=test]] (state=08S01,code=1)

但进行以上操作后可以发现ljr可以对test库进行授权了

0: jdbc:hive2://node1:10000> grant all on database test to user root;

0: jdbc:hive2://node1:10000> show grant user root;