Hive wiki page:
https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode
Hive's default authorization mechanism can ensure that the right users do the right things, but this authorization is not fully secure. The wiki recommends using HiveServer2-based authorization instead, because any user can create roles and grant privileges (this can be restricted with a custom Hive hook that checks which users are allowed to grant roles).
Configure hive-site.xml:
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
<description>enable or disable the hive client authorization</description>
</property>
<property>
<name>hive.security.authorization.createtable.owner.grants</name>
<value>ALL</value>
<description>the privileges automatically granted to the owner whenever a table gets created.
An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
</property>
Users, groups, roles
Users and groups are at the Linux OS level; roles are created at the Hive level.
Below are some tests.
1. Test environment:
Hive databases: rec (belongs to a user in group rec), table rectest1
dwd (belongs to a user in group data_platform), table t1
User:Group
rec:rec
rec1:rec
data_platform:data_platform
(1) create role role_rec;
(2) grant role role_rec to group rec;
By default a user can only access tables created by that user; tables created by other users cannot be accessed even if their HDFS permission is 777.
(3)
grant all on database dwd to role role_rec;
After this, users in group rec can access database dwd.
(4)
grant all on database rec to role role_rec;
After this, users in group rec can access database rec (rec1 can now access it too).
This shows that the privileges held by a role are passed on to the users or groups that hold the role.
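As an added example (not from the original post and not Hive's own code), the following Python script models the behaviour of the four steps above: OS-level users and groups, Hive-level roles granted to users, groups or other roles, the owner grants from hive.security.authorization.createtable.owner.grants, and database-level grants covering every table in that database. It is a deliberate simplification of legacy mode (no global, partition or column level, no ADMIN or GRANT OPTION); the user, group, database and table names are the ones from the test environment, and the class and function names are invented for this example. It also goes one step beyond the post by following roles granted to other roles transitively.

```python
# Added example: a simplified, offline model of Hive legacy-mode authorization.
# Not Hive's own code; LegacyAuthModel, run_walkthrough, etc. are names invented here.
from collections import defaultdict


class LegacyAuthModel:
    """Principals are (kind, name) tuples with kind in {"USER", "GROUP", "ROLE"}.
    Objects are ("DATABASE", db) or ("TABLE", db, table)."""

    def __init__(self, owner_grants=("ALL",)):
        # Mirrors hive.security.authorization.createtable.owner.grants
        self.owner_grants = {p.strip().upper() for p in owner_grants}
        self.user_groups = defaultdict(set)    # OS level: user -> groups
        self.role_members = {}                 # Hive level: role -> principals it was granted to
        self.privs = defaultdict(set)          # principal -> {(priv, object)}
        self.table_owner = {}                  # (db, table) -> creating user

    # --- OS level ---------------------------------------------------------
    def add_user(self, user, *groups):
        self.user_groups[user].update(groups)

    # --- CREATE ROLE / GRANT ROLE ... TO principal ------------------------
    def create_role(self, role):
        self.role_members.setdefault(role, set())

    def grant_role(self, role, kind, name):
        if role not in self.role_members:
            raise ValueError(f"role {role!r} does not exist")
        self.role_members[role].add((kind.upper(), name))

    # --- GRANT priv ON object TO principal --------------------------------
    def grant(self, priv, obj, kind, name):
        self.privs[(kind.upper(), name)].add((priv.upper(), obj))

    def create_table(self, user, db, table):
        """The creating user automatically receives owner_grants on the new table."""
        self.table_owner[(db, table)] = user
        for priv in self.owner_grants:
            self.grant(priv, ("TABLE", db, table), "USER", user)

    # --- resolution -------------------------------------------------------
    def principals_of(self, user):
        """The user, its OS groups, and every role reachable through role grants."""
        found = {("USER", user)} | {("GROUP", g) for g in self.user_groups[user]}
        changed = True
        while changed:  # roles granted to roles are followed transitively
            changed = False
            for role, members in self.role_members.items():
                if ("ROLE", role) not in found and members & found:
                    found.add(("ROLE", role))
                    changed = True
        return found

    def can(self, user, priv, db, table=None):
        """True if some principal of `user` holds `priv` (or ALL) on the table or on its database."""
        priv = priv.upper()
        covering = {("DATABASE", db)}
        if table is not None:
            covering.add(("TABLE", db, table))
        for principal in self.principals_of(user):
            for granted, obj in self.privs[principal]:
                if obj in covering and granted in ("ALL", priv):
                    return True
        return False


def build_test_environment():
    """The environment from the post: users and groups, two databases with one table each."""
    m = LegacyAuthModel(owner_grants=("ALL",))
    m.add_user("rec", "rec")
    m.add_user("rec1", "rec")
    m.add_user("data_platform", "data_platform")
    m.create_table("rec", "rec", "rectest1")        # rec owns rec.rectest1
    m.create_table("data_platform", "dwd", "t1")    # data_platform owns dwd.t1
    return m


def run_walkthrough():
    """Replays steps (1)-(4) and records who can SELECT what after each one."""
    m = build_test_environment()
    out = {}
    # Default: only the creating user can reach its own table
    out["rec1_own_db_before"] = m.can("rec1", "SELECT", "rec", "rectest1")
    out["rec_dwd_before"] = m.can("rec", "SELECT", "dwd", "t1")
    m.create_role("role_rec")                                 # (1)
    m.grant_role("role_rec", "GROUP", "rec")                  # (2)
    m.grant("ALL", ("DATABASE", "dwd"), "ROLE", "role_rec")   # (3)
    out["rec_dwd_after3"] = m.can("rec", "SELECT", "dwd", "t1")
    out["rec1_dwd_after3"] = m.can("rec1", "SELECT", "dwd", "t1")
    out["dp_rec_after3"] = m.can("data_platform", "SELECT", "rec", "rectest1")
    m.grant("ALL", ("DATABASE", "rec"), "ROLE", "role_rec")   # (4)
    out["rec1_own_db_after4"] = m.can("rec1", "SELECT", "rec", "rectest1")
    return out


if __name__ == "__main__":
    for step, allowed in run_walkthrough().items():
        print(f"{step}: {'allowed' if allowed else 'denied'}")
```

Running the script prints the outcome of each step: before any grant, rec1 is denied on rec.rectest1 and rec is denied on dwd.t1; after step (3) both rec and rec1 reach dwd.t1 while data_platform is still denied on rec.rectest1; after step (4) rec1 reaches rec.rectest1 as well. The role closure in `principals_of` is what makes privileges flow from a role to the group, and from the group to each member user.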
Create/Drop Role (create or drop a role)
CREATE ROLE role_name
DROP ROLE role_name
Grant/Revoke Roles (grant a role to a user, group or role)
GRANT ROLE role_name [, role_name] ...
TO principal_specification [, principal_specification] ...
[WITH ADMIN OPTION]
REVOKE [ADMIN OPTION FOR] ROLE role_name [, role_name] ...
FROM principal_specification [, principal_specification] ...
principal_specification:
USER user
| GROUP group
| ROLE role
Viewing Granted Roles (query the holders of a role)
SHOW ROLE GRANT principal_specification
principal_specification:
USER user
| GROUP group
| ROLE role
Grant/Revoke Privileges (grant or revoke privileges)
GRANT
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
[ON object_specification]
TO principal_specification [, principal_specification] ...
[WITH GRANT OPTION]
REVOKE [GRANT OPTION FOR]
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
[ON object_specification]
FROM principal_specification [, principal_specification] ...
REVOKE ALL PRIVILEGES, GRANT OPTION
FROM user [, user] ...
priv_type:
ALL | ALTER | UPDATE | CREATE | DROP
| INDEX | LOCK | SELECT | SHOW_DATABASE
object_specification:
TABLE tbl_name
| DATABASE db_name
principal_specification:
USER user
| GROUP group
| ROLE role
Viewing Granted Privileges (view privileges)
SHOW GRANT principal_specification
[ON object_specification [(column_list)]]
principal_specification:
USER user
| GROUP group
| ROLE role
object_specification:
TABLE tbl_name
| DATABASE db_name