HiveSQL Syntax for Use with Sentry
创建和删除角色
- 创建角色: create role ROLE_NAME
- 删除角色: droop role ROLE_NAME
CREATE ROLE admin_role;创建角色
droop role admin_role;删除角色
角色的授权和撤销
角色的授权(GRANT)就是给角色授予创建表、查询表等操作,撤销(REVOKE)反之。语法如下:
1 2 |
GRANT ROLE role_name [, role_name] TO GROUP <groupName> [,GROUP <groupName>] REVOKE ROLE role_name [, role_name] FROM GROUP <groupName> [,GROUP <groupName>]
GRANT ROLE admin_role TO GROUP `admin`; GRANT ROLE admin_role TO GROUP hive; 并授权给 admin和 hive组(对应操作系统上的组) GRANT ROLE analyst_role TO GROUP `analyst`
REVOKE ROLE admin_role from group hive; 撤销hive的admin_role权限
把role_test1角色授权给test组: grant role role_test1 to group test 查看test组被授权的角色: show role grant group test 取消test组的role_test1角色: revoke role role_test1 from group test
|
权限的授予和撤销
1 2 |
GRANT <PRIVILEGE> [, <PRIVILEGE> ] ON <OBJECT> <object_name> TO ROLE <roleName> [,ROLE <roleName>] REVOKE <PRIVILEGE> [, <PRIVILEGE> ] ON <OBJECT> <object_name> FROM ROLE <roleName> [,ROLE <roleName>]
GRANT ALL ON DATABASE analyst1 TO ROLE analyst_role; GRANT ALL ON DATABASE jranalyst1 TO ROLE analyst_role; REVOKE ALL ON DATABASE ztt_test from ROLE ztttest_role; 将数据库analyst1,jranalyst1的所有权限给analyst_role角色 analyst_role角色只能读写analyst1,jranalyst1数据库。
|
查看角色/组权限
1 2 3 4 5 |
SHOW ROLES; 查看有多少个role SHOW CURRENT ROLES; 查看当前登录的是用户属于哪个role SHOW ROLE GRANT GROUP <groupName>; 查看group所属的role SHOW GRANT ROLE <roleName>; 查看role所拥有的权限 SHOW GRANT ROLE <roleName> on<OBJECT> <objectName>; |
- Grant privileges to analyst_role:
1 2 3 4 |
CREATEROLE analyst_role; GRANT ALLONDATABASE analyst1TOROLE analyst_role; analust_role拥有对数据库analyst1的所有权限 GRANTSELECTONDATABASE jranalyst1TOROLE analyst_role; analyst_role只拥有对数据库jranalyst1的查询操作权限 GRANT ALLON URI'hdfs://ha-nn-uri/landing/analyst1'TOROLE analyst_role; |
- Grant privileges to junior_analyst_role:
1 2 3 4 |
CREATEROLE junior_analyst_role; GRANT ALLONDATABASE jranalyst1TOROLE junior_analyst_role; junior_analust_role拥有对数据库jranalyst1的所有权限 GRANT ALLON URI'hdfs://ha-nn-uri/landing/jranalyst1'TOROLE junior_analyst_role;
|
- Grant privileges to admin_role:
1 2 |
CREATEROLE admin_role GRANT ALLONSERVERserver1TOROLE admin_role; 将服务器server1上的所有权限给admin_role角色 GRANT allonDATABASEtesttorole admin_rolewithgrantoption; |
- Grant roles to groups:
1 2 3 |
GRANTROLE admin_roleTOGROUPadmin; admin用户组将拥有角色admin_role的权限 GRANTROLE analyst_roleTOGROUP analyst; GRANTROLE jranalyst_roleTOGROUP jranalyst; |
来自 <http://wzktravel.github.io/2016/02/25/Enabling-sentry-in-CDH/>