THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!

Page History

Versions Compared

Key

This line was added.
This line was removed.
Formatting was changed.

...

SHOW GRANT [principal_name] ON (ALL| ([TABLE] <table_or_view_name>)
Currently any user can run this command. But this is likely to change in future to allow users to see only their own privileges, and additional privileges would be needed to see privileges of other users.

Examples:
Find out privileges user ashutosh has on table hivejiratable.

0: jdbc:hive2://localhost:10000> show grant user ashutosh on table hivejiratable;
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database |     table      | partition | column | principal_name | principal_type | privilege | grant_option |   grant_time   | grantor |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default   | hivejiratable |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000 | thejas   |
| default   | hivejiratable |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000 | thejas   |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+

Find out privileges user ashutosh has on all objects.

0: jdbc:hive2://localhost:10000> show grant user ashutosh on all;
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database |       table       | partition | column | principal_name | principal_type | privilege | grant_option |   grant_time   | grantor |
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default   | hivecontributors |            |         | ashutosh        | USER            | DELETE     | false         | 1398303576000 | thejas   |
| default   | hivecontributors |            |         | ashutosh        | USER            | INSERT     | false         | 1398303576000 | thejas   |
| default   | hivecontributors |            |         | ashutosh        | USER            | SELECT     | false         | 1398303576000 | thejas   |
| default   | hivejiratable     |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000 | thejas   |
| default   | hivejiratable     |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000 | thejas   |
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+

Find out the privileges all users have on table hivejiratable.

0: jdbc:hive2://localhost:10000> show grant on table hivejiratable;
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database |     table      | partition | column | principal_name | principal_type | privilege | grant_option |   grant_time   | grantor |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default   | hivejiratable |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000 | thejas   |
| default   | hivejiratable |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000 | thejas   |
| default   | hivejiratable |            |         | navis           | USER            | INSERT     | false         | 1398303650000 | thejas   |
| default   | hivejiratable |            |         | navis           | USER            | SELECT     | false         | 1398303650000 | thejas   |
| default   | hivejiratable |            |         | public          | ROLE            | SELECT     | false         | 1398303481000 | thejas   |
| default   | hivejiratable |            |         | thejas          | USER            | DELETE     | true          | 1398303380000 | thejas   |
| default   | hivejiratable |            |         | thejas          | USER            | INSERT     | true          | 1398303380000 | thejas   |
| default   | hivejiratable |            |         | thejas          | USER            | SELECT     | true          | 1398303380000 | thejas   |
| default   | hivejiratable |            |         | thejas          | USER            | UPDATE     | true          | 1398303380000 | thejas   |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+

Privilege required for Hive operations

Codes :

Y - Privilege required

Y + G = Privilege 'WITH GRANT OPTION' required.

Action	Select	Insert	Delete	Ownership	Admin	URI privilege
CREATE TABLE				Y -Of Database		RWX + Ownership: for external table location
DROP TABLE				Y
DESCRIBE TABLE	Y
SHOW PARTITIONS	Y
ALTER TABLE LOCATION				Y		RWX + Ownership of new location
ALTER PARTITION LOCATION				Y		RWX + Ownership of new location
ALTER TABLE

Configuration

Set the following to hive-site.xml
hive.server2.enable.doAs to false.
hive.users.in.admin.role to the list of comma separated users who need to be added to admin role

...

-hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory

-hiveconf hive.security.authorization.enabled=true

-hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator.

-hiveconf hive.metastore.uris=' '

Known Issues

References

For information on the SQL standard for security see:

...