...
SHOW GRANT [principal_name] ON (ALL | ([TABLE] <table_or_view_name>))
Currently any user can run this command. This is likely to change in the future so that users can see only their own privileges, with additional privileges needed to see the privileges of other users.
Examples:
Find out the privileges user ashutosh has on table hivejiratable:

```text
0: jdbc:hive2://localhost:10000> show grant user ashutosh on table hivejiratable;
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table          | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default   | hivejiratable  |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000  | thejas   |
| default   | hivejiratable  |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000  | thejas   |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
```

Find out the privileges user ashutosh has on all objects:

```text
0: jdbc:hive2://localhost:10000> show grant user ashutosh on all;
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table             | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default   | hivecontributors  |            |         | ashutosh        | USER            | DELETE     | false         | 1398303576000  | thejas   |
| default   | hivecontributors  |            |         | ashutosh        | USER            | INSERT     | false         | 1398303576000  | thejas   |
| default   | hivecontributors  |            |         | ashutosh        | USER            | SELECT     | false         | 1398303576000  | thejas   |
| default   | hivejiratable     |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000  | thejas   |
| default   | hivejiratable     |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000  | thejas   |
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
```

Find out the privileges all users have on table hivejiratable:

```text
0: jdbc:hive2://localhost:10000> show grant on table hivejiratable;
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table          | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default   | hivejiratable  |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000  | thejas   |
| default   | hivejiratable  |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000  | thejas   |
| default   | hivejiratable  |            |         | navis           | USER            | INSERT     | false         | 1398303650000  | thejas   |
| default   | hivejiratable  |            |         | navis           | USER            | SELECT     | false         | 1398303650000  | thejas   |
| default   | hivejiratable  |            |         | public          | ROLE            | SELECT     | false         | 1398303481000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | DELETE     | true          | 1398303380000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | INSERT     | true          | 1398303380000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | SELECT     | true          | 1398303380000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | UPDATE     | true          | 1398303380000  | thejas   |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
```
Privilege required for Hive operations
Codes:
Y - Privilege required
Y + G - Privilege WITH GRANT OPTION required
| Action | Select | Insert | Delete | Ownership | Admin | URI privilege |
|---|---|---|---|---|---|---|
| CREATE TABLE | | | | Y (of database) | | RWX + Ownership (for external table location) |
| DROP TABLE | | | | Y | | |
| DESCRIBE TABLE | Y | | | | | |
| SHOW PARTITIONS | Y | | | | | |
| ALTER TABLE LOCATION | | | | Y | | RWX + Ownership (of new location) |
| ALTER PARTITION LOCATION | | | | Y | | RWX + Ownership (of new location) |
ALTER TABLE |
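The following script is an added example, not code from the Hive documentation or the Hive project. It parses the table Beeline prints for SHOW GRANT (the constructed sample reuses the rows from the `show grant on table hivejiratable` output above), flags grants that widen exposure (a privilege granted to the ROLE `public`, which every user holds, and a privilege granted WITH GRANT OPTION, which the grantee can pass on), and answers "who can run this action on the table" for the two actions in the privilege table that need only SELECT. The function names, the `REQUIRED_PRIVILEGE` map and the Beeline column layout are assumptions; the script only sees what SHOW GRANT shows, so ownership and membership of roles other than `public` are outside its view.

```python
"""Audit the output of SHOW GRANT for grants that widen exposure.

Added example, not code from the Hive wiki. Parses the table that Beeline
prints for SHOW GRANT and reports grants to the ROLE "public" and grants
carrying grant_option = true, then answers "who can run action X" for the
actions in the privilege table that need only SELECT.
"""
from datetime import datetime, timezone

# Constructed sample: the rows printed by "show grant on table hivejiratable".
SAMPLE_OUTPUT = """\
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table          | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default   | hivejiratable  |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000  | thejas   |
| default   | hivejiratable  |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000  | thejas   |
| default   | hivejiratable  |            |         | navis           | USER            | INSERT     | false         | 1398303650000  | thejas   |
| default   | hivejiratable  |            |         | navis           | USER            | SELECT     | false         | 1398303650000  | thejas   |
| default   | hivejiratable  |            |         | public          | ROLE            | SELECT     | false         | 1398303481000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | DELETE     | true          | 1398303380000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | INSERT     | true          | 1398303380000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | SELECT     | true          | 1398303380000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | UPDATE     | true          | 1398303380000  | thejas   |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
"""

# Required privilege per action, taken from the "Privilege required for Hive
# operations" table above; only the actions that need a plain SELECT are listed
# (this map is an assumption of the example, not a Hive API).
REQUIRED_PRIVILEGE = {
    "DESCRIBE TABLE": "SELECT",
    "SHOW PARTITIONS": "SELECT",
}


def parse_show_grant(text):
    """Return one dict per grant row, keyed by the column names in the header."""
    header = None
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # +----+ border lines (and the prompt) carry no data
        cells = [c.strip() for c in line.strip()[1:-1].split("|")]
        if header is None:
            header = cells  # the first pipe-delimited line is the header
            continue
        row = dict(zip(header, cells))
        row["grant_option"] = row["grant_option"].lower() == "true"
        # grant_time is epoch milliseconds; keep it as an aware UTC datetime
        row["grant_time"] = datetime.fromtimestamp(int(row["grant_time"]) / 1000, tz=timezone.utc)
        rows.append(row)
    return rows


def find_risky_grants(rows):
    """Findings for public-role grants and grants that carry the grant option."""
    findings = []
    for r in rows:
        obj = f"{r['database']}.{r['table']}"
        if r["principal_type"] == "ROLE" and r["principal_name"] == "public":
            findings.append(f"{obj}: {r['privilege']} is granted to role public (every user)")
        if r["grant_option"]:
            findings.append(f"{obj}: {r['principal_name']} holds {r['privilege']} WITH GRANT OPTION")
    return findings


def who_can(rows, action):
    """Return (users with a direct grant, whether role public has it) for an action."""
    needed = REQUIRED_PRIVILEGE[action]
    users = set()
    open_to_everyone = False
    for r in rows:
        if r["privilege"] != needed:
            continue
        if r["principal_type"] == "USER":
            users.add(r["principal_name"])
        elif r["principal_type"] == "ROLE" and r["principal_name"] == "public":
            open_to_everyone = True
    return users, open_to_everyone


if __name__ == "__main__":
    grants = parse_show_grant(SAMPLE_OUTPUT)
    for finding in find_risky_grants(grants):
        print(finding)
    users, everyone = who_can(grants, "DESCRIBE TABLE")
    print("DESCRIBE TABLE: direct grants to", sorted(users), "| open to everyone:", everyone)
```

Run against the sample, the script reports the `public` SELECT grant and the four grant-option grants held by thejas, and shows that because `public` holds SELECT, every user (not just the three with direct grants) can DESCRIBE the table. To audit a live system, replace `SAMPLE_OUTPUT` with the captured output of `show grant on table <name>`.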
Configuration
Set the following in hive-site.xml:
hive.server2.enable.doAs to false
hive.users.in.admin.role to the comma-separated list of users who should be added to the admin role
...
-hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
-hiveconf hive.security.authorization.enabled=true
-hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
-hiveconf hive.metastore.uris=' '
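A check for the configuration described in this section, as an added example rather than code from the Hive project: it reads the `<property>` entries of a hive-site.xml and reports every setting that is missing or differs from the value listed above. It assumes the four `-hiveconf` options are also valid as hive-site.xml properties of the same name (they are the same configuration keys); `hive.metastore.uris` is not checked. The sample file is constructed, and deliberately leaves `hive.server2.enable.doAs` at `true` so the check has something to report.

```python
"""Verify that a hive-site.xml carries the SQL standard authorization settings.

Added example, not code from the Hive project. Parses the <property> entries
of a hive-site.xml and compares them with the values this section requires.
"""
import xml.etree.ElementTree as ET

# Settings with a fixed required value (from the Configuration section above).
REQUIRED = {
    "hive.server2.enable.doAs": "false",
    "hive.security.authorization.enabled": "true",
    "hive.security.authorization.manager":
        "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
    "hive.security.authenticator.manager":
        "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
}

# Settings that have no single correct value but must be present and non-empty.
MUST_BE_SET = ["hive.users.in.admin.role"]

# Constructed sample hive-site.xml; doAs is left at true on purpose.
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name><value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value></property>
  <property><name>hive.security.authenticator.manager</name><value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value></property>
  <property><name>hive.users.in.admin.role</name><value>thejas</value></property>
</configuration>
"""


def load_properties(xml_text):
    """Map property name -> value for every <property> in a hive-site.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value") or ""  # findtext gives None when <value> is absent
        if name:
            props[name.strip()] = value.strip()
    return props


def check_authorization_config(props):
    """Return a list of problems; an empty list means the settings match this section."""
    problems = []
    for name, expected in REQUIRED.items():
        actual = props.get(name)
        if actual is None:
            problems.append(f"{name} is not set (expected {expected})")
        elif actual != expected:
            problems.append(f"{name} is {actual!r}, expected {expected!r}")
    for name in MUST_BE_SET:
        if not props.get(name):
            problems.append(f"{name} is not set or empty")
    return problems


if __name__ == "__main__":
    for problem in check_authorization_config(load_properties(SAMPLE_HIVE_SITE)):
        print(problem)
```

Point `load_properties` at the contents of a real hive-site.xml to run the same check against a deployment; the function returns an empty list only when all four fixed values match and the admin-role user list is non-empty.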
Known Issues
References
For information on the SQL standard for security see:
...