...
Privileges to add or drop functions and macros are restricted to the admin role.
To enable users to use functions, the ability to create permanent functions has been added. A user in the admin role can run commands to create these functions, which all users can then use.
...
Creates a new role. Only the admin role has privilege for this.
...
Drops the given role. Only the admin role has privilege for this.
...
The default current roles include all of the user's roles except the admin role (even if the user belongs to the admin role as well).
Any user can run this command.
...
List all currently existing roles.
Only the admin role has privilege for this.
...
Currently revoking just the ADMIN OPTION is not possible. You need to revoke the principal’s role grant, and then grant the role to principal without admin option.
Show Role Grant

```sql
SHOW ROLE GRANT (USER|ROLE) principal_name;
```
...
Lists all roles and users who belong to this role.
Only the admin role has privilege for this.
...
Y + G: Privilege "WITH GRANT OPTION" required.
| Action | Select | Insert | Delete | Ownership | Admin | URI Privilege (RWX Permission + Ownership) |
|---|---|---|---|---|---|---|
| CREATE TABLE | | | | Y (of database) | | Y (for create external table – the location) |
| DROP TABLE | | | | Y | | |
| DESCRIBE TABLE | Y | | | | | |
| SHOW PARTITIONS | Y | | | | | |
| ALTER TABLE LOCATION | | | | Y | | Y (for new location) |
| ALTER PARTITION LOCATION | | | | Y | | Y (for new partition location) |
| ALTER TABLE ADD PARTITION | | Y | | | | Y (for partition location) |
| ALTER TABLE DROP PARTITION | | | Y | | | |
| ALTER TABLE (all of them except the ones above) | | | | Y | | |
| TRUNCATE TABLE | | | | Y | | |
| CREATE VIEW | Y + G | | | | | |
| ALTER VIEW PROPERTIES | | | | Y | | |
| ALTER VIEW RENAME | | | | Y | | |
| DROP VIEW PROPERTIES | | | | Y | | |
| DROP VIEW | | | | Y | | |
| ANALYZE TABLE | Y | Y | | | | |
| SHOW COLUMNS | Y | | | | | |
| SHOW TABLE STATUS | Y | | | | | |
| SHOW TABLE PROPERTIES | Y | | | | | |
| CREATE TABLE AS SELECT | Y (of input) | | | Y (of database) | | |
| CREATE INDEX | | | | Y (of table) | | |
| DROP INDEX | | | | Y | | |
| ALTER INDEX REBUILD | | | | Y | | |
| ALTER INDEX PROPERTIES | | | | Y | | |
| QUERY (insert, select queries) | Y (input) | Y (output) | Y (output) | | | |
| LOAD | | Y (output) | Y (output) | | | Y (input location) |
| SHOW CREATE TABLE | Y + G | | | | | |
| CREATE FUNCTION | | | | | Y | |
| DROP FUNCTION | | | | | Y | |
| CREATE MACRO | | | | | Y | |
| DROP MACRO | | | | | Y | |
| MSCK (metastore check) | | | | | Y | |
| ALTER DATABASE | | | | | Y | |
| CREATE DATABASE | | | | | | Y (if custom location specified) |
| EXPLAIN | Y | | | | | |
| DROP DATABASE | | | | Y | | |
Configuration
Set the following in hive-site.xml:
- hive.server2.enable.doAs to false.
- hive.users.in.admin.role to the list of comma-separated users who need to be added to admin role. Note that a user who belongs to the admin role needs to run the "set role" command before getting the privileges of the admin role, as this role is not in current roles by default.
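An added example, not part of the original page or the Hive project: a small Python check that reads a hive-site.xml and reports whether the two settings above are in place. The sample XML fragments and the user names in them are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml fragments (not from the original page).
WEAK = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property><name>hive.users.in.admin.role</name><value> </value></property>
</configuration>"""

HARDENED = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property><name>hive.users.in.admin.role</name><value>hiveadmin, etl_owner</value></property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <property> elements."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(xml_text):
    """Return (findings, admin_users) for the two settings listed above."""
    props = load_properties(xml_text)
    findings = []
    do_as = props.get("hive.server2.enable.doAs")
    if do_as is None:
        findings.append("hive.server2.enable.doAs is not set; set it to false explicitly")
    elif do_as.lower() != "false":
        findings.append(f"hive.server2.enable.doAs is {do_as!r}, expected 'false'")
    raw = props.get("hive.users.in.admin.role", "")
    admins = [u.strip() for u in raw.split(",") if u.strip()]
    if not admins:
        findings.append("hive.users.in.admin.role lists no users")
    return findings, admins


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        findings, admins = audit(text)
        print(label, "admins:", admins)
        for finding in findings:
            print("  FINDING:", finding)
```

The returned admin list is also the set of accounts to review, since each of them can take on the admin role with "set role".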
...
- ISO 9075 Part 1 Framework sections 4.2.6, 4.6.11
- ISO 9075 Part 2 Foundation sections 4.35 and 12
Troubleshooting
...
Problem: My user name is in hive.users.in.admin.role in hive-site.xml, but I still get the error that user is not an admin. What could be wrong?
...
Do This: Ensure that you have restarted HiveServer2 after a configuration change and that you have used the HiveServer2 command line options as described in Configuration above.
...
Do This: Ensure that you have run a 'set role admin;' command to get the admin role.