Versions Compared

Old Version 4

changes.mady.by.user Ashoat Tevosyan

Saved on

compared with

New Version 5

changes.mady.by.user Lefty Leverenz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: add links to Authorization overview page and other authorization docs

Index

Table of Contents

Info
titleAuthorization modes

This is the design document for the original Hive authorization mode. See Authorization for an overview of authorization modes, which include storage based authorization and SQL standards based authorization.

1. Privilege

1.1 Access Privilege

...

4.3 grant/revoke statement

Code Block


GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    TO user [, user] ...
WITH ADMIN OPTION

object_type:
    TABLE

priv_level:
    *
  | *.*
  | db_name.*
  | db_name.tbl_name
  | tbl_name

REVOKE
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    FROM user [, user] ...

REVOKE ALL PRIVILEGES, GRANT OPTION
    FROM user [, user] ...


DENY  
	priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    ON [object_type] priv_level
    FROM user [, user] ...

...

When a user logins to the system, he has a user name, one or few groups that he belongs to.
So it is

[

Code Block


username, 

list of group names, 

list of privileges and roles that has been directly granted, 

list of privileges and roles that been directly granted to groups that users belongs to

...

  • Steps to authorize one access: *
Code Block


First try user name:

 # If there is an entry in 'user' that accept this access, return ACCEPT

2. If there is an entry in 'db'  that accept this access, return ACCEPT

3. If there is an entry in 'table'  that accept this access, return ACCEPT

4. If there is an entry in 'column'  that accept this access, return ACCEPT

Second try the user's group/role names one by one until we get an ACCEPT. 

For each role/group, we do the same routine as we did for user name.

...

8. Metastore upgrade script for mysql

Code Block

--
-- Table structure for table {{ROLES}}
--

DROP TABLE IF EXISTS {{ROLES}};
CREATE TABLE {{ROLES}} (
  {{ROLE_ID}} bigint(20) NOT NULL,
  {{CREATE_TIME}} int(11) NOT NULL,
  {{OWNER_NAME}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{ROLE_NAME}} varchar(128) character set latin1 collate latin1_bin default NULL,
  PRIMARY KEY  ({{ROLE_ID}}),
  UNIQUE KEY {{ROLEENTITYINDEX}} ({{ROLE_NAME}})
) ENGINE=InnoDB DEFAULT CHARSET=latin1;


--
-- Table structure for table {{ROLE_MAP}}
--

DROP TABLE IF EXISTS {{ROLE_MAP}};
CREATE TABLE {{ROLE_MAP}} (
  {{ROLE_GRANT_ID}} bigint(20) NOT NULL,
  {{ADD_TIME}} int(11) NOT NULL,
  {{GRANT_OPTION}} smallint(6) NOT NULL,
  {{GRANTOR}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{GRANTOR_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PRINCIPAL_NAME}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PRINCIPAL_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{ROLE_ID}} bigint(20) default NULL,
  PRIMARY KEY  ({{ROLE_GRANT_ID}}),
  UNIQUE KEY {{USERROLEMAPINDEX}} ({{PRINCIPAL_NAME}},{{ROLE_ID}},{{GRANTOR}},{{GRANTOR_TYPE}}),
  KEY {{ROLE_MAP_N49}} ({{ROLE_ID}}),
  CONSTRAINT {{ROLE_MAP_FK1}} FOREIGN KEY ({{ROLE_ID}}) REFERENCES {{ROLES}} ({{ROLE_ID}})
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Table structure for table {{GLOBAL_PRIVS}}
--

DROP TABLE IF EXISTS {{GLOBAL_PRIVS}};
CREATE TABLE {{GLOBAL_PRIVS}} (
  {{USER_GRANT_ID}} bigint(20) NOT NULL,
  {{CREATE_TIME}} int(11) NOT NULL,
  {{GRANT_OPTION}} smallint(6) NOT NULL,
  {{GRANTOR}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{GRANTOR_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PRINCIPAL_NAME}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PRINCIPAL_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{USER_PRIV}} varchar(128) character set latin1 collate latin1_bin default NULL,
  PRIMARY KEY  ({{USER_GRANT_ID}}),
  UNIQUE KEY {{GLOBALPRIVILEGEINDEX}} ({{PRINCIPAL_NAME}},{{PRINCIPAL_TYPE}},{{USER_PRIV}},{{GRANTOR}},{{GRANTOR_TYPE}})
) ENGINE=InnoDB DEFAULT CHARSET=latin1;


--
-- Table structure for table {{DB_PRIVS}}
--

DROP TABLE IF EXISTS {{DB_PRIVS}};
CREATE TABLE {{DB_PRIVS}} (
  {{DB_GRANT_ID}} bigint(20) NOT NULL,
  {{CREATE_TIME}} int(11) NOT NULL,
  {{DB_ID}} bigint(20) default NULL,
  {{GRANT_OPTION}} smallint(6) NOT NULL,
  {{GRANTOR}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{GRANTOR_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PRINCIPAL_NAME}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PRINCIPAL_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{DB_PRIV}} varchar(128) character set latin1 collate latin1_bin default NULL,
  PRIMARY KEY  ({{DB_GRANT_ID}}),
  UNIQUE KEY {{DBPRIVILEGEINDEX}} ({{DB_ID}},{{PRINCIPAL_NAME}},{{PRINCIPAL_TYPE}},{{DB_PRIV}},{{GRANTOR}},{{GRANTOR_TYPE}}),
  KEY {{DB_PRIVS_N49}} ({{DB_ID}}),
  CONSTRAINT {{DB_PRIVS_FK1}} FOREIGN KEY ({{DB_ID}}) REFERENCES {{DBS}} ({{DB_ID}})
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Table structure for table {{TBL_PRIVS}}
--

DROP TABLE IF EXISTS {{TBL_PRIVS}};

CREATE TABLE {{TBL_PRIVS}} (
  {{TBL_GRANT_ID}} bigint(20) NOT NULL,
  {{CREATE_TIME}} int(11) NOT NULL,
  {{GRANT_OPTION}} smallint(6) NOT NULL,
  {{GRANTOR}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{GRANTOR_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PRINCIPAL_NAME}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PRINCIPAL_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{TBL_PRIV}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{TBL_ID}} bigint(20) default NULL,
  PRIMARY KEY  ({{TBL_GRANT_ID}}),
  KEY {{TBL_PRIVS_N49}} ({{TBL_ID}}),
  KEY {{TABLEPRIVILEGEINDEX}} ({{TBL_ID}},{{PRINCIPAL_NAME}},{{PRINCIPAL_TYPE}},{{TBL_PRIV}},{{GRANTOR}},{{GRANTOR_TYPE}}),
  CONSTRAINT {{TBL_PRIVS_FK1}} FOREIGN KEY ({{TBL_ID}}) REFERENCES {{TBLS}} ({{TBL_ID}})
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Table structure for table {{PART_PRIVS}}
--

DROP TABLE IF EXISTS {{PART_PRIVS}};

CREATE TABLE {{PART_PRIVS}} (
  {{PART_GRANT_ID}} bigint(20) NOT NULL,
  {{CREATE_TIME}} int(11) NOT NULL,
  {{GRANT_OPTION}} smallint(6) NOT NULL,
  {{GRANTOR}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{GRANTOR_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PART_ID}} bigint(20) default NULL,
  {{PRINCIPAL_NAME}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PRINCIPAL_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PART_PRIV}} varchar(128) character set latin1 collate latin1_bin default NULL,
  PRIMARY KEY  ({{PART_GRANT_ID}}),
  KEY {{PARTPRIVILEGEINDEX}} ({{PART_ID}},{{PRINCIPAL_NAME}},{{PRINCIPAL_TYPE}},{{PART_PRIV}},{{GRANTOR}},{{GRANTOR_TYPE}}),
  KEY {{PART_PRIVS_N49}} ({{PART_ID}}),
  CONSTRAINT {{PART_PRIVS_FK1}} FOREIGN KEY ({{PART_ID}}) REFERENCES {{PARTITIONS}} ({{PART_ID}})
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Table structure for table {{TBL_COL_PRIVS}}
--

DROP TABLE IF EXISTS {{TBL_COL_PRIVS}};
CREATE TABLE {{TBL_COL_PRIVS}} (
  {{TBL_COLUMN_GRANT_ID}} bigint(20) NOT NULL,
  {{COLUMN_NAME}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{CREATE_TIME}} int(11) NOT NULL,
  {{GRANT_OPTION}} smallint(6) NOT NULL,
  {{GRANTOR}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{GRANTOR_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PRINCIPAL_NAME}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PRINCIPAL_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{TBL_COL_PRIV}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{TBL_ID}} bigint(20) default NULL,
  PRIMARY KEY  ({{TBL_COLUMN_GRANT_ID}}),
  KEY {{TABLECOLUMNPRIVILEGEINDEX}} ({{TBL_ID}},{{COLUMN_NAME}},{{PRINCIPAL_NAME}},{{PRINCIPAL_TYPE}},{{TBL_COL_PRIV}},{{GRANTOR}},{{GRANTOR_TYPE}}),
  KEY {{TBL_COL_PRIVS_N49}} ({{TBL_ID}}),
  CONSTRAINT {{TBL_COL_PRIVS_FK1}} FOREIGN KEY ({{TBL_ID}}) REFERENCES {{TBLS}} ({{TBL_ID}})
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

DROP TABLE IF EXISTS {{PART_COL_PRIVS}};
CREATE TABLE {{PART_COL_PRIVS}} (
  {{PART_COLUMN_GRANT_ID}} bigint(20) NOT NULL,
  {{COLUMN_NAME}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{CREATE_TIME}} int(11) NOT NULL,
  {{GRANT_OPTION}} smallint(6) NOT NULL,
  {{GRANTOR}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{GRANTOR_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PART_ID}} bigint(20) default NULL,
  {{PRINCIPAL_NAME}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PRINCIPAL_TYPE}} varchar(128) character set latin1 collate latin1_bin default NULL,
  {{PART_COL_PRIV}} varchar(128) character set latin1 collate latin1_bin default NULL,
  PRIMARY KEY  ({{PART_COLUMN_GRANT_ID}}),
  KEY {{PART_COL_PRIVS_N49}} ({{PART_ID}}),
  KEY {{PARTITIONCOLUMNPRIVILEGEINDEX}} ({{PART_ID}},{{COLUMN_NAME}},{{PRINCIPAL_NAME}},{{PRINCIPAL_TYPE}},{{PART_COL_PRIV}},{{GRANTOR}},{{GRANTOR_TYPE}}),
  CONSTRAINT {{PART_COL_PRIVS_FK1}} FOREIGN KEY ({{PART_ID}}) REFERENCES {{PARTITIONS}} ({{PART_ID}})
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

...