Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagetext
SET ROLE (role_name|ALL|NONE);

If a role_name is specified, then that role becomes the only role in current roles.

Setting role_name to ALL refreshes the list of current roles (in case new roles were granted to the user) and sets them to the default list of roles.

Setting role_name to NONE will remove all current roles from the current user. (It's introduced in HIVE-11780 and will be included in the upcoming versions 1.3.0 and 1.2.2.)

If a role the user does not belong to is specified as the role_name, it will result in an error.

...

Note that in case of the REVOKE statement, the DROP-BEHAVIOR option of CASCADE is not currently supported (which is in SQL standard). As a result, the revoke statement will not drop any dependent privileges. For details on CASCADE behavior, you can check the Postgres revoke documentationbehavior, you can check the Postgres revoke documentation.

Examples:

Code Block
languagetext
0: jdbc:hive2://localhost:10000/default> grant select on table secured_table to role my_role;
No rows affected (0.046 seconds)

0: jdbc:hive2://localhost:10000/default> revoke update, select on table secured_table from role my_role;
No rows affected (0.028 seconds)

Notice that in Hive, unlike in standard SQL, USER or ROLE must be specified in the principal_specification.

Show Grant

Code Block
languagetext
SHOW GRANT [principal_namespecification] ON (ALL | ([TABLE] table_or_view_name)

...

;
 
principal_specification
  : USER user
  | ROLE role

Currently any user can run this command. But this is likely to change in the future to allow users to see only their own privileges, and additional privileges would be needed to see privileges of other users.

...

Action
Select
Insert
Update
Delete
Ownership
Admin
URI Privilege (RWX Permission + Ownership)
CREATE TABLE    Y (of database) Y  (for create external table – the location)
DROP TABLE    Y  
DESCRIBE TABLEY      
SHOW PARTITIONSY      
ALTER TABLE LOCATION    Y Y (for new location)
ALTER PARTITION LOCATION    Y Y (for new partition location)
ALTER TABLE ADD PARTITION Y    Y (for partition location)
ALTER TABLE DROP PARTITION   Y   
ALTER TABLE (all of them except the ones above)    Y  
TRUNCATE TABLE    Y  
CREATE VIEWY + G      
ALTER VIEW PROPERTIES    Y  
ALTER VIEW RENAME    Y  
DROP VIEW PROPERTIES    Y  
DROP VIEW    Y  
ANALYZE TABLEYY     
SHOW COLUMNSY      
SHOW TABLE STATUSY      
SHOW TABLE PROPERTIESY      
CREATE TABLE AS SELECTY (of input)   Y (of database)  
CREATE INDEX    Y (of table)  
DROP INDEX    Y  
ALTER INDEX REBUILD    Y  
ALTER INDEX PROPERTIES    Y  
SELECTY      
INSERT Y Y (for OVERWRITE)   
UPDATE  Y    
DELETE   Y   
LOAD Y (output) Y (output)  Y (input location)
SHOW CREATE TABLEY+G      
CREATE FUNCTION     Y 
DROP FUNCTION     Y 
CREATE MACRO     Y 
DROP MACRO     Y 
MSCK (metastore check)     Y 
ALTER DATABASE     Y 
CREATE DATABASE      Y (if custom location specified)
EXPLAINY      
DROP DATABASE    Y  
Info
titleVersion Information

As of Hive 3.0.0 (HIVE-12408), Ownership is not required for the URI Privilege.


Configuration

For Hive 0.13.x

...

  • -hiveconf hive.security.authorization.enabled=true
  • -hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
  • -hiveconf hive.metastore.uris=' '

For Hive 0.14 and

...

Newer

Set the following in hive-site.xml:

...

Set the following in hiveserver2-site.xml:

  • -hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
  • -hiveconf hive.security.authorization.enabled=true
  • -hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
  • -hiveconf hive.metastore.uris=' '

Known Issues

...