Versions Compared

Old Version 5

changes.mady.by.user Thejas Nair

Saved on

compared with

New Version 6

changes.mady.by.user Thejas Nair

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...


CREATE ROLE <rolename>;
Creates a new role. Only admin role has privilege for this.
The role names ALL, DEFAULT and NONE are reserved.

DROP ROLE  <rolename>;
Drops the given role. Only admin role has privilege for this.

SHOW CURRENT ROLES;
Shows the list of current roles. All actions of the user are authorized by looking at the privileges of the user and all current roles of the user.
The default current roles has all roles for the user except for the admin role (even if the user belongs to the admin role as well).
Any user can run this command.

SET ROLE (<rolename>|ALL)
If a <rolename> is specified, then that role becomes the only role in current roles.
Setting role name to ALL refereshes the list of current roles (in case new roles were granted to the user) and sets them to default list of roles.

If a role the user does not belong to is specified as the <rolename>, it will result in an error.

SHOW ROLES
List all currently existing roles.
Only admin role has privilege for this.

GRANT ROLE <role_name> [, <role_name>] ...
TO principal_specification [, principal_specification] ...
[ WITH ADMIN OPTION ]

principal_specification
  : USER user
  | ROLE role

Grant one or more roles to other roles or users.
If “WITH ADMIN OPTION” is specified, then the user gets privileges to grant the role to other users/roles.
If the grant statement ends up creating  a cycling relationship between roles, the command will fail with an error.


REVOKE ROLE <role_name> [, <role_name>] ...
FROM principal_specification [, principal_specification] ...

principal_specification
  : USER user
  | ROLE role

Revokes the membership of the roles from the user/roles in the FROM clause.
Currently revoking just the ADMIN OPTION is not possible. You need to revoke the principal’s role grant, and then grant the role to principal without admin option.

SHOW ROLE GRANT (USER|ROLE) <principalname>
Where principal name is the name of a user or role.

Lists all roles the given user or role has been granted.
Currently any user can run this command. But this is likely to change in future to allow users to see only their own role grants, and additional privileges would be needed to see role grants of other users.
 
0: jdbc:hive2://localhost:10000> GRANT role1 TO USER user1 ;
No rows affected (0.058 seconds)

0: jdbc:hive2://localhost:10000> SHOW ROLE GRANT USER user1
+---------+---------------+----------------+----------+
|  role   | grant_option  |   grant_time   | grantor  |
+---------+---------------+----------------+----------+
| public  | false         | 0              |          |
| role1   | false         | 1398284083000  | uadmin   |
+---------+---------------+----------------+----------+


SHOW PRINCIPALS <rolename>
Lists all roles and users who belong to this role.
Only admin role has privilege for this.

0: jdbc:hive2://localhost:10000> SHOW PRINCIPALS role1;
+-----------------+-----------------+---------------+----------+---------------+----------------+
| principal_name  | principal_type  | grant_option  | grantor  | grantor_type  |   grant_time   |
+-----------------+-----------------+---------------+----------+---------------+----------------+
| role2           | ROLE            | false         | uadmin   | USER          | 1398285926000  |
| role3           | ROLE            | true          | uadmin   | USER          | 1398285946000  |
| user1           | USER            | false         | uadmin   | USER          | 1398285977000  |
+-----------------+-----------------+---------------+----------+---------------+----------------+

Managing object privileges

GRANT

    priv_type [, priv_type ] ...

    ON <table_or_view_name>

    TO principal_specification [, principal_specification] ...

    [WITH GRANT OPTION]

 

REVOKE

    priv_type [, priv_type ] ...

    ON <table_or_view_name>

    FROM principal_specification [, principal_specification] ...


principal_specification
  : USER user
  | ROLE role

If a user is granted a privilege WITH GRANT OPTION on a user or a role, then the user can also grant other users the privileges it has on those tables.

 

Note that in case of the REVOKE statement, the DROP-BEHAVIOR option of CASCADE is not currently supported (which is in SQL standard). As a result, the revoke statement will not drop any dependent privileges. For details on CASCADE behavior, you can check the postgres revoke documentation.

 

 

Configuration

Set the following to hive-site.xml
hive.server2.enable.doAs to false.
hive.users.in.admin.role to the list of comma separated users who need to be added to admin role

Start hiveserver2 with the following additional commandline options -

-hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory

-hiveconf hive.security.authorization.enabled=true

-hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator.

-hiveconf hive.metastore.uris=' '

 

References

For information on the SQL standard for security see:

...