...
● ALL PRIVILEGES - gives all privileges (gets translated into all the above privileges).
Objects
- The privileges apply to tables and views. The above privileges are not supported on databases.
- Database ownership is considered for certain actions.
- URI is another object in Hive, as Hive allows the use of URIs in SQL syntax. The above privileges are not applicable to URIs. A URI is expected to point to a file or directory in a file system. Authorization is done based on the permissions the user has on that file or directory.
...
For certain actions, the ownership of the object (table/view/database) determines if you are authorized to perform the action.
The user who creates the table, view or database becomes its owner. In the case of tables and views, the owner gets all the privileges with grant option.
A role can also be the owner of a database. The ALTER DATABASE command can be used to set the owner of a database to a role.
Users and Roles
Privileges can be granted to users as well as roles.
Users can belong to one or more roles.
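The ownership and role rules above, as an added HiveQL example that is not part of the original page. The database, table, role and user names (`sales`, `orders`, `analysts`, `data_owners`, `alice`, `bob`) are hypothetical, and the session user is assumed to be listed in hive.users.in.admin.role.

```sql
-- Added example; all object, role and user names are hypothetical.
-- Assumes the connected user is listed in hive.users.in.admin.role.

-- Membership in the admin role is not active by default; enable it first.
SET ROLE ADMIN;
SHOW CURRENT ROLES;

-- Create roles and assign users to them instead of granting to users one by one.
CREATE ROLE analysts;
CREATE ROLE data_owners;
GRANT analysts TO USER alice;
GRANT data_owners TO USER bob;

-- Privileges attach to tables and views, not to databases.
GRANT SELECT ON TABLE sales.orders TO ROLE analysts;

-- WITH GRANT OPTION lets the grantee pass the privilege on; grant it sparingly.
GRANT SELECT, INSERT ON TABLE sales.orders TO ROLE data_owners WITH GRANT OPTION;

-- Database ownership can be assigned to a role, so that ownership-gated
-- actions do not depend on a single user account.
ALTER DATABASE sales SET OWNER ROLE data_owners;

-- Review what has been granted, then remove anything no longer needed.
SHOW GRANT ROLE analysts ON TABLE sales.orders;
SHOW GRANT ROLE data_owners ON TABLE sales.orders;
SHOW ROLE GRANT USER alice;
REVOKE SELECT ON TABLE sales.orders FROM ROLE analysts;
```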
...
Action | Select | Insert | Delete | Ownership | Admin | URI privilege (RWX permission + Ownership) | |
---|---|---|---|---|---|---|---|
CREATE TABLE | Y -Of Database | RWX + Ownership: for Y (For create external table - the location) | |||||
DROP TABLE | Y | ||||||
DESCRIBE TABLE | Y | ||||||
SHOW PARTITIONS | Y | ||||||
ALTER TABLE LOCATION | Y | RWX + Ownership of Y (for new location) | |||||
ALTER PARTITION LOCATION | Y | RWX + Ownership of new location | Y (for new partition location) | ||||
ALTER TABLE ADD PARTITION | Y | Y (for partition location) | |||||
ALTER TABLE (all of them except the ones above) | Y | ||||||
TRUNCATE TABLE | Y | ||||||
CREATE VIEW | Y + G | ||||||
ALTER VIEW PROPERTIES | Y | ||||||
ALTER VIEW RENAME | Y | ||||||
DROP VIEW PROPERTIES | Y | ||||||
DROP VIEW | Y | ||||||
ANALYZE TABLE | Y | Y | |||||
SHOW COLUMNS | Y | ||||||
SHOW TABLE STATUS | Y | ||||||
SHOW TABLE PROPERTIES | Y | ||||||
CREATE TABLE AS SELECT | Y (of input) | Y (of database) | |||||
CREATE INDEX | Y(of table) | ||||||
DROP INDEX | Y | ||||||
ALTER INDEX REBUILD | Y | ||||||
ALTER INDEX PROPERTIES | Y | ||||||
QUERY (insert, select queries) | Y (input) | Y(output) | Y(output) | ||||
LOAD | Y(output) | Y(output) | Y (input location) | ||||
SHOW CREATE TABLE | Y+G | ||||||
CREATE FUNCTION | Y | ||||||
DROP FUNCTION | Y | ||||||
CREATE MACRO | Y | ||||||
DROP MACRO | Y | ||||||
MSCK (metastore check) | Y | ||||||
ALTER DATABASE | Y | ||||||
CREATE DATABASE | Y (if custom location specified) | ||||||
EXPLAIN | Y | ||||||
DROP DATABASE | Y |
Configuration
Set the following in hive-site.xml:
- hive.server2.enable.doAs to false.
- hive.users.in.admin.role to the comma-separated list of users who need to be added to the admin role.
...