Authorization Privilege Model for Hive and Impala
The tables below describe the privileges that you can use with Hive and Impala, only Hive, and only Impala. For information about the Sentry privilege model, see Privilege Model.
Privileges can be granted on different objects in the Hive warehouse. Any privilege that can be granted is associated with a level in the object hierarchy. If a privilege is granted on a container object in the hierarchy, the base object automatically inherits it. For instance, if a user has ALL privileges on the database scope, then that user has ALL privileges on all of the base objects contained within that scope.
Note that because of this object hierarchy, it is possible for a user to read data from a database that the user does not have access to. For example, you have two roles:
- role1 - full access to database1 and database2
- role2 - full access to database1, no access to database2
A user with role1 can create a view in database1 based on a table in database2. Because role2 has access to database1, a user with role2 can read the data in that view from database2.
Object Hierarchy
Server URI Database Table Partition Columns View
Privilege | Object |
---|---|
INSERT | DB, TABLE |
SELECT | DB, TABLE, VIEW, COLUMN |
ALL | SERVER, TABLE, DB, URI |
- hdfs://host:port/directory_A/directory_B
- hdfs://host:port/directory_A/directory_B/directory_C
- hdfs://host:port/directory_A/directory_B/directory_C/directory_D
- hdfs://host:port/directory_A/directory_B/directory_E
Base Object | Granular privileges on object | Container object that contains the base object | Privileges on container object that implies privileges on the base object |
---|---|---|---|
DATABASE | ALL | SERVER | ALL |
TABLE | INSERT | DATABASE | ALL |
TABLE | SELECT | DATABASE | ALL |
COLUMN | SELECT | DATABASE | ALL |
VIEW | SELECT | DATABASE | ALL |
Privilege table for Hive & Impala operations
Operation | Scope | Privileges Required | URI |
---|---|---|---|
CREATE DATABASE | SERVER | ALL | |
DROP DATABASE | DATABASE | ALL | |
CREATE TABLE | DATABASE | ALL | |
DROP TABLE | TABLE | ALL | |
CREATE VIEW
-This operation is allowed if you have column-level SELECT access to the columns being used. |
DATABASE; SELECT on TABLE; | ALL | |
ALTER VIEW
-This operation is allowed if you have column-level SELECT access to the columns being used. |
VIEW/TABLE | ALL | |
DROP VIEW | VIEW/TABLE | ALL | |
ALTER TABLE .. ADD COLUMNS | TABLE | ALL | |
ALTER TABLE .. REPLACE COLUMNS | TABLE | ALL | |
ALTER TABLE .. CHANGE column | TABLE | ALL | |
ALTER TABLE .. RENAME | TABLE | ALL | |
ALTER TABLE .. SET TBLPROPERTIES | TABLE | ALL | |
ALTER TABLE .. SET FILEFORMAT | TABLE | ALL | |
ALTER TABLE .. SET LOCATION | TABLE | ALL | URI |
ALTER TABLE .. ADD PARTITION | TABLE | ALL | |
ALTER TABLE .. ADD PARTITION location | TABLE | ALL | URI |
ALTER TABLE .. DROP PARTITION | TABLE | ALL | |
ALTER TABLE .. PARTITION SET FILEFORMAT | TABLE | ALL | |
SHOW CREATE TABLE | TABLE | SELECT | |
SHOW PARTITIONS | TABLE | SELECT/INSERT | |
SHOW TABLES
-Output includes all the tables for which the user has table-level privileges and all the tables for which the user has some column-level privileges. |
TABLE | SELECT/INSERT | |
SHOW GRANT ROLE
-Output includes an additional field for any column-level privileges. |
TABLE | SELECT/INSERT | |
DESCRIBE TABLE
-Output shows all columns if the user has table level-privileges or SELECT privilege on at least one table column |
TABLE | SELECT/INSERT | |
LOAD DATA | TABLE | INSERT | URI |
SELECT
-You can grant the SELECT privilege on a view to give users access to specific columns of a table they do not otherwise have access to. -See Column-level Authorization for details on allowed column-level operations. |
VIEW/TABLE; COLUMN | SELECT | |
INSERT OVERWRITE TABLE | TABLE | INSERT | |
CREATE TABLE .. AS SELECT
-This operation is allowed if you have column-level SELECT access to the columns being used. |
DATABASE; SELECT on TABLE | ALL | |
USE <dbName> | Any | ||
CREATE FUNCTION | SERVER | ALL | |
ALTER TABLE .. SET SERDEPROPERTIES | TABLE | ALL | |
ALTER TABLE .. PARTITION SET SERDEPROPERTIES | TABLE | ALL |
Privilege table for Hive-only operations
Operation | Scope | Privileges Required | URI |
---|---|---|---|
INSERT OVERWRITE DIRECTORY | TABLE | INSERT | URI |
Analyze TABLE | TABLE | SELECT + INSERT | |
IMPORT TABLE | DATABASE | ALL | URI |
EXPORT TABLE | TABLE | SELECT | URI |
ALTER TABLE TOUCH | TABLE | ALL | |
ALTER TABLE TOUCH PARTITION | TABLE | ALL | |
ALTER TABLE .. CLUSTERED BY SORTED BY | TABLE | ALL | |
ALTER TABLE .. ENABLE/DISABLE | TABLE | ALL | |
ALTER TABLE .. PARTITION.. RENAME TO PARTITION | TABLE | ALL | |
MSCK REPAIR TABLE | TABLE | ALL | |
ALTER DATABASE | DATABASE | ALL | |
DESCRIBE DATABASE | DATABASE | SELECT/INSERT | |
SHOW COLUMNS
-Output for this operation filters columns to which the user does not have explicit SELECT access |
TABLE | SELECT/INSERT | |
CREATE INDEX | TABLE | ALL | |
DROP INDEX | TABLE | ALL | |
SHOW INDEXES | TABLE | SELECT/INSERT | |
GRANT PRIVILEGE | Allowed only for Sentry admin users | ||
REVOKE PRIVILEGE | Allowed only for Sentry admin users | ||
SHOW GRANT | Allowed only for Sentry admin users | ||
SHOW TBLPROPERTIES
This statement is only supported in Hive. |
TABLE | SELECT/INSERT | |
DESCRIBE TABLE .. PARTITION | TABLE | SELECT/INSERT | |
ADD ARCHIVE[S] | Not Allowed | ||
ADD FILE[S] | Not Allowed | ||
ADD JAR[S] | Not Allowed | ||
DELETE JAR[S] | Not Allowed | ||
DFS | Not Allowed | ||
LIST JAR[S] | Not Allowed | ||
SHOW CREATE VIEW | VIEW | SELECT |
Privilege table for Impala-only operations
Operation | Scope | Privileges Required | URI |
---|---|---|---|
EXPLAIN INSERT | TABLE; COLUMN | INSERT | |
EXPLAIN SELECT | TABLE; COLUMN | SELECT | |
INVALIDATE METADATA | SERVER | ALL | |
INVALIDATE METADATA <table name> | TABLE | SELECT/INSERT | |
REFRESH <table name> or REFRESH <table name> PARTITION (<partition_spec>) | TABLE | SELECT/INSERT | |
DROP FUNCTION | SERVER | ALL | |
COMPUTE STATS | TABLE | ALL | |
SHOW CREATE VIEW | VIEW / TABLE(S) | SELECT |
<< Synchronizing HDFS ACLs and Sentry Permissions | ©2016 Cloudera, Inc. All rights reserved | Authorization Privilege Model for Cloudera Search >> |
Terms and Conditions Privacy Policy |