Cloudera Enterprise 6.0.x | Other versions

Authorization Privilege Model for Hive and Impala

The tables below describe the privileges that you can use with Hive and Impala, only Hive, and only Impala. For information about the Sentry privilege model, see Privilege Model.

Privileges can be granted on different objects in the Hive warehouse. Any privilege that can be granted is associated with a level in the object hierarchy. If a privilege is granted on a container object in the hierarchy, the base object automatically inherits it. For instance, if a user has ALL privileges on the database scope, then that user has ALL privileges on all of the base objects contained within that scope.

  Important:

Note that because of this object hierarchy, it is possible for a user to read data from a database that the user does not have access to. For example, you have two roles:

  • role1 - full access to database1 and database2
  • role2 - full access to database1, no access to database2

A user with role1 can create a view in database1 based on a table in database2. Because role2 has access to database1, a user with role2 can read the data in that view from database2.

Object Hierarchy

Server
     URI
     Database
         Table
             Partition
             Columns
         View
Table 1. Valid privilege types and objects they apply to
Privilege Object
INSERT DB, TABLE
SELECT DB, TABLE, VIEW, COLUMN
ALL SERVER, TABLE, DB, URI
Note that when you grant ALL on a URI, those permissions extend into the subdirectories in that path. For example, if a role has ALL on the following URI:
  • hdfs://host:port/directory_A/directory_B
That role will also have ALL on these directories:
  • hdfs://host:port/directory_A/directory_B/directory_C
  • hdfs://host:port/directory_A/directory_B/directory_C/directory_D
  • hdfs://host:port/directory_A/directory_B/directory_E
URI permissions do not affect HDFS ACL's.
Table 2. Privilege hierarchy
Base Object Granular privileges on object Container object that contains the base object Privileges on container object that implies privileges on the base object
DATABASE ALL SERVER ALL
TABLE INSERT DATABASE ALL
TABLE SELECT DATABASE ALL
COLUMN SELECT DATABASE ALL
VIEW SELECT DATABASE ALL

Privilege table for Hive & Impala operations

Operation Scope Privileges Required URI
CREATE DATABASE SERVER ALL  
DROP DATABASE DATABASE ALL  
CREATE TABLE DATABASE ALL  
DROP TABLE TABLE ALL  
CREATE VIEW

-This operation is allowed if you have column-level SELECT access to the columns being used.

 DATABASE; SELECT on TABLE; ALL  
ALTER VIEW

-This operation is allowed if you have column-level SELECT access to the columns being used.

 VIEW/TABLE ALL  
DROP VIEW VIEW/TABLE ALL  
ALTER TABLE .. ADD COLUMNS TABLE ALL  
ALTER TABLE .. REPLACE COLUMNS TABLE ALL  
ALTER TABLE .. CHANGE column TABLE ALL  
ALTER TABLE .. RENAME TABLE ALL  
ALTER TABLE .. SET TBLPROPERTIES TABLE ALL  
ALTER TABLE .. SET FILEFORMAT TABLE ALL  
ALTER TABLE .. SET LOCATION TABLE ALL URI
ALTER TABLE .. ADD PARTITION TABLE ALL  
ALTER TABLE .. ADD PARTITION location TABLE ALL URI
ALTER TABLE .. DROP PARTITION TABLE ALL  
ALTER TABLE .. PARTITION SET FILEFORMAT TABLE ALL  
SHOW CREATE TABLE TABLE SELECT  
SHOW PARTITIONS TABLE SELECT/INSERT  
SHOW TABLES

-Output includes all the tables for which the user has table-level privileges and all the tables for which the user has some column-level privileges.

 TABLE SELECT/INSERT  
SHOW GRANT ROLE

-Output includes an additional field for any column-level privileges.

 TABLE SELECT/INSERT  
DESCRIBE TABLE

-Output shows all columns if the user has table level-privileges or SELECT privilege on at least one table column

 TABLE SELECT/INSERT  
LOAD DATA TABLE INSERT URI
SELECT

-You can grant the SELECT privilege on a view to give users access to specific columns of a table they do not otherwise have access to.

-See Column-level Authorization for details on allowed column-level operations.

 VIEW/TABLE; COLUMN SELECT  
INSERT OVERWRITE TABLE TABLE INSERT  
CREATE TABLE .. AS SELECT

-This operation is allowed if you have column-level SELECT access to the columns being used.

 DATABASE; SELECT on TABLE ALL  
USE <dbName> Any    
CREATE FUNCTION SERVER ALL  
ALTER TABLE .. SET SERDEPROPERTIES TABLE ALL  
ALTER TABLE .. PARTITION SET SERDEPROPERTIES TABLE ALL  

Privilege table for Hive-only operations

Operation Scope Privileges Required URI
INSERT OVERWRITE DIRECTORY TABLE INSERT URI
Analyze TABLE TABLE SELECT + INSERT  
IMPORT TABLE DATABASE ALL URI
EXPORT TABLE TABLE SELECT URI
ALTER TABLE TOUCH TABLE ALL  
ALTER TABLE TOUCH PARTITION TABLE ALL  
ALTER TABLE .. CLUSTERED BY SORTED BY TABLE ALL  
ALTER TABLE .. ENABLE/DISABLE TABLE ALL  
ALTER TABLE .. PARTITION.. RENAME TO PARTITION TABLE ALL  
MSCK REPAIR TABLE TABLE ALL  
ALTER DATABASE DATABASE ALL  
DESCRIBE DATABASE DATABASE SELECT/INSERT  
SHOW COLUMNS

-Output for this operation filters columns to which the user does not have explicit SELECT access

 TABLE SELECT/INSERT  
CREATE INDEX TABLE ALL  
DROP INDEX TABLE ALL  
SHOW INDEXES TABLE SELECT/INSERT  
GRANT PRIVILEGE Allowed only for Sentry admin users    
REVOKE PRIVILEGE Allowed only for Sentry admin users    
SHOW GRANT Allowed only for Sentry admin users    
SHOW TBLPROPERTIES

This statement is only supported in Hive.

 TABLE SELECT/INSERT  
DESCRIBE TABLE .. PARTITION TABLE SELECT/INSERT  
ADD ARCHIVE[S] Not Allowed    
ADD FILE[S] Not Allowed    
ADD JAR[S] Not Allowed    
DELETE JAR[S] Not Allowed    
DFS Not Allowed    
LIST JAR[S] Not Allowed    
SHOW CREATE VIEW VIEW SELECT  

Privilege table for Impala-only operations

Operation Scope Privileges Required URI
EXPLAIN INSERT TABLE; COLUMN INSERT  
EXPLAIN SELECT TABLE; COLUMN SELECT  
INVALIDATE METADATA SERVER ALL  
INVALIDATE METADATA <table name> TABLE SELECT/INSERT  
REFRESH <table name> or REFRESH <table name> PARTITION (<partition_spec>) TABLE SELECT/INSERT  
DROP FUNCTION SERVER ALL  
COMPUTE STATS TABLE ALL  
SHOW CREATE VIEW VIEW / TABLE(S) SELECT  
Page generated July 25, 2018.