[备忘]Hive权限授权命令

官方文档:https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization Hive支持的权限有Users,Groups,Roles 一个角色可以包含组或者用户 By default, the Metastore uses the HadoopDefaultAuthenticator for determing user -> group mappings metastore默认会以metastore所在的机器根据用户名获取用户所属的组,而不是客户端的组。  

创建角色

CREATE ROLE role_name
DROP ROLE role_name

角色分配

GRANT ROLE role_name [, role_name] ...
TO principal_specification [, principal_specification] ...

REVOKE ROLE role_name [, role_name] ...
FROM principal_specification [, principal_specification] ...

principal_specification
  : USER user
  ¦ GROUP group
  ¦ ROLE role

-- 查看权限
SHOW ROLE GRANT principal_specification

-- 例子:
CREATE ROLE youxi_role;
GRANT ROLE youxi_role TO USER fatkun;

权限

Hive的权限支持全局权限(Global)、数据库、表、分区、列。 priv_type

权限名称含义
ALL所有权限
ALTER允许修改元数据(modify metadata data of object)—表信息数据
UPDATE允许修改物理数据(modify physical data of object)—实际数据
CREATE允许进行Create操作
DROP允许进行DROP操作
INDEX允许建索引(目前还没有实现)
LOCK当出现并发的使用允许用户进行LOCK和UNLOCK操作
SELECT允许用户进行SELECT操作
SHOW_DATABASE允许用户查看可用的数据库
 
GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_type]
    TO principal_specification [, principal_specification] ...
    [WITH GRANT OPTION]

REVOKE priv_type [(column_list)] [, priv_type [(column_list)]] ... [ON object_type priv_level] FROM principal_specification [, principal_specification] ...

REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ...

object_type: TABLE ¦ DATABASE

priv_level: db_name ¦ tbl_name

例子: GRANT ALL ON DATABASE default TO USER fatkun; GRANT ALL ON TABLE test TO GROUP kpi; REVOKE ALL ON TABLE test FROM GROUP kpi; GRANT ALL TO USER fatkun; REVOKE ALL FROM fatkun;

授权还是挺麻烦的。。你在哪一级别授权,只能在那个级别收回授权。

查看权限

SHOW GRANT principal_specification
[ON object_type priv_level [(column_list)]]

例子:
SHOW GRANT GROUP kpi ON TABLE test;

 

updatedupdated2024-11-302024-11-30