[Memo] Hive authorization commands

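Official documentation: https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization

Hive grants privileges to Users, Groups and Roles. A role can contain groups or users.

By default, the Metastore uses the HadoopDefaultAuthenticator for determining user -> group mappings. That is, the metastore looks up the groups a user belongs to by user name on the machine where the metastore runs, not from the client's groups.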

Creating roles

CREATE ROLE role_name
DROP ROLE role_name

Assigning roles

GRANT ROLE role_name [, role_name] ...
TO principal_specification [, principal_specification] ...

REVOKE ROLE role_name [, role_name] ...
FROM principal_specification [, principal_specification] ...

principal_specification
  : USER user
  | GROUP group
  | ROLE role

-- View privileges
SHOW ROLE GRANT principal_specification

-- Example:
CREATE ROLE youxi_role;
GRANT ROLE youxi_role TO USER fatkun;

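Privileges

Hive privileges can be granted at the global, database, table, partition and column level.

priv_type:

Privilege       Meaning
ALL             All privileges
ALTER           Allows modifying metadata (modify metadata data of object): the table information
UPDATE          Allows modifying physical data (modify physical data of object): the actual data
CREATE          Allows CREATE operations
DROP            Allows DROP operations
INDEX           Allows creating indexes (not implemented yet)
LOCK            Allows users to LOCK and UNLOCK when there is concurrent use
SELECT          Allows users to run SELECT
SHOW_DATABASE   Allows users to see the available databases
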
GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_type priv_level]
    TO principal_specification [, principal_specification] ...
    [WITH GRANT OPTION]

REVOKE
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_type priv_level]
    FROM principal_specification [, principal_specification] ...

REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ...

object_type: TABLE | DATABASE

priv_level: db_name | tbl_name

Examples:
GRANT ALL ON DATABASE default TO USER fatkun;
GRANT ALL ON TABLE test TO GROUP kpi;
REVOKE ALL ON TABLE test FROM GROUP kpi;
GRANT ALL TO USER fatkun;
REVOKE ALL FROM USER fatkun;

Granting is still rather tedious: a privilege can only be revoked at the same level at which it was granted.

Viewing privileges

SHOW GRANT principal_specification
[ON object_type priv_level [(column_list)]]

Example:
SHOW GRANT GROUP kpi ON TABLE test;
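
The note above about revoking at the level where the grant was made, walked through as an added example (not part of the original memo). It assumes the legacy authorization mode these commands belong to is switched on, and uses a constructed database game_db with a table game_events; youxi_role and fatkun are the names from the memo.

```sql
-- Added example. game_db and game_events are constructed names.
-- Assumption: legacy authorization mode, enabled for this session.
SET hive.security.authorization.enabled=true;

USE game_db;

-- 1. Role and membership, as in the memo's own example.
CREATE ROLE youxi_role;
GRANT ROLE youxi_role TO USER fatkun;

-- 2. The same privilege granted at two levels: two separate grant records.
GRANT SELECT ON DATABASE game_db TO ROLE youxi_role;
GRANT SELECT ON TABLE game_events TO ROLE youxi_role;

-- 3. Revoking at table level removes only the table-level record.
REVOKE SELECT ON TABLE game_events FROM ROLE youxi_role;

-- 4. Check each level: the database-level SELECT is still listed.
SHOW GRANT ROLE youxi_role ON TABLE game_events;
SHOW GRANT ROLE youxi_role ON DATABASE game_db;

-- 5. Revoke at the level where it was granted, then check again.
REVOKE SELECT ON DATABASE game_db FROM ROLE youxi_role;
SHOW GRANT ROLE youxi_role ON DATABASE game_db;

-- 6. Access can also reach the user through other principals, so review them too.
SHOW ROLE GRANT USER fatkun;   -- roles the user holds
SHOW GRANT USER fatkun;        -- global grants made directly to the user
```

When auditing who can read a table, run SHOW GRANT for every principal type (USER, GROUP, ROLE) at every level, and remember that group membership is the one resolved on the metastore host.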


Updated: 2023-12-06