Shulou(Shulou.com)06/03 Report--

Sentry permission control is configured by entering Grant and Revoke statements through Beeline (Hiveserver2 SQL command line interface). The syntax is similar to some of today's mainstream relational databases. It is important to note that when the sentry service is enabled, we must use the beeline interface to execute the hive query, and Hive Cli does not support sentry.

CREATE ROLE Statement

The CREATE ROLE statement creates a role that can be delegated. Permissions can be assigned to roles and then assigned to individual users. A user can perform the permissions of a role after it is assigned to that role.

Only the administrator role can create/drop the role. By default, hive, impala, and hue users have the administrator role.

CREATE ROLE [role_name]; DROP ROLE Statement

The DROP ROLE statement can be used to remove a role from the database. Once removed, the role previously assigned to all users will be cancelled. Statements that have been executed before are not affected. However, because hive checks the user's permissions before executing each query, user sessions that are active in login are affected.

DROP ROLE [role_name]; GRANT ROLE Statement

The GRANT ROLE statement can be used to grant roles to a group. Only the administrator user of sentry can perform this operation.

GRANT ROLE role_name [, role_name] TO GROUP (groupName) [, GROUP (groupName)] REVOKE ROLE Statement

The REVOKE ROLE statement can be used to remove roles from a group. Only the administrator user of sentry can perform this operation.

REVOKE ROLE role_name [, role_name] FROM GROUP (groupName) [, GROUP (groupName)] GRANT (PRIVILEGE) Statement

Grant permissions to an object to a role that must be an administrator user of sentry.

GRANT (PRIVILEGE) [, (PRIVILEGE)] ON (OBJECT) (object_name) TO ROLE (roleName) [, ROLE (roleName)] REVOKE (PRIVILEGE) Statement

Because only authenticated administrator users can create roles, only administrator users can revoke the permissions of a group.

REVOKE (PRIVILEGE) [, (PRIVILEGE)] ON (OBJECT) (object_name) FROM ROLE (roleName) [, ROLE (roleName)] GRANT (PRIVILEGE). WITH GRANT OPTION

In cdh6.2, you can delegate to other roles to grant and revoke permissions. For example, a role that is granted WITH GRANT OPTION permissions can GRANT/REVOKE the same permissions to other roles. Therefore, if a role has all the permissions of a library and WITH GRANT OPTION is set, users assigned by that role can execute GRANT/REVOKE statements against the database and the tables in it.

GRANT (PRIVILEGE) ON (OBJECT) (object_name) TO ROLE (roleName) WITH GRANT OPTION

Only a role with a special permission with the GRANT option or its parent permission can remove this permission from another role. Once the following statement is executed, all grant permissions associated with it will be revoked.

REVOKE (RIVILEGE) ON (BJECT) (bject_name) FROM ROLE (roleName)

Hive currently does not support removing the permissions previously granted to a role WITH GRANT OPTION. To remove WITH GRANT OPTION and remove permissions, you can re-remove the WITH GRANT OPTION flag to attach rights again.

SET ROLE Statement

The SET ROLE statement can select a role for the current session to take effect. A user can only enable the roles assigned to him. Any roles that do not exist and roles that cannot be used by the current user cannot take effect. If no role is used, the user will use the permissions of any role that belongs to him.

Select a role to use:

To enable a specific role:

Use all roles:

To enable a specific role:

Turn off all roles

SET ROLE NONE;SHOW Statement

Displays the database in which the current user has permissions related to libraries, tables, and columns:

SHOW DATABASES

Displays the table in which the current user has permissions related to tables and columns

SHOW TABLES

Displays the columns for which the current user has SELECT permissions:

SHOW COLUMNS (FROM | IN) table_name [(FROM | IN) db_name]

Displays all roles in the current system (only administrator users can perform):

SHOW ROLES

Displays the roles that currently affect the current session:

SHOW CURRENT ROLES

Displays all roles assigned to the specified group (only administrator users and users within the specified group can perform)

SHOW ROLE GRANT GROUP (groupName)

The SHOW statement can be used to display the permissions granted by a role or to display all permissions for a specific object of the role.

Displays all granted permissions for the specified role. (only administrator users and users assigned to the specified role can perform). The following statement also shows any column-level permissions.

SHOW GRANT ROLE (roleName)

Displays all granted permissions for a role of the specified object (only administrator users and users assigned to the specified role can perform). The following statement also shows any column-level permissions.

SHOW GRANT ROLE (roleName) on (OBJECT) (objectName)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.