CDH 5.8.4: Hive database and table permission control

1. View the Hive roles

hive> show roles;
FAILED: SemanticException The current builtin authorization in Hive is incomplete and disabled.
hive> set hive.security.authorization.task.factory = org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl; 
hive> show roles;
OK
admin
public
test_role

If you get the error above, apply the setting shown and run the command again.

2. Turn on the authorization switch

hive> set hive.security.authorization.enabled=true;

3. Configure the default privileges

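hive> set hive.security.authorization.createtable.owner.grants = ALL;
hive> set hive.security.authorization.createtable.role.grants = admin_role:ALL;
hive> set hive.security.authorization.createtable.user.grants = user1,user2:select\;user3:create;

In the Hive CLI, a ; inside a value has to be escaped as \; because an unescaped ; ends the statement.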

4. Edit the hive-site.xml configuration file and add the settings

[root@host150 conf]# vim hive-site.xml

	 
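<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
</property>
<property>
  <name>hive.security.authorization.task.factory</name>
  <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>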
	

5. Create a role and assign it to a user

hive> CREATE ROLE xiaodu_role;
hive> GRANT ROLE xiaodu_role TO USER xiaodu;

6. Grant privileges

6.1 Grant privileges to a role

GRANT CREATE ON DATABASE smart_test TO ROLE xiaodu_role;
GRANT SELECT on table test_table to ROLE test_role;
GRANT DROP on table test_table to ROLE test_role;
GRANT ALL on table test_table to ROLE test_role;

6.2 Grant privileges to a user

GRANT CREATE ON DATABASE smart_test TO user xiaodu;  
GRANT SELECT on table test_table to user xiaodu;  
GRANT DROP on table test_table to user xiaodu;  
GRANT ALL on table test_table to user xiaodu; 

6.3 Grant the privilege to create databases

GRANT CREATE TO user root;

6.4 View the granted privileges

SHOW GRANT user xiaodu ON DATABASE smart_test;     
SHOW GRANT user xiaodu ON TABLE ed3_prd_inst_inject_label_ext0; 
SHOW GRANT ROLE xiaodu_role ON DATABASE smart_test;
SHOW GRANT ROLE xiaodu_role ON TABLE ed3_prd_inst_inject_label_ext0;

6.5 Revoke privileges

revoke all on database smart_test from user xiaodu; 

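7. Privileges supported by Hive

ALL: all privileges
ALTER: allows modifying metadata (modify metadata data of object), i.e. the table information
UPDATE: allows modifying physical data (modify physical data of object), i.e. the actual data
CREATE: allows CREATE operations
DROP: allows DROP operations
INDEX: allows creating indexes (not yet implemented)
LOCK: allows the user to perform LOCK and UNLOCK operations when there is concurrent use
SELECT: allows the user to perform SELECT operations
SHOW_DATABASE: allows the user to view the available databases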

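8. Log in to the Hive metastore database and look at the privilege tables

Db_privs: records the privileges of each User/Role on databases
Tbl_privs: records the privileges of each User/Role on tables
Tbl_col_privs: records the privileges of each User/Role on table columns
Roles: records all created roles
Role_map: records the mapping between Users and Roles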
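
An added example (not part of the original post): one way to use these tables is to list a user's effective privileges, meaning direct grants plus those inherited through a role. The column names are assumed from the standard Hive metastore schema (where the tables appear in upper case), the rows are constructed to mirror the grants in this post, and SQLite stands in for the metastore database so the query runs offline; on a MySQL metastore replace || with CONCAT().

```python
import sqlite3

# Constructed miniature of the metastore: a subset of the columns in the
# standard Hive metastore schema, with rows mirroring the grants in this post.
SCHEMA = """
CREATE TABLE DBS (DB_ID INTEGER, NAME TEXT);
CREATE TABLE TBLS (TBL_ID INTEGER, DB_ID INTEGER, TBL_NAME TEXT);
CREATE TABLE ROLES (ROLE_ID INTEGER, ROLE_NAME TEXT);
CREATE TABLE ROLE_MAP (ROLE_ID INTEGER, PRINCIPAL_NAME TEXT, PRINCIPAL_TYPE TEXT);
CREATE TABLE DB_PRIVS (DB_ID INTEGER, PRINCIPAL_NAME TEXT, PRINCIPAL_TYPE TEXT, DB_PRIV TEXT);
CREATE TABLE TBL_PRIVS (TBL_ID INTEGER, PRINCIPAL_NAME TEXT, PRINCIPAL_TYPE TEXT, TBL_PRIV TEXT);
INSERT INTO DBS VALUES (1, 'smart_test');
INSERT INTO TBLS VALUES (10, 1, 'test_table');
INSERT INTO ROLES VALUES (100, 'xiaodu_role'), (101, 'test_role');
INSERT INTO ROLE_MAP VALUES (100, 'xiaodu', 'USER');
INSERT INTO DB_PRIVS VALUES (1, 'xiaodu_role', 'ROLE', 'CREATE');
INSERT INTO TBL_PRIVS VALUES (10, 'xiaodu', 'USER', 'SELECT'), (10, 'test_role', 'ROLE', 'ALL');
"""

# Direct grants plus grants inherited through one level of role membership
# (roles granted to other roles are not followed).
AUDIT = """
WITH grants AS (
  SELECT p.PRINCIPAL_NAME, p.PRINCIPAL_TYPE, d.NAME AS obj, p.DB_PRIV AS priv
    FROM DB_PRIVS p JOIN DBS d ON d.DB_ID = p.DB_ID
  UNION ALL
  SELECT p.PRINCIPAL_NAME, p.PRINCIPAL_TYPE, d.NAME || '.' || t.TBL_NAME, p.TBL_PRIV
    FROM TBL_PRIVS p JOIN TBLS t ON t.TBL_ID = p.TBL_ID JOIN DBS d ON d.DB_ID = t.DB_ID
)
SELECT obj, priv, 'direct' AS via FROM grants
 WHERE PRINCIPAL_TYPE = 'USER' AND PRINCIPAL_NAME = :user
UNION ALL
SELECT g.obj, g.priv, 'role:' || r.ROLE_NAME FROM grants g
  JOIN ROLES r ON g.PRINCIPAL_TYPE = 'ROLE' AND g.PRINCIPAL_NAME = r.ROLE_NAME
  JOIN ROLE_MAP m ON m.ROLE_ID = r.ROLE_ID
 WHERE m.PRINCIPAL_TYPE = 'USER' AND m.PRINCIPAL_NAME = :user
ORDER BY 1, 2
"""

def effective_privileges(conn, user):
    """Return (object, privilege, source) rows for one Hive user."""
    return conn.execute(AUDIT, {"user": user}).fetchall()

def demo_metastore():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

if __name__ == "__main__":
    print(effective_privileges(demo_metastore(), "xiaodu"))
```

A grant made TO GROUP is stored with PRINCIPAL_TYPE 'GROUP' and does not show up as a role grant in this query, so it is a quick way to confirm that a privilege landed on the principal you intended.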
