sentry

HiveSQL Syntax for Use with Sentry

创建和删除角色

1. 创建角色: create role ROLE_NAME
2. 删除角色: droop role ROLE_NAME

 

CREATE ROLE admin_role;创建角色

droop role admin_role;删除角色

 

角色的授权和撤销

角色的授权(GRANT)就是给角色授予创建表、查询表等操作，撤销(REVOKE)反之。语法如下：

1 2

GRANT ROLE role_name [, role_name] TO GROUP [,GROUP ] REVOKE ROLE role_name [, role_name] FROM GROUP [,GROUP ]   GRANT ROLE admin_role TO GROUP `admin`; GRANT ROLE admin_role TO GROUP hive; 并授权给 admin和 hive组（对应操作系统上的组） GRANT ROLE analyst_role TO GROUP `analyst`   REVOKE ROLE admin_role from group hive; 撤销hive的admin_role权限   把role_test1角色授权给test组: grant role role_test1 to group test 查看test组被授权的角色: show role grant group test 取消test组的role_test1角色: revoke role role_test1 from group test

权限的授予和撤销

1 2	GRANT [, ] ON

查看角色/组权限

1 2 3 4 5

SHOW ROLES;                                                                                   查看有多少个role SHOW CURRENT ROLES;                                                             查看当前登录的是用户属于哪个role SHOW ROLE GRANT GROUP ;                 查看group所属的role SHOW GRANT ROLE ;                                      查看role所拥有的权限 SHOW GRANT ROLE on<OBJECT> ;

 

• Grant privileges to analyst_role:

1 2 3 4

CREATEROLE analyst_role; GRANT ALLONDATABASE analyst1TOROLE analyst_role;                                                                     analust_role拥有对数据库analyst1的所有权限 GRANTSELECTONDATABASE jranalyst1TOROLE analyst_role;                                                 analyst_role只拥有对数据库jranalyst1的查询操作权限 GRANT ALLON URI'hdfs://ha-nn-uri/landing/analyst1'TOROLE analyst_role;

• Grant privileges to junior_analyst_role:

1 2 3 4

CREATEROLE junior_analyst_role; GRANT ALLONDATABASE jranalyst1TOROLE junior_analyst_role;                        junior_analust_role拥有对数据库jranalyst1的所有权限 GRANT ALLON URI'hdfs://ha-nn-uri/landing/jranalyst1'TOROLE junior_analyst_role;

• Grant privileges to admin_role:

1 2	CREATEROLE admin_role GRANT ALLONSERVERserver1TOROLE admin_role;                                                                               将服务器server1上的所有权限给admin_role角色  GRANT allonDATABASEtesttorole admin_rolewithgrantoption;

• Grant roles to groups:

1 2 3

GRANTROLE admin_roleTOGROUPadmin;                                                                                                            admin用户组将拥有角色admin_role的权限  GRANTROLE analyst_roleTOGROUP analyst; GRANTROLE jranalyst_roleTOGROUP jranalyst;

 

来自 <http://wzktravel.github.io/2016/02/25/Enabling-sentry-in-CDH/>