1 角色管理命令
1.1 创建角色
创建一个新角色,需要 admin 用户执行
CREATE ROLE role_name;
1.2 删除角色
删除一个角色,需要 admin 用户执行
DROP ROLE role_name;
1.3 显示当前角色
显示用户当前角色列表
SHOW CURRENT ROLES;
1.4 设定角色
如果指定了role_name,则该角色将成为当前角色中的唯一角色
将Role_Name设置为All将刷新当前角色的列表(在新角色被授予用户的情况下),并将其设置为默认的角色列表。
将Role_Name设置为None将从当前用户中删除所有当前角色。
SET ROLE (role_name|ALL|NONE);
1.5 显示角色
列出所有当前存在的角色。
只有admin角色对此有特权。
SHOW ROLES;
1.6 赋权/撤销语法
第一种
将一个或多个角色授予其他角色或用户。
如果指定了“WITH ADMIN OPTION”,则用户将获得将该角色授予其他用户/角色的权限。
如果授予语句最终在角色之间创建循环关系,则该命令将失败并出现错误。
GRANT role_name [, role_name] ...
TO principal_specification [, principal_specification] ...
[ WITH ADMIN OPTION ];
principal_specification
: USER user
| ROLE role
从FROM子句中的用户/角色中撤消角色的成员权限。
REVOKE [ADMIN OPTION FOR] role_name [, role_name] ...
FROM principal_specification [, principal_specification] ... ;
principal_specification
: USER user
| ROLE role
第二种
GRANT ROLE role_name [, role_name] ...
TO principal_specification [, principal_specification] ...
[WITH ADMIN OPTION]
REVOKE [ADMIN OPTION FOR] ROLE role_name [, role_name] ...
FROM principal_specification [, principal_specification] ...
principal_specification:
USER user
| GROUP group
| ROLE role
1.7 显示角色授予
principal_name是用户或角色的名称。
列出已授予给定用户或角色的所有角色。
SHOW ROLE GRANT (USER|ROLE|GROUP ) principal_name;
示例:
0: jdbc:hive2://localhost:10000> SHOW ROLE GRANT USER user1;
+---------+---------------+----------------+----------+
| role | grant_option | grant_time | grantor |
+---------+---------------+----------------+----------+
| public | false | 0 | |
| role1 | false | 1398284083000 | uadmin |
+---------+---------------+----------------+----------+
1.8 列出所有角色和属于该角色的用户
仅admin角色对此具有特权。
SHOW PRINCIPALS role_name;
示例:
0: jdbc:hive2://localhost:10000> SHOW PRINCIPALS role1;
+-----------------+-----------------+---------------+----------+---------------+----------------+
| principal_name | principal_type | grant_option | grantor | grantor_type | grant_time |
+-----------------+-----------------+---------------+----------+---------------+----------------+
| role2 | ROLE | false | uadmin | USER | 1398285926000 |
| role3 | ROLE | true | uadmin | USER | 1398285946000 |
| user1 | USER | false | uadmin | USER | 1398285977000 |
+-----------------+-----------------+---------------+----------+---------------+----------------+
2 权限管理
2.1 赋权和移除权限
对表或视图赋权/撤销授权
GRANT
priv_type [, priv_type ] ...
ON table_or_view_name
TO principal_specification [, principal_specification] ...
[WITH GRANT OPTION];
REVOKE [GRANT OPTION FOR]
priv_type [, priv_type ] ...
ON table_or_view_name
FROM principal_specification [, principal_specification] ... ;
principal_specification
: USER user
| ROLE role
priv_type
: INSERT | SELECT | UPDATE | DELETE | ALL
对列赋权/撤销授权
GRANT
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
[ON object_specification]
TO principal_specification [, principal_specification] ...
[WITH GRANT OPTION]
REVOKE [GRANT OPTION FOR]
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
[ON object_specification]
FROM principal_specification [, principal_specification] ...
REVOKE ALL PRIVILEGES, GRANT OPTION
FROM user [, user] ...
priv_type:
ALL | ALTER | UPDATE | CREATE | DROP
| INDEX | LOCK | SELECT | SHOW_DATABASE
object_specification:
TABLE tbl_name
| DATABASE db_name
principal_specification:
USER user
| GROUP group
| ROLE role
如果授予用户对表或视图的WITH GRANT OPTION特权,则该用户还可以赋权/撤消其他用户的特权以及这些对象上的角色。
示例:
0: jdbc:hive2://localhost:10000/default> grant select on table secured_table to role my_role;
No rows affected (0.046 seconds)
0: jdbc:hive2://localhost:10000/default> revoke update, select on table secured_table from role my_role;
No rows affected (0.028 seconds)
2.2 显示权限
SHOW GRANT [principal_specification] ON (ALL | [TABLE] table_or_view_name);
principal_specification
: USER user
| ROLE role
2.3 管理对象权限的示例
2.3.1 创建角色,并将指定数据库所有/只读权限赋给该角色
--创建名为bigdata_admin_role的角色
CREATE ROLE bigdata_admin_role;
--将数据库bigdata_db的所有权限赋给bigdata_admin_role角色
GRANT ALL ON DATABASE bigdata_db TO ROLE bigdata_admin_role;
--将集群路径所有权限赋权给bigdata_admin_role角色
GRANT ALL ON URI 'hdfs://nameservice/user/bigdata' TO bigdata_admin_role;
--将bigdata_admin_role角色的权限给到bigdata_g组
GRANT ROLE bigdata_admin_role TO GROUP bigdata_g;
--至此,bigdata_g 组下的所有用户拥有了操作bigdata_db库的所有权限
--创建名为bigdata_read_role的角色,该角色只有只读权限
CREATE ROLE bigdata_read_role;
--将数据库bigdata_db的select权限赋给bigdata_read_role角色
GRANT SELECT ON DATABASE bigdata_db TO ROLE bigdata_read_role;
--将集群路径所有权限赋权给bigdata_admin_role角色
GRANT ALL ON URI 'hdfs://nameservice/user/bigdata' TO bigdata_read_role;
--将bigdata_admin_role角色的权限给到bigdata_g组
GRANT ROLE bigdata_read_role TO GROUP bigdata_g;
--至此,bigdata_g 组下的所有用户拥有了操作bigdata_db库的读权限
--创建一个用户组hive_g,并给该角色赋权查询bigdata_db.test_tb的权限
CREATE ROLE hive_read_role;
GRANT ROLE hive_read_role TO GROUP hive_g;
GRANT SELECT ON TABLE bigdata_db.test_tb TO ROLE hive_read_role;
找出用户ashutosh对表hivejiratable拥有的特权:
0: jdbc:hive2://localhost:10000> show grant user ashutosh on table hivejiratable;
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default | hivejiratable | | | ashutosh | USER | DELETE | false | 1398303419000 | thejas |
| default | hivejiratable | | | ashutosh | USER | SELECT | false | 1398303407000 | thejas |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
找出用户ashutosh对所有对象具有的特权:
0: jdbc:hive2://localhost:10000> show grant user ashutosh on all;
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default | hivecontributors | | | ashutosh | USER | DELETE | false | 1398303576000 | thejas |
| default | hivecontributors | | | ashutosh | USER | INSERT | false | 1398303576000 | thejas |
| default | hivecontributors | | | ashutosh | USER | SELECT | false | 1398303576000 | thejas |
| default | hivejiratable | | | ashutosh | USER | DELETE | false | 1398303419000 | thejas |
| default | hivejiratable | | | ashutosh | USER | SELECT | false | 1398303407000 | thejas |
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
找出所有用户对表hivejiratable拥有的特权:
0: jdbc:hive2://localhost:10000> show grant on table hivejiratable;
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default | hivejiratable | | | ashutosh | USER | DELETE | false | 1398303419000 | thejas |
| default | hivejiratable | | | ashutosh | USER | SELECT | false | 1398303407000 | thejas |
| default | hivejiratable | | | navis | USER | INSERT | false | 1398303650000 | thejas |
| default | hivejiratable | | | navis | USER | SELECT | false | 1398303650000 | thejas |
| default | hivejiratable | | | public | ROLE | SELECT | false | 1398303481000 | thejas |
| default | hivejiratable | | | thejas | USER | DELETE | true | 1398303380000 | thejas |
| default | hivejiratable | | | thejas | USER | INSERT | true | 1398303380000 | thejas |
| default | hivejiratable | | | thejas | USER | SELECT | true | 1398303380000 | thejas |
| default | hivejiratable | | | thejas | USER | UPDATE | true | 1398303380000 | thejas |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+