Granting Permissions to Roles

ROLE/GROUP semantics in CDH differ from those in CDP. Hive 3 requires a tightly controlled file system and computer memory resources, replacing flexible boundaries that earlier Hive versions allowed.

Definitive boundaries increase predictability. Greater file system control improves security. This model offers stronger security than other security schemes and better policy management.

Before Upgrade to CDP

In CDH, Sentry was recommended for policy management. CDH supported GRANT ON ROLE semantics.

After Upgrade to CDP

The major authorization model in Hive 3 is Ranger, not Sentry. If migrating from CDH, move away from Sentry toward Apache Ranger. GRANT ON ROLE semantics are not supported.

Action Required

Use the GRANT semantics supported in CDP. For example, to set up file system permissions:

GRANT <permissions> ON TABLE <table> TO USER <user or group>;

Use the semantics described in Configuring a resource-based policy: Hive.