Hive SQL Syntax for Use with Sentry
Sentry permissions can be configured through Grant and Revoke statements issued either interactively or programmatically through the HiveServer2 SQL command line interface, Beeline (documentation available here). Note that since Hive CLI does not work with HiveServer2, it cannot be used to configure Sentry permissions.
CREATE ROLE <admin role>; GRANT ALL ON SERVER <server1> TO ROLE <admin_role>; GRANT ROLE <admin role> TO GROUP <hive>;
CREATE ROLE StatementThe CREATE ROLE statement creates a role to which privileges can be granted. Privileges can be granted to roles, which can then be assigned to users. A user that has been assigned a role will only be able to exercise the privileges of that role.
Only users that have administrative privileges can create/drop roles. By default, the hive, impala and hue users have admin privileges in Sentry.
CREATE ROLE [role_name];
DROP ROLE StatementThe DROP ROLE statement can be used to remove a role from the database. Once dropped, the role will be revoked for all users to whom it was previously assigned. Queries that are already executing will not be affected. However, since Hive checks user privileges before executing each query, active user sessions in which the role has already been enabled will be affected.
DROP ROLE [role_name];
GRANT ROLE StatementThe GRANT ROLE statement can be used to grant roles to groups. Only Sentry admin users can grant roles to a group.
GRANT ROLE role_name [, role_name] TO GROUP <groupName> [,GROUP <groupName>]
REVOKE ROLE StatementThe REVOKE ROLE statement can be used to revoke roles from groups. Only Sentry admin users can revoke the role from a group.
REVOKE ROLE role_name [, role_name] FROM GROUP <groupName> [,GROUP <groupName>]
GRANT <PRIVILEGE> StatementIn order to grant privileges on an object to a role, the user must be a Sentry admin user.
GRANT <PRIVILEGE> [, <PRIVILEGE> ] ON <OBJECT> <object_name> TO ROLE <roleName> [,ROLE <roleName>]
REVOKE <PRIVILEGE> StatementSince only authorized admin users can create roles, consequently only Sentry admin users can revoke privileges from a group.
REVOKE <PRIVILEGE> [, <PRIVILEGE> ] ON <OBJECT> <object_name> FROM ROLE <roleName> [,ROLE <roleName>]
GRANT <PRIVILEGE> ... WITH GRANT OPTION
GRANT <PRIVILEGE> ON <OBJECT> <object_name> TO ROLE <roleName> WITH GRANT OPTIONOnly a role with GRANT option on a specific privilege or its parent privilege can revoke that privilege from other roles. Once the following statement is executed, all privileges with and without grant option are revoked.
REVOKE <PRIVILEGE> ON <OBJECT> <object_name> FROM ROLE <roleName>Hive does not currently support revoking only the WITH GRANT OPTION from a privilege previously granted to a role. To remove the WITH GRANT OPTION, revoke the privilege and grant it again without the WITH GRANT OPTION flag.
SET ROLE StatementThe SET ROLE statement can be used to specify a role to be enabled for the current session. A user can only enable a role that has been granted to them. Any roles not listed and not already enabled are disabled for the current session. If no roles are enabled, the user will have the privileges granted by any of the roles that (s)he belongs to.
SET ROLE <roleName>;
SET ROLE ALL;
SET ROLE NONE;
SHOW CURRENT ROLES;
SHOW ROLE GRANT GROUP <groupName>;
The SHOW statement can also be used to list the privileges that have been granted to a role or all the grants given to a role for a particular object.
SHOW GRANT ROLE <roleName>;
SHOW GRANT ROLE <roleName> on OBJECT <objectName>;
Example: Using Grant/Revoke Statements to Match an Existing Policy File
[groups] # Assigns each Hadoop group to its set of roles manager = analyst_role, junior_analyst_role analyst = analyst_role jranalyst = junior_analyst_role customers_admin = customers_admin_role admin = admin_role [roles] # The uris below define a define a landing skid which # the user can use to import or export data from the system. # Since the server runs as the user "hive" files in that directory # must either have the group hive and read/write set or # be world read/write. analyst_role = server=server1->db=analyst1, \ server=server1->db=jranalyst1->table=*->action=select server=server1->uri=hdfs://ha-nn-uri/landing/analyst1 junior_analyst_role = server=server1->db=jranalyst1, \ server=server1->uri=hdfs://ha-nn-uri/landing/jranalyst1 # Implies everything on server1. admin_role = server=server1
The following sections show how you can use the new GRANT statements to assign privileges to roles (and assign roles to groups) to match the sample policy file above.
CREATE ROLE analyst_role; GRANT ALL ON DATABASE analyst1 TO ROLE analyst_role; GRANT SELECT ON DATABASE jranalyst1 TO ROLE analyst_role; GRANT ALL ON URI 'hdfs://ha-nn-uri/landing/analyst1' \ TO ROLE analyst_role;
CREATE ROLE junior_analyst_role; GRANT ALL ON DATABASE jranalyst1 TO ROLE junior_analyst_role; GRANT ALL ON URI 'hdfs://ha-nn-uri/landing/jranalyst1' \ TO ROLE junior_analyst_role;
CREATE ROLE admin_role GRANT ALL ON SERVER server TO ROLE admin_role;
GRANT ROLE admin_role TO GROUP admin; GRANT ROLE analyst_role TO GROUP analyst; GRANT ROLE jranalyst_role TO GROUP jranalyst;