Object Ownership

Object ownership designates an owner for a database, table, or view in Sentry. When object ownership is enabled, the OWNER privilege is automatically granted to the user that creates the object. This relieves the database administrator from the task of explicitly assigning permissions to the user.

Overview

Object ownership allows you to assign an owner to a database, table, or view. The owner of an object has a special set of privileges on that object. You can determine what those privileges are with the OWNER Privileges for Sentry Policy Database Objects setting in Cloudera Manager.

In CDH 5.16, object ownership is disabled by default. For instructions on how to enable object ownership, see Setting Object Owner Privileges.

An object can only have one owner at a time. The owner can be an individual user or a role. The OWNER privilege cannot be revoked by a REVOKE command. However, ownership can transfer to another user or role. When ownership is transferred, the original owner loses ownership of the object. For information about transferring ownership of an object, see Assigning and Transferring Ownership.

HMS metadata includes the owner of an object that is created in Hive or Impala. However, unless object ownership is enabled in Sentry, the owner of an object does not have special permissions on the object.

The following table shows the OWNER privilege scope:

Scope Available Operations
Server Not available.
Database

Any action allowed by the ALL privilege on the database and tables within the database except transferring ownership of the database or tables.

WITH GRANT enabled: Allows the user or role to grant and revoke privileges to other roles on the database, tables, and views. The user can also transfer ownership of the database and tables within the database. If ownership is transferred at the database level, ownership of the tables is not transferred; the original owner continues to have the OWNER privilege on the tables.

Table / View

Any action allowed by the ALL privilege on the table except transferring ownership of the table or view.

WITH GRANT enabled: Allows the user or role to transfer ownership of the table or view as well as grant and revoke privileges to other roles on the table or view.

Upgrade Note

When you upgrade from a version of CDH that does not have object ownership to a version of CDH that does have object ownership, you must assign owners to your existing database objects. In previous versions, the default owner of Hive and Impala objects was the hive or Kerberos user. If you enable object ownership, you cannot immediately assign ownership to the same user that owned the object before ownership was enabled. For example, if you want the hive user to have the OWNER privilege, you must enable object ownership, assign ownership to a temporary user (for example, an admin user) and then re-assign ownership to the hive user.

Sentry Object Ownership in HDFS

Object ownership syncs with HDFS. HDFS shows the permissions granted to the owner as if the owner has ALL privileges on the object.

If the object owner is a role, HDFS applies the OWNER privilege to the groups that have that role. If the object owner is a user, HDFS applies the OWNER privilege to the user. Note that although HDFS has owners, the Sentry OWNER privilege is applied to the HDFS user, not the HDFS owner.

Setting Owner Privileges

You can select the privileges that an owner has on an object through Cloudera Manager or in the sentry-site.xml file.

Whether or not object ownership is enabled, Hive and Impala store the creator of an object as the owner. That owner does not have special privileges on the object unless object ownership is enabled in Sentry. If object ownership is disabled, enabling it does not affect objects that already exist. Enabling object ownership only grants the OWNER privilege to objects that are created after object ownership is enabled.

When a user creates an object through Hive or Impala, two things happen:

  1. Hive or Impala sets the owner of the table in HMS to the user that creates the table, regardless of whether object ownership is enabled.
  2. If object ownership is enabled, Sentry automatically grants the OWNER privilege to the user that creates the object. If object ownership is disabled (set to NONE), Sentry does not grant the OWNER privilege.

Disabling object ownership does not affect existing OWNER privileges. However, if ALTER TABLE SET OWNER is run on the object after object ownership is disabled, the object will not have an owner in Sentry. See Revoking Ownership for information about removing the owner of an object.

Note that when you enable object ownership, it is for the entire cluster. Any user that creates an object in any database will have the OWNER privilege. You cannot have different object ownership settings in different databases.

Setting Object Owner Privileges in Cloudera Manager

In Cloudera Manager, navigate to the Sentry service and select the Configuration tab. Enter “owner” in the Search bar and locate the OWNER Privileges for Sentry Policy Database Objects setting.

The following image shows the setting:


The OWNER Privileges for Sentry Policy Database Objects setting has the following options: NONE, ALL privileges with GRANT, and ALL privileges).

You can choose from the following options:

  • NONE - Default. Disables object ownership in Sentry. New OWNER privileges cannot be assigned and a user that creates an object does not get the OWNER privilege. However, existing OWNER privileges are not affected by selecting this option.
  • ALL privileges with GRANT - An object owner has the ALL privilege on the object and can transfer OWNER privileges on the object as well as grant and revoke other privileges on the object. The OWNER privilege is granted to the user that creates the object or with the ALTER DATABASE SET OWNER or ALTER TABLE SET OWNER operation.
  • ALL privileges - An object owner has the ALL privilege on the object, but cannot transfer owner privileges to another user or role. The OWNER privilege is granted to the user that creates the object or with the ALTER DATABASE SET OWNER or ALTER TABLE SET OWNER operation.

For more information about the ALTER DATABASE and ALTER TABLE operations, see Assigning and Transferring Ownership.

Setting Object Owner Privileges in the sentry-site.xml File

To set the privileges that an owner has on an object in the sentry-site.xml file, open the file on the Sentry service host and locate the following property:

Name:  sentry.db.policy.store.owner.as.privilege
Value: { none|all|all_with_grant }
Default: none

You can choose from the following options:

  • none - Default. Disables object ownership in Sentry. New OWNER privileges cannot be assigned and a user that creates an object does not get the OWNER privilege. However, existing OWNER privileges are not affected by selecting this option.
  • all - An object owner has the ALL privilege on the object and can transfer OWNER privileges on the object as well as grant and revoke other privileges on the object. The OWNER privilege is granted to the user that creates the object or with the ALTER DATABASE SET OWNER or ALTER TABLE SET OWNER operation.
  • all_with_grant - An object owner has the ALL privilege on the object, but cannot transfer owner privileges to another user or role. The OWNER privilege is granted to the user that creates the object or with the ALTER DATABASE SET OWNER or ALTER TABLE SET OWNER operation.

For more information about the ALTER DATABASE and ALTER TABLE operations, see Assigning and Transferring Ownership.

Assigning and Transferring Ownership

If an object owner has the ALL privileges with GRANT option, the user can transfer object ownership to another user or role. In addition, Sentry users, such as admin users, that have ALL WITH GRANT on the server can transfer or assign ownership of any object. When ownership is transferred in Sentry, the object owner in HMS is also changed.

An object owner that does not have the ALL privileges with GRANT option cannot transfer ownership of the object.

You can grant the OWNER privilege on a database to a role or a user with the following commands, respectively:

ALTER DATABASE <database name> SET OWNER ROLE <role name>;
ALTER DATABASE <database name> SET OWNER USER <user name>;

You can grant the OWNER privilege on a table to a role or a user with the following commands, respectively:

ALTER TABLE <table name> SET OWNER ROLE <role name>;
ALTER TABLE <table name> SET OWNER USER <user name>;

In Impala, use one of the following commands to grant the OWNER privilege to a view:

ALTER VIEW <view name> SET OWNER ROLE <role name>;
ALTER VIEW <view name> SET OWNER USER <user name>;

In Hive, use these commands to grant the OWNER privilege to a view:

ALTER TABLE <view name> SET OWNER ROLE <role name>;
ALTER TABLE <view name> SET OWNER USER <user name>;

Revoking Ownership

Once the OWNER privilege is granted, it cannot be revoked while object ownership is still enabled. However, ownership can be transferred with the ALTER DATABASE or ALTER TABLE operation.

If you disable object ownership, you can use the ALTER DATABASE or ALTER TABLE operation to remove ownership.

For example, object ownership is enabled and you have a user1 that has the OWNER privilege on table1. You can disable object ownership (set OWNER Privileges for Sentry Policy Database Objects to NONE) and then run the following command:

ALTER TABLE table1 SET OWNER USER user2;

In this case, neither user1 nor user2 will have the OWNER privilege on the table because object ownership is disabled.