Authorization Privilege Model for Hive and Impala
The tables below describe the privileges that you can use with Hive and Impala, only Hive, and only Impala. For information about the Sentry privilege model, see Privilege Model.
Privileges can be granted on different objects in the Hive warehouse. Any privilege that can be granted is associated with a level in the object hierarchy. If a privilege is granted on a container object in the hierarchy, the base object automatically inherits it. For instance, if a user has ALL privileges on the database scope, then that user has ALL privileges on all of the base objects contained within that scope.
Object Hierarchy
Server
URI
Database
Table
Partition
Columns
View
| Privilege | Object |
|---|---|
| INSERT | SERVER, DB, TABLE |
| SELECT | SERVER, DB, TABLE, VIEW, COLUMN |
| ALL | SERVER, TABLE, DB, URI |
Note that when you grant ALL on a URI, those permissions extend into the subdirectories in that path. For example, if a role has ALL on the following URI:
- hdfs://host:port/directory_A/directory_B
- hdfs://host:port/directory_A/directory_B/directory_C
- hdfs://host:port/directory_A/directory_B/directory_C/directory_D
- hdfs://host:port/directory_A/directory_B/directory_E
| Base Object | Granular privileges on object | Container object that contains the base object | Privileges on container object that implies privileges on the base object |
|---|---|---|---|
| DATABASE | ALL | SERVER | ALL |
| TABLE | INSERT | DATABASE | ALL |
| TABLE | SELECT | DATABASE | ALL |
| COLUMN | SELECT | DATABASE | ALL |
| VIEW | SELECT | DATABASE | ALL |
Privilege Tables for Hive and Impala
The following three tables list the privileges that are required to perform operations for Hive, Impala, and operations that apply to both Hive and Impala. All possible privileges are listed for each operation. For example, to perform the ALTER DATABASE command in Hive, the user can have the ALL privilege on the SERVER or the DATABASE.
| Operation | Required Privileges | Scope |
|---|---|---|
| ALTER DATABASE | ALL | SERVER, DATABASE |
| ALTER TABLE .. CLUSTERED BY.. SORTED BY | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. ENABLE / DISABLE | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. PARTITION ENABLE / DISABLE | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. PARTITION.. RENAME TO PARTITION | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE TOUCH | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE TOUCH PARTITION | ALL | SERVER, DATABASE, TABLE |
| ANALYZE TABLE | ALL | SERVER, DATABASE, TABLE |
| SELECT | TABLE | |
| INSERT | TABLE | |
| CREATE INDEX | ALL | SERVER, DATABASE, TABLE |
| CREATE | SERVER, DATABASE, TABLE | |
| ANALYZE TABLE | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE, COLUMN | |
| INSERT | SERVER, DATABASE, TABLE | |
| REFRESH | SERVER, DATABASE, TABLE | |
| DESCRIBE TABLE .. PARTITION | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE | |
| INSERT | SERVER, DATABASE, TABLE | |
| DROP INDEX | ALL | SERVER, DATABASE, TABLE |
| EXPORT TABLE | ALL | SERVER, DATABASE, TABLE |
| GRANT PRIVILEGE | Allowed only for Sentry admin users | |
| IMPORT TABLE | ALL | SERVER, DATABASE |
| INSERT OVERWRITE DIRECTORY | ALL | SERVER, DATABASE, TABLE |
| INSERT | TABLE | |
| MSCK REPAIR TABLE | ALL | SERVER, DATABASE, TABLE |
| REVOKE PRIVILEGE | Allowed only for Sentry admin users | |
| SHOW COLUMNS
The output for this operation filters columns that the user does not have explicit SELECT access to. |
ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE | |
| INSERT | SERVER, DATABASE, TABLE | |
| SHOW INDEXES | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE | |
| INSERT | SERVER, DATABASE, TABLE | |
| CREATE | SERVER | |
| SHOW TABLE PROPERTIES | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE | |
| INSERT | SERVER, DATABASE, TABLE |
| Operation | Required Privileges | Scope |
|---|---|---|
| COMPUTE INCREMENTAL STATS | ALL | SERVER, DATABASE, TABLE |
| COMPUTE STATS | ALL | SERVER, DATABASE, TABLE |
| DESCRIBE TABLE | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE, COLUMN | |
| INSERT | SERVER, DATABASE, TABLE | |
| REFRESH | SERVER, DATABASE, TABLE | |
| CREATE | SERVER, DATABASE | |
| EXPLAIN INSERT | ALL | SERVER, DATABASE, TABLE |
| INSERT | DATABASE, TABLE | |
| EXPLAIN SELECT | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE, COLUMN | |
| INVALIDATE METADATA | ALL | SERVER |
| REFRESH | SERVER | |
| INVALIDATE METADATA <table name> | ALL | SERVER, DATABASE, TABLE |
| REFRESH | SERVER, DATABASE, TABLE | |
| REFRESH <table name> or REFRESH <table name> PARTITION (<partition_spec>) | ALL | SERVER, DATABASE, TABLE |
| REFRESH | SERVER, DATABASE, TABLE | |
| SHOW COLUMN STATS | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE | |
| INSERT | SERVER, DATABASE, TABLE | |
| REFRESH | SERVER, DATABASE, TABLE |
| Operation | Required Privileges | Scope |
|---|---|---|
| ALTER TABLE .. ADD COLUMNS | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. ADD PARTITION | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. ADD PARTITION or ALTER TABLE .. ADD PARTITION LOCATION | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. CHANGE COLUMN | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. DROP COLUMN | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. DROP PARTITION | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. SET FILEFORMAT | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. PARTITION SET SERDEPROPERTIES | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. RENAME | ALL | SERVER, DATABASE |
| ALTER TABLE .. REPLACE COLUMNS | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. SET FILE FORMAT | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. SET LOCATION | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. SET SERDEPROPERTIES | ALL | SERVER, DATABASE, TABLE |
| ALTER TABLE .. SET TBLPROPERTIES | ALL | SERVER, DATABASE, TABLE |
| ALTER VIEW
This operation is allowed if you have column-level SELECT access to the columns being used. |
ALL | SERVER, DATABASE, VIEW |
| ALTER VIEW .. RENAME | ALL | SERVER, DATABASE, VIEW |
| CREATE DATABASE | ALL | SERVER |
| CREATE | SERVER | |
| CREATE FUNCTION | ALL | SERVER, DATABASE |
| CREATE | SERVER, DATABASE | |
| CREATE TABLE | ALL | SERVER, DATABASE |
| CREATE | SERVER, DATABASE | |
| CREATE TABLE .. AS SELECT
This operation is allowed if you have column-level SELECT access to the columns being used. |
ALL | SERVER, DATABASE |
| CREATE VIEW
This operation is allowed if you have column-level SELECT access to the columns being used. |
ALL | SERVER, DATABASE |
| DESCRIBE DATABASE | ALL | SERVER, DATABASE |
| SELECT | SERVER, DATABASE | |
| INSERT | SERVER, DATABASE | |
| REFRESH | SERVER, DATABASE | |
| DROP DATABASE | ALL | SERVER, DATABASE |
| DROP FUNCTION | ALL | SERVER, DATABASE |
| DROP TABLE | ALL | SERVER, DATABASE,TABLE |
| DROP VIEW | ALL | SERVER, DATABASE, VIEW |
| INSERT | ALL | SERVER, DATABASE, TABLE |
| INSERT | SERVER, DATABASE, TABLE | |
| INSERT OVERWRITE TABLE | ALL | SERVER, DATABASE, TABLE |
| INSERT | SERVER, DATABASE, TABLE | |
| LOAD DATA | ALL | SERVER, DATABASE, TABLE |
| INSERT | SERVER, DATABASE, TABLE | |
| SELECT | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE, COLUMN | |
| SELECT COLUMN | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE, COLUMN | |
| SELECT TABLE | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE | |
| SELECT TABLE .. JOIN | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE | |
| SELECT VIEW
You can grant the SELECT VIEW privilege on a view to give users access to specific columns of a table that they do not otherwise have access to. |
ALL | SERVER, DATABASE, VIEW |
| SELECT | SERVER, DATABASE, VIEW | |
| SHOW CREATE TABLE | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE | |
| INSERT | DATABASE, TABLE | |
| REFRESH | SERVER, DATABASE, TABLE | |
| SHOW GRANT ROLE | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE | |
| INSERT | SERVER, DATABASE, TABLE | |
| SHOW PARTITIONS | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE | |
| INSERT | SERVER, DATABASE, TABLE | |
| REFRESH | SERVER, DATABASE, TABLE | |
| SHOW TABLES
The output includes all the tables the user has table-level or column-level access to. |
ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE, COLUMN, VIEW | |
| INSERT | SERVER, DATABASE, TABLE | |
| CREATE | SERVER, DATABASE | |
| REFRESH | SERVER, DATABASE, TABLE | |
| USE | ALL | SERVER, DATABASE, TABLE |
| SELECT | SERVER, DATABASE, TABLE, COLUMN, VIEW | |
| INSERT | SERVER, DATABASE, TABLE | |
| CREATE | SERVER, DATABASE, TABLE | |
| REFRESH | SERVER, DATABASE, TABLE |