Authorization Privilege Model for Hive and Impala

The tables below describe the privileges that you can use with Hive and Impala, only Hive, and only Impala. For information about the Sentry privilege model, see Privilege Model.

Privileges can be granted on different objects in the Hive warehouse. Any privilege that can be granted is associated with a level in the object hierarchy. If a privilege is granted on a container object in the hierarchy, the base object automatically inherits it. For instance, if a user has ALL privileges on the database scope, then that user has ALL privileges on all of the base objects contained within that scope.

Object Hierarchy

Server
     URI
     Database
         Table
             Partition
             Columns
         View
Valid privilege types and objects they apply to
Privilege Object
INSERT SERVER, DB, TABLE
SELECT SERVER, DB, TABLE, VIEW, COLUMN
ALL SERVER, TABLE, DB, URI
Note that when you grant ALL on a URI, those permissions extend into the subdirectories in that path. For example, if a role has ALL on the following URI:
  • hdfs://host:port/directory_A/directory_B
That role will also have ALL on these directories:
  • hdfs://host:port/directory_A/directory_B/directory_C
  • hdfs://host:port/directory_A/directory_B/directory_C/directory_D
  • hdfs://host:port/directory_A/directory_B/directory_E
URI permissions do not affect HDFS ACL's.
Privilege hierarchy
Base Object Granular privileges on object Container object that contains the base object Privileges on container object that implies privileges on the base object
DATABASE ALL SERVER ALL
TABLE INSERT DATABASE ALL
TABLE SELECT DATABASE ALL
COLUMN SELECT DATABASE ALL
VIEW SELECT DATABASE ALL

Privilege Tables for Hive and Impala

The following three tables list the privileges that are required to perform operations for Hive, Impala, and operations that apply to both Hive and Impala. All possible privileges are listed for each operation. For example, to perform the ALTER DATABASE command in Hive, the user can have the ALL privilege on the SERVER or the DATABASE.

Privilege table for Hive-only operations
Operation Required Privileges Scope
ALTER DATABASE ALL SERVER, DATABASE
ALTER TABLE .. CLUSTERED BY.. SORTED BY ALL SERVER, DATABASE, TABLE
ALTER TABLE .. ENABLE / DISABLE ALL SERVER, DATABASE, TABLE
ALTER TABLE .. PARTITION ENABLE / DISABLE ALL SERVER, DATABASE, TABLE
ALTER TABLE .. PARTITION.. RENAME TO PARTITION ALL SERVER, DATABASE, TABLE
ALTER TABLE TOUCH ALL SERVER, DATABASE, TABLE
ALTER TABLE TOUCH PARTITION ALL SERVER, DATABASE, TABLE
ANALYZE TABLE ALL SERVER, DATABASE, TABLE
SELECT TABLE
INSERT TABLE
CREATE INDEX ALL SERVER, DATABASE, TABLE
CREATE SERVER, DATABASE, TABLE
ANALYZE TABLE ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE, COLUMN
INSERT SERVER, DATABASE, TABLE
REFRESH SERVER, DATABASE, TABLE
DESCRIBE TABLE .. PARTITION ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE
INSERT SERVER, DATABASE, TABLE
DROP INDEX ALL SERVER, DATABASE, TABLE
EXPORT TABLE ALL SERVER, DATABASE, TABLE
GRANT PRIVILEGE Allowed only for Sentry admin users  
IMPORT TABLE ALL SERVER, DATABASE
INSERT OVERWRITE DIRECTORY ALL SERVER, DATABASE, TABLE
INSERT TABLE
MSCK REPAIR TABLE ALL SERVER, DATABASE, TABLE
REVOKE PRIVILEGE Allowed only for Sentry admin users  
SHOW COLUMNS

The output for this operation filters columns that the user does not have explicit SELECT access to.

ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE
INSERT SERVER, DATABASE, TABLE
SHOW INDEXES ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE
INSERT SERVER, DATABASE, TABLE
CREATE SERVER
SHOW TABLE PROPERTIES ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE
INSERT SERVER, DATABASE, TABLE
Privilege table for Impala-only operations
Operation Required Privileges Scope
COMPUTE INCREMENTAL STATS ALL SERVER, DATABASE, TABLE
COMPUTE STATS ALL SERVER, DATABASE, TABLE
DESCRIBE TABLE ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE, COLUMN
INSERT SERVER, DATABASE, TABLE
REFRESH SERVER, DATABASE, TABLE
CREATE SERVER, DATABASE
EXPLAIN INSERT ALL SERVER, DATABASE, TABLE
INSERT DATABASE, TABLE
EXPLAIN SELECT ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE, COLUMN
INVALIDATE METADATA ALL SERVER
REFRESH SERVER
INVALIDATE METADATA <table name> ALL SERVER, DATABASE, TABLE
REFRESH SERVER, DATABASE, TABLE
REFRESH <table name> or REFRESH <table name> PARTITION (<partition_spec>) ALL SERVER, DATABASE, TABLE
REFRESH SERVER, DATABASE, TABLE
SHOW COLUMN STATS ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE
INSERT SERVER, DATABASE, TABLE
REFRESH SERVER, DATABASE, TABLE
Privilege table for Hive & Impala operations
Operation Required Privileges Scope
ALTER TABLE .. ADD COLUMNS ALL SERVER, DATABASE, TABLE
ALTER TABLE .. ADD PARTITION ALL SERVER, DATABASE, TABLE
ALTER TABLE .. ADD PARTITION or ALTER TABLE .. ADD PARTITION LOCATION ALL SERVER, DATABASE, TABLE
ALTER TABLE .. CHANGE COLUMN ALL SERVER, DATABASE, TABLE
ALTER TABLE .. DROP COLUMN ALL SERVER, DATABASE, TABLE
ALTER TABLE .. DROP PARTITION ALL SERVER, DATABASE, TABLE
ALTER TABLE .. SET FILEFORMAT ALL SERVER, DATABASE, TABLE
ALTER TABLE .. PARTITION SET SERDEPROPERTIES ALL SERVER, DATABASE, TABLE
ALTER TABLE .. RENAME ALL SERVER, DATABASE
ALTER TABLE .. REPLACE COLUMNS ALL SERVER, DATABASE, TABLE
ALTER TABLE .. SET FILE FORMAT ALL SERVER, DATABASE, TABLE
ALTER TABLE .. SET LOCATION ALL SERVER, DATABASE, TABLE
ALTER TABLE .. SET SERDEPROPERTIES ALL SERVER, DATABASE, TABLE
ALTER TABLE .. SET TBLPROPERTIES ALL SERVER, DATABASE, TABLE
ALTER VIEW

This operation is allowed if you have column-level SELECT access to the columns being used.

ALL SERVER, DATABASE, VIEW
ALTER VIEW .. RENAME ALL SERVER, DATABASE, VIEW
CREATE DATABASE ALL SERVER
CREATE SERVER
CREATE FUNCTION ALL SERVER, DATABASE
CREATE SERVER, DATABASE
CREATE TABLE ALL SERVER, DATABASE
CREATE SERVER, DATABASE
CREATE TABLE .. AS SELECT

This operation is allowed if you have column-level SELECT access to the columns being used.

ALL SERVER, DATABASE
CREATE VIEW

This operation is allowed if you have column-level SELECT access to the columns being used.

ALL SERVER, DATABASE
DESCRIBE DATABASE ALL SERVER, DATABASE
SELECT SERVER, DATABASE
INSERT SERVER, DATABASE
REFRESH SERVER, DATABASE
DROP DATABASE ALL SERVER, DATABASE
DROP FUNCTION ALL SERVER, DATABASE
DROP TABLE ALL SERVER, DATABASE,TABLE
DROP VIEW ALL SERVER, DATABASE, VIEW
INSERT ALL SERVER, DATABASE, TABLE
INSERT SERVER, DATABASE, TABLE
INSERT OVERWRITE TABLE ALL SERVER, DATABASE, TABLE
INSERT SERVER, DATABASE, TABLE
LOAD DATA ALL SERVER, DATABASE, TABLE
INSERT SERVER, DATABASE, TABLE
SELECT ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE, COLUMN
SELECT COLUMN ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE, COLUMN
SELECT TABLE ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE
SELECT TABLE .. JOIN ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE
SELECT VIEW

You can grant the SELECT VIEW privilege on a view to give users access to specific columns of a table that they do not otherwise have access to.

ALL SERVER, DATABASE, VIEW
SELECT SERVER, DATABASE, VIEW
SHOW CREATE TABLE ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE
INSERT DATABASE, TABLE
REFRESH SERVER, DATABASE, TABLE
SHOW GRANT ROLE ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE
INSERT SERVER, DATABASE, TABLE
SHOW PARTITIONS ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE
INSERT SERVER, DATABASE, TABLE
REFRESH SERVER, DATABASE, TABLE
SHOW TABLES

The output includes all the tables the user has table-level or column-level access to.

ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE, COLUMN, VIEW
INSERT SERVER, DATABASE, TABLE
CREATE SERVER, DATABASE
REFRESH SERVER, DATABASE, TABLE
USE ALL SERVER, DATABASE, TABLE
SELECT SERVER, DATABASE, TABLE, COLUMN, VIEW
INSERT SERVER, DATABASE, TABLE
CREATE SERVER, DATABASE, TABLE
REFRESH SERVER, DATABASE, TABLE