1、Column-level AuthorizationThe following command grants a role theSELECTprivilege on a column:GRANT SELECT(column_name) ON TABLE table_name TO ROLE role_name;The following command can be used to revoke theSELECTprivilege on a column:REVOKE SELECT(column_name) ON TABLE table_name FROM ROLE role_name;A
2、ny new columns added to a table will be inaccessible by default, until explicitly granted access.Actions allowed for users with SELECT privilege on a column:Users whose roles have been granted theSELECTprivilege on columns only, can perform operations which explicitly refer to those columns. Some ex
3、amples are: SELECT column_name FROM TABLE table_name;In this case, Sentry will first check to see if the user has the required privileges to access the table. It will then further check to see whether the user has theSELECTprivilege to access the column(s). SELECT COUNT(column_name) FROM TABLE table
4、_name;Users are also allowed to use theCOUNTfunction to return the number of values in the column. SELECT column_name FROM TABLE table_name WHERE column_name GROUP BY column_name; The above command will work as long as you refer only to columns to which you already have access. To list the column(s)
5、 to which the current user hasSELECTaccess:SHOW COLUMNS;Exceptions: If a user hasSELECTaccess to all columns in a table, the following command will work. Note that this is an exception, not the norm. In all other cases,SELECTon all columns doesnotallow you to perform table-level operations.SELECT *
6、FROM TABLE table_name; TheDESCRIBEtable command differs from the others, in that it does not filter out columns for which the user does not haveSELECTaccess.DESCRIBE (table_name);Limitations: Column-level privileges can only be applied to tables and partitions, not views. HDFS-Sentry Sync:With HDFS-
7、Sentry sync enabled, even if a user has been granted access to all columns of a table, they will not have access to the corresponding HDFS data files. This is because Sentry does not considerSELECTon all columns equivalent to explicitly being grantedSELECTon the table. Column-level access control fo
8、r access from Spark SQL is not supported by the HDFS-Sentry plug-in.CREATE ROLE StatementTheCREATE ROLEstatement creates a role to which privileges can be granted. Privileges can be granted to roles, which can then be assigned to users. A user that has been assigned a role will only be able to exerc
9、ise the privileges of that role.Only users that have administrative privileges can create/drop roles. By default, thehive,impalaandhueusers have admin privileges in Sentry.CREATE ROLE role_name;DROP ROLE StatementTheDROP ROLEstatement can be used to remove a role from the database. Once dropped, the
10、 role will be revoked for all users to whom it was previously assigned. Queries that are already executing will not be affected. However, since Hive checks user privileges before executing each query, active user sessions in which the role has already been enabled will be affected.DROP ROLE role_nam
11、e;GRANT ROLE StatementTheGRANT ROLEstatement can be used to grant roles to groups. Only Sentry admin users can grant roles to a group.GRANT ROLE role_name , role_name TO GROUP ,GROUP REVOKE ROLE StatementTheREVOKE ROLEstatement can be used to revoke roles from groups. Only Sentry admin users can rev
12、oke the role from a group.REVOKE ROLE role_name , role_name FROM GROUP ,GROUP GRANT StatementIn order to grant privileges on an object to a role, the user must be a Sentry admin user.GRANT , ON TO ROLE ,ROLE you can grant theSELECTprivilege on specific columns of a table. For example:GRANT SELECT(co
13、lumn_name) ON TABLE table_name TO ROLE role_name;REVOKE StatementSince only authorized admin users can create roles, consequently only Sentry admin users can revoke privileges from a group.REVOKE , ON FROM ROLE ,ROLE You can also revoke any previously-grantedSELECTprivileges on specific columns of a
14、 table. For example:REVOKE SELECT(column_name) ON TABLE table_name FROM ROLE role_name;GRANT . WITH GRANT OPTIONyou can delegate granting and revoking privileges to other roles. For example, a role that is granted a privilegeWITH GRANT OPTIONcanGRANT/REVOKEthe same privilege to/from other roles. Hen
15、ce, if a role has the ALL privilege on a database and theWITH GRANT OPTIONset, users granted that role can executeGRANT/REVOKEstatements only for that database or child tables of the database.GRANT ON TO ROLE WITH GRANT OPTIONOnly a role withGRANToption on a specific privilege or its parent privileg
16、e can revoke that privilege from other roles. Once the following statement is executed, all privileges with and without grant option are revoked.REVOKE ON FROM ROLE Hive does not currently support revoking only theWITH GRANT OPTIONfrom a privilege previously granted to a role. To remove theWITH GRAN
17、T OPTION, revoke the privilege and grant it again without theWITH GRANT OPTIONflag.SET ROLE StatementTheSET ROLEstatement can be used to specify a role to be enabled for the current session. A user can only enable a role that has been granted to them. Any roles not listed and not already enabled are
18、 disabled for the current session. If no roles are enabled, the user will have the privileges granted by any of the roles that (s)he belongs to. To enable a specific role:SET ROLE ; To enable all roles:SET ROLE ALL; No roles enabled:SET ROLE NONE;SHOW Statement To list the database(s) for which the
19、current user has database, table, or column-level access:SHOW DATABASES; To list the table(s) for which the current user has table or column-level access:SHOW TABLES; To list the column(s) to which the current user hasSELECTaccess:SHOW COLUMNS; To list all the roles in the system (only for sentry ad
20、min users):SHOW ROLES; To list all the roles in effect for the current user session:SHOW CURRENT ROLES; To list all the roles assigned to the given(only allowed for Sentry admin users and others users that are part of the group specified by):SHOW ROLE GRANT GROUP ; TheSHOWstatement can also be used
21、to list the privileges that have been granted to a role or all the grants given to a role for a particular object.To list all the grants for the given(only allowed for Sentry admin users and other users that have been granted the role specified by). The following command will also list any column-le
22、vel privileges:SHOW GRANT ROLE ; To list all the grants for a role on the given(only allowed for Sentry admin users and other users that have been granted the role specified by). The following command will also list any column-level privileges:SHOW GRANT ROLE on OBJECT ;Example: Using Grant/Revoke S
23、tatements to Match an Existing Policy FileHere is a sample policy file:groups # Assigns each Hadoop group to its set of roles manager = analyst_role, junior_analyst_role analyst = analyst_role jranalyst = junior_analyst_role customers_admin = customers_admin_role admin = admin_role roles # The uris
24、below define a define a landing skid which # the user can use to import or export data from the system. # Since the server runs as the user hive files in that directory # must either have the group hive and read/write set or # be world read/write. analyst_role = server=server1-db=analyst1, server=se
25、rver1-db=jranalyst1-table=*-action=select server=server1-uri=hdfs:/ha-nn-uri/landing/analyst1 junior_analyst_role = server=server1-db=jranalyst1, server=server1-uri=hdfs:/ha-nn-uri/landing/jranalyst1 # Implies everything on server1. admin_role = server=server1The following sections show how you can
26、use the newGRANTstatements to assign privileges to roles (and assign roles to groups) to match the sample policy file above.Grant privileges toanalyst_role:CREATE ROLE analyst_role;GRANT ALL ON DATABASE analyst1 TO ROLE analyst_role;GRANT SELECT ON DATABASE jranalyst1 TO ROLE analyst_role;GRANT ALL
27、ON URI hdfs:/ha-nn-uri/landing/analyst1 TO ROLE analyst_role;Grant privileges tojunior_analyst_role:CREATE ROLE junior_analyst_role;GRANT ALL ON DATABASE jranalyst1 TO ROLE junior_analyst_role;GRANT ALL ON URI hdfs:/ha-nn-uri/landing/jranalyst1 TO ROLE junior_analyst_role;Grant privileges toadmin_role:CREATE ROLE admin_roleGRANT ALL ON SERVER server TO ROLE admin_role;Grant roles to groups:GRANT ROLE admin_role TO GROUP admin;GRANT ROLE analyst_role TO GROUP analyst;GRANT ROLE jranalyst_role TO GROUP jranalyst;
浙ICP备2021020529号-1 | 浙B2-20240490 
