1、Column-level Authorization The following command grants a role the SELECT privilege on a column: GRANT SELECT(column_name) ON TABLE table_name TO ROLE role_name; The following command can be used to revoke the SELECT privilege on a column: REVOKE SELECT(column_name) ON TABLE table_name FROM ROLE
2、 role_name; Any new columns added to a table will be inaccessible by default, until explicitly granted access. Actions allowed for users with SELECT privilege on a column: Users whose roles have been granted the SELECT privilege on columns only, can perform operations which explicitly refer to th
3、ose columns. Some examples are: · SELECT column_name FROM TABLE table_name; In this case, Sentry will first check to see if the user has the required privileges to access the table. It will then further check to see whether the user has the SELECTprivilege to access the column(s). · SELECT COUNT(
4、column_name) FROM TABLE table_name;
Users are also allowed to use the COUNT function to return the number of values in the column.
· SELECT column_name FROM TABLE table_name WHERE column_name
5、ich you already have access. · To list the column(s) to which the current user has SELECT access: SHOW COLUMNS; Exceptions: · If a user has SELECT access to all columns in a table, the following command will work. Note that this is an exception, not the norm. In all other cases, SELECT on all co
6、lumns does not allow you to perform table-level operations. SELECT * FROM TABLE table_name; · The DESCRIBE table command differs from the others, in that it does not filter out columns for which the user does not have SELECT access. DESCRIBE (table_name); Limitations: · Column-level privileges
7、can only be applied to tables and partitions, not views. · HDFS-Sentry Sync: With HDFS-Sentry sync enabled, even if a user has been granted access to all columns of a table, they will not have access to the corresponding HDFS data files. This is because Sentry does not consider SELECT on all column
8、s equivalent to explicitly being granted SELECT on the table. · Column-level access control for access from Spark SQL is not supported by the HDFS-Sentry plug-in. CREATE ROLE Statement The CREATE ROLE statement creates a role to which privileges can be granted. Privileges can be granted to roles,
9、 which can then be assigned to users. A user that has been assigned a role will only be able to exercise the privileges of that role. Only users that have administrative privileges can create/drop roles. By default, the hive, impala and hue users have admin privileges in Sentry. CREATE ROLE [role_
10、name]; DROP ROLE Statement The DROP ROLE statement can be used to remove a role from the database. Once dropped, the role will be revoked for all users to whom it was previously assigned. Queries that are already executing will not be affected. However, since Hive checks user privileges before exe
11、cuting each query, active user sessions in which the role has already been enabled will be affected. DROP ROLE [role_name]; GRANT ROLE Statement The GRANT ROLE statement can be used to grant roles to groups. Only Sentry admin users can grant roles to a group. GRANT ROLE role_name [, role_name]
12、
TO GROUP 13、VILEGE> Statement
In order to grant privileges on an object to a role, the user must be a Sentry admin user.
GRANT
14、ble. For example:
GRANT SELECT(column_name) ON TABLE table_name TO ROLE role_name;
REVOKE 15、BJECT> 16、gate granting and revoking privileges to other roles. For example, a role that is granted a privilege WITH GRANT OPTION can GRANT/REVOKE the same privilege to/from other roles. Hence, if a role has the ALL privilege on a database and the WITH GRANT OPTION set, users granted that role can execute GRA 17、NT/REVOKEstatements only for that database or child tables of the database.
GRANT
18、s. Once the following statement is executed, all privileges with and without grant option are revoked.
REVOKE
19、 To remove the WITH GRANT OPTION, revoke the privilege and grant it again without the WITH GRANT OPTION flag.
SET ROLE Statement
The SET ROLE statement can be used to specify a role to be enabled for the current session. A user can only enable a role that has been granted to them. Any roles not li 20、sted and not already enabled are disabled for the current session. If no roles are enabled, the user will have the privileges granted by any of the roles that (s)he belongs to.
· To enable a specific role:
SET ROLE 21、ONE;
SHOW Statement
· To list the database(s) for which the current user has database, table, or column-level access:
SHOW DATABASES;
· To list the table(s) for which the current user has table or column-level access:
SHOW TABLES;
· To list the column(s) to which the current user has SELECT ac 22、cess:
SHOW COLUMNS;
· To list all the roles in the system (only for sentry admin users):
SHOW ROLES;
· To list all the roles in effect for the current user session:
SHOW CURRENT ROLES;
· To list all the roles assigned to the given 23、rs that are part of the group specified by 24、y allowed for Sentry admin users and other users that have been granted the role specified by 25、s and other users that have been granted the role specified by 26、roups]
# Assigns each Hadoop group to its set of roles
manager = analyst_role, junior_analyst_role
analyst = analyst_role
jranalyst = junior_analyst_role
customers_admin = customers_admin_role
admin = admin_role
[roles] # The uris below define a define a landing skid which
# the 27、user can use to import or export data from the system.
# Since the server runs as the user "hive" files in that directory
# must either have the group hive and read/write set or
# be world read/write.
analyst_role = server=server1->db=analyst1, \
server=server1->db=jranalyst1->tabl 28、e=*->action=select
server=server1->uri=hdfs://ha-nn-uri/landing/analyst1
junior_analyst_role = server=server1->db=jranalyst1, \
server=server1->uri=hdfs://ha-nn-uri/landing/jranalyst1
# Implies everything on server1.
admin_role = server=server1
The following section 29、s show how you can use the new GRANT statements to assign privileges to roles (and assign roles to groups) to match the sample policy file above.
Grant privileges to analyst_role:
CREATE ROLE analyst_role;
GRANT ALL ON DATABASE analyst1 TO ROLE analyst_role;
GRANT SELECT ON DATABASE jranalyst1 T 30、O ROLE analyst_role;
GRANT ALL ON URI 'hdfs://ha-nn-uri/landing/analyst1' \
TO ROLE analyst_role;
Grant privileges to junior_analyst_role:
CREATE ROLE junior_analyst_role;
GRANT ALL ON DATABASE jranalyst1 TO ROLE junior_analyst_role;
GRANT ALL ON URI 'hdfs://ha-nn-uri/landing/jranalyst1' \
TO ROLE junior_analyst_role;
Grant privileges to admin_role:
CREATE ROLE admin_role
GRANT ALL ON SERVER server TO ROLE admin_role;
Grant roles to groups:
GRANT ROLE admin_role TO GROUP admin;
GRANT ROLE analyst_role TO GROUP analyst;
GRANT ROLE jranalyst_role TO GROUP jranalyst;






