hive+senrty 权限命令(beeline).docx

Column-level AuthorizationThe following command grants a role the?SELECT?privilege on a column:GRANT SELECT(column_name) ON TABLE table_name TO ROLE role_name;The following command can be used to revoke the?SELECT?privilege on a column:REVOKE SELECT(column_name) ON TABLE table_name FROM ROLE role_name;Any new columns added to a table will be inaccessible by default, until explicitly granted access.Actions allowed for users with SELECT privilege on a column:Users whose roles have been granted the?SELECT?privilege on columns only, can perform operations which explicitly refer to those columns. Some examples are:SELECT column_name FROM TABLE table_name;In this case, Sentry will first check to see if the user has the required privileges to access the table. It will then further check to see whether the user has the?SELECTprivilege to access the column(s).SELECT COUNT(column_name) FROM TABLE table_name;Users are also allowed to use the?COUNT?function to return the number of values in the column.SELECT column_name FROM TABLE table_name WHERE column_name operator GROUP BY column_name; The above command will work as long as you refer only to columns to which you already have access.To list the column(s) to which the current user has?SELECT?access:SHOW COLUMNS;Exceptions:If a user has?SELECT?access to all columns in a table, the following command will work. Note that this is an exception, not the norm. In all other cases,?SELECT?on all columns does?not?allow you to perform table-level operations.SELECT * FROM TABLE table_name;The?DESCRIBE?table command differs from the others, in that it does not filter out columns for which the user does not have?SELECT?access.DESCRIBE (table_name);Limitations:Column-level privileges can only be applied to tables and partitions, not views.HDFS-Sentry Sync:?With HDFS-Sentry sync enabled, even if a user has been granted access to all columns of a table, they will not have access to the corresponding HDFS data files. This is because Sentry do