IMPALA-6651: [DOCS] Fine grained privileges Change-Id: I7b018bf847537ed461df6d9caee99f90b139f8ab Cherry-picks: not for 2.x. Reviewed-on: http://gerrit.cloudera.org:8080/10079 Reviewed-by: Alex Behm <[email protected]> Tested-by: Impala Public Jenkins <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/impala/repo Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/22714a7a Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/22714a7a Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/22714a7a Branch: refs/heads/master Commit: 22714a7ab127b3871aa1cc5c97ff415a48ce2f85 Parents: ddc795d Author: Alex Rodoni <[email protected]> Authored: Sat Apr 14 08:32:06 2018 -0700 Committer: Impala Public Jenkins <[email protected]> Committed: Thu Apr 19 04:30:01 2018 +0000 ---------------------------------------------------------------------- docs/topics/impala_grant.xml | 163 +++++++++++++++++++++++++++++++------ docs/topics/impala_revoke.xml | 43 ++++++---- 2 files changed, 165 insertions(+), 41 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/impala/blob/22714a7a/docs/topics/impala_grant.xml ---------------------------------------------------------------------- diff --git a/docs/topics/impala_grant.xml b/docs/topics/impala_grant.xml index 03ad518..956a458 100644 --- a/docs/topics/impala_grant.xml +++ b/docs/topics/impala_grant.xml @@ -40,10 +40,9 @@ under the License. <conbody> <p rev="2.0.0"> - <indexterm audience="hidden">GRANT statement</indexterm> -<!-- Copied from Sentry docs. Turn into conref. I did some rewording for clarity. --> - The <codeph>GRANT</codeph> statement grants roles or privileges on specified objects to groups. Only Sentry - administrative users can grant roles to a group. + <indexterm audience="hidden">GRANT statement</indexterm> The + <codeph>GRANT</codeph> statement grants a privilege on a specified object + to a role or grants a role to a group. </p> <p conref="../shared/impala_common.xml#common/syntax_blurb"/> 
@@ -54,8 +53,8 @@ GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>ob TO [ROLE] <varname>roleName</varname> [WITH GRANT OPTION] -<ph rev="2.3.0">privilege ::= SELECT | SELECT(<varname>column_name</varname>) | INSERT | ALL</ph> -object_type ::= TABLE | DATABASE | SERVER | URI +<ph id="privileges" rev="3.0">privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(<varname>column_name</varname>)</ph> +<ph id="priv_objs" rev="3.0">object_type ::= TABLE | DATABASE | SERVER | URI</ph> </codeblock> <p> 
@@ -67,36 +66,148 @@ object_type ::= TABLE | DATABASE | SERVER | URI <p conref="../shared/impala_common.xml#common/privileges_blurb"/> <p> -<!-- To do: The wording here can be fluid, and it's reused in several statements. Turn into a conref. --> - Only administrative users (initially, a predefined set of users specified in the Sentry service configuration - file) can use this statement. + Only administrative users (initially, a predefined set of users + specified in the Sentry service configuration file) can use this + statement. </p> + <p>Only Sentry administrative users can grant roles to a group. </p> + + <p> The <codeph>WITH GRANT OPTION</codeph> clause allows members of the + specified role to issue <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> + statements for those same privileges Hence, if a role has the + <codeph>ALL</codeph> privilege on a database and the <codeph>WITH GRANT + OPTION</codeph> set, users granted that role can execute + <codeph>GRANT</codeph>/<codeph>REVOKE</codeph> statements only for that + database or child tables of the database. This means a user could revoke + the privileges of the user that provided them the <codeph>GRANT + OPTION</codeph>. </p> + + <p> Impala does not currently support revoking only the <codeph>WITH GRANT + OPTION</codeph> from a privilege previously granted to a role. To remove + the <codeph>WITH GRANT OPTION</codeph>, revoke the privilege and grant it + again without the <codeph>WITH GRANT OPTION</codeph> flag. </p> + <p rev="2.3.0 collevelauth"> + The ability to grant or revoke <codeph>SELECT</codeph> privilege on specific columns is available + in <keyword keyref="impala23_full"/> and higher. See <xref keyref="sg_hive_sql"/> for details. + </p> <p> - The <codeph>WITH GRANT OPTION</codeph> clause allows members of the specified role to issue - <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements for those same privileges -<!-- Copied from Sentry docs. Turn into conref. 
I did some rewording for clarity. --> - Hence, if a role has the <codeph>ALL</codeph> privilege on a database and the <codeph>WITH GRANT - OPTION</codeph> set, users granted that role can execute <codeph>GRANT</codeph>/<codeph>REVOKE</codeph> - statements only for that database or child tables of the database. This means a user could revoke the - privileges of the user that provided them the <codeph>GRANT OPTION</codeph>. + <b>Usage notes:</b> </p> <p> -<!-- Copied from Sentry docs. Turn into conref. Except I changed Hive to Impala. --> - Impala does not currently support revoking only the <codeph>WITH GRANT OPTION</codeph> from a privilege - previously granted to a role. To remove the <codeph>WITH GRANT OPTION</codeph>, revoke the privilege and - grant it again without the <codeph>WITH GRANT OPTION</codeph> flag. + You can only grant the <codeph>ALL</codeph> privilege to the + <codeph>URI</codeph> object. Finer-grained privileges mentioned below on + a <codeph>URI</codeph> are not supported. </p> - <p rev="2.3.0 collevelauth"> - The ability to grant or revoke <codeph>SELECT</codeph> privilege on specific columns is available - in <keyword keyref="impala23_full"/> and higher. See <xref keyref="sg_hive_sql"/> for details. 
+ <p> + Starting in <keyword keyref="impala30_full"/>, finer grained privileges + are enforced as below.<simpletable frame="all" relcolwidth="1* 1* 1*" + id="simpletable_kmb_ppn_ndb"> + <sthead> + <stentry>Privilege</stentry> + <stentry>Scope</stentry> + <stentry>SQL Allowed to Execute</stentry> + </sthead> + <strow> + <stentry><codeph>REFRESH</codeph></stentry> + <stentry><codeph>SERVER</codeph></stentry> + <stentry><codeph>INVALIDATE METADATA</codeph> on all tables in all + databases<p><codeph>REFRESH</codeph> on all tables and functions + in all databases</p></stentry> + </strow> + <strow> + <stentry><codeph>REFRESH</codeph></stentry> + <stentry><codeph>DATABASE</codeph></stentry> + <stentry><codeph>INVALIDATE METADATA</codeph> on all tables in the + named database<p><codeph>REFRESH</codeph> on all tables and + functions in the named database</p></stentry> + </strow> + <strow> + <stentry><codeph>REFRESH</codeph></stentry> + <stentry><codeph>TABLE</codeph></stentry> + <stentry><codeph>INVALIDATE METADATA</codeph> on the named + table<p><codeph>REFRESH</codeph> on the named + table</p></stentry> + </strow> + <strow> + <stentry><codeph>CREATE</codeph></stentry> + <stentry><codeph>SERVER</codeph></stentry> + <stentry><codeph>CREATE DATABASE</codeph> on all + databases<p><codeph>CREATE TABLE</codeph> on all + tables</p></stentry> + </strow> + <strow> + <stentry><codeph>CREATE</codeph></stentry> + <stentry><codeph>DATABASE</codeph></stentry> + <stentry><codeph>CREATE TABLE</codeph> on all tables in the named + database</stentry> + </strow> + <strow> + <stentry><codeph>DROP</codeph></stentry> + <stentry><codeph>SERVER</codeph></stentry> + <stentry><codeph>DROP DATBASE</codeph> on all databases<p><codeph>DROP + TABLE</codeph> on all tables</p></stentry> + </strow> + <strow> + <stentry><codeph>DROP</codeph></stentry> + <stentry><codeph>DATABASE</codeph></stentry> + <stentry><codeph>DROP DATABASE</codeph> on the named + database<p><codeph>DROP TABLE</codeph> on all tables 
in the + named database</p></stentry> + </strow> + <strow> + <stentry><codeph>DROP</codeph></stentry> + <stentry><codeph>TABLE</codeph></stentry> + <stentry><codeph>DROP TABLE</codeph> on the named table</stentry> + </strow> + <strow> + <stentry><codeph>ALTER</codeph></stentry> + <stentry><codeph>SERVER</codeph></stentry> + <stentry><codeph>ALTER TABLE</codeph> on all tables</stentry> + </strow> + <strow> + <stentry><codeph>ALTER</codeph></stentry> + <stentry><codeph>DATABASE</codeph></stentry> + <stentry><codeph>ALTER TABLE</codeph> on the tables in the named + database</stentry> + </strow> + <strow> + <stentry><codeph>ALTER</codeph></stentry> + <stentry><codeph>TABLE</codeph></stentry> + <stentry><codeph>ALTER TABLE</codeph> on the named table</stentry> + </strow> + </simpletable> </p> -<!-- Turn compatibility info into a conref or series of conrefs. (In both GRANT and REVOKE.) --> - -<!-- If they diverge during development, consider the version here in GRANT the authoritative one. --> + <p> + <note> + <p> + <ul> + <li> + <codeph>ALTER TABLE RENAME</codeph> requires the + <codeph>ALTER</codeph> privilege at the <codeph>TABLE</codeph> + level and the <codeph>CREATE</codeph> privilege at the + <codeph>DATABASE</codeph> level. + </li> + + <li> + <codeph>CREATE TABLE AS SELECT</codeph> requires the + <codeph>CREATE</codeph> privilege on the database that should + contain the new table and the <codeph>SELECT</codeph> privilege on + the tables referenced in the query portion of the statement. + </li> + + <li> + <codeph>COMPUTE STATS</codeph> requires the + <codeph>ALTER</codeph> and <codeph>SELECT</codeph> privileges on + the target table. + </li> + </ul> + </p> + </note> + </p> <p conref="../shared/impala_common.xml#common/compatibility_blurb"/> http://git-wip-us.apache.org/repos/asf/impala/blob/22714a7a/docs/topics/impala_revoke.xml ---------------------------------------------------------------------- 
diff --git a/docs/topics/impala_revoke.xml b/docs/topics/impala_revoke.xml index 78eda00..4c997f8 100644 --- a/docs/topics/impala_revoke.xml +++ b/docs/topics/impala_revoke.xml @@ -40,12 +40,8 @@ under the License. <conbody> <p rev="2.0.0"> - <indexterm audience="hidden">REVOKE statement</indexterm> -<!-- Copied from Sentry docs. Turn into conref. I did some rewording for clarity. --> - The <codeph>REVOKE</codeph> statement revokes roles or privileges on a specified object from groups. Only - Sentry administrative users can revoke the role from a group. The revocation has a cascading effect. For - example, revoking the <codeph>ALL</codeph> privilege on a database also revokes the same privilege for all - the tables in that database. + The <codeph>REVOKE</codeph> statement revokes roles or + privileges on a specified object from groups. </p> <p conref="../shared/impala_common.xml#common/syntax_blurb"/> 
@@ -55,11 +51,29 @@ under the License. REVOKE <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname> FROM [ROLE] <varname>role_name</varname> -<ph rev="2.3.0">privilege ::= SELECT | SELECT(<varname>column_name</varname>) | INSERT | ALL</ph> -object_type ::= TABLE | DATABASE | SERVER | URI +<ph rev="3.0"> + privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(<varname>column_name</varname>) +</ph> +<ph rev="3.0"> + object_type ::= TABLE | DATABASE | SERVER | URI +</ph> </codeblock> <p> + See <keyword keyref="grant"/> for the required privileges and the scope + for SQL operations. + </p> + + <p> + The <codeph>ALL</codeph> privilege is a distinct privilege and not a + union of all other privileges. Revoking <codeph>SELECT</codeph>, + <codeph>INSERT</codeph>, etc. from a role that only has the + <codeph>ALL</codeph> privilege has no effect. To reduce the privileges + of that role you must <codeph>REVOKE ALL</codeph> and + <codeph>GRANT</codeph> the desired privileges. + </p> + + <p> Typically, the object name is an identifier. For URIs, it is a string literal. </p> @@ -75,16 +89,15 @@ object_type ::= TABLE | DATABASE | SERVER | URI Only administrative users (those with <codeph>ALL</codeph> privileges on the server, defined in the Sentry policy file) can use this statement. </p> - -<!-- Turn compatibility info into a conref or series of conrefs. (In both GRANT and REVOKE.) --> + <p>Only Sentry administrative users can revoke the role from a group.</p> <p conref="../shared/impala_common.xml#common/compatibility_blurb"/> <p> <ul> <li> - The Impala <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements are available in <keyword keyref="impala20_full"/> and - higher. + The <codeph>REVOKE</codeph> statements are available in <keyword + keyref="impala20_full"/> and higher. </li> <li> 
@@ -94,9 +107,9 @@ object_type ::= TABLE | DATABASE | SERVER | URI </li> <li> - The Impala <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements do not require the - <codeph>ROLE</codeph> keyword to be repeated before each role name, unlike the equivalent Hive - statements. + The Impala <codeph>REVOKE</codeph> statements do not require the + <codeph>ROLE</codeph> keyword to be repeated before each role name, + unlike the equivalent Hive statements. </li> <li conref="../shared/impala_common.xml#common/grant_revoke_single"/>
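Review bot: in the impala_grant.xml hunk at @@ -54,8 +53,8 @@, the two <ph> elements gain id="privileges" and id="priv_objs", but nothing in this change references those ids; the impala_revoke.xml hunk at @@ -55,11 +51,29 @@ retypes the same grammar instead. Either conref the REVOKE copies to these ids, so the privilege list is maintained in one place and cannot drift between the two topics, or drop the unused ids.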
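Review bot: typo in the simpletable in the impala_grant.xml hunk at @@ -67,36 +66,148 @@: the DROP / SERVER row reads "DROP DATBASE on all databases" and should read "DROP DATABASE". In the same hunk the WITH GRANT OPTION paragraph lost its sentence break ("statements for those same privileges Hence, if a role has the"); add the period before "Hence". The closing note is wrapped as <p><note><p><ul> ... </ul></p></note></p>; <note><ul> ... </ul></note> is enough and avoids nesting a paragraph inside a paragraph. Also confirm that the doc build's DITA DTD accepts <simpletable> as a child of <p>; if it does not, close the paragraph after "are enforced as below." and place the table as a sibling element.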
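Review bot: the impala_revoke.xml hunk at @@ -40,12 +40,8 @@ deletes the cascade description ("The revocation has a cascading effect. For example, revoking the ALL privilege on a database also revokes the same privilege for all the tables in that database.") without relocating it, and neither the commit message nor the new text says the behaviour changed; if REVOKE still cascades, keep that sentence, since it is what an administrator needs to predict the blast radius of a revocation. The retained summary "revokes roles or privileges on a specified object from groups" is also now out of step with the rewritten GRANT description and with the syntax "FROM [ROLE] role_name": privileges are revoked from roles and roles from groups, so "revokes a privilege on a specified object from a role or revokes a role from a group" would mirror the GRANT topic.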
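Review bot: whitespace inside <codeblock> is rendered literally, so the multi-line form introduced in the impala_revoke.xml hunk at @@ -55,11 +51,29 @@ ("<ph rev="3.0">" on its own line, an indented "privilege ::= ..." line, then "</ph>") will print extra line breaks and leading spaces in the syntax block; keep each <ph> on one line as the GRANT topic does, or conref the privileges and priv_objs ids that the GRANT hunk adds. The new <keyword keyref="grant"/> needs a matching keydef in the key map; confirm one exists. The paragraph explaining that ALL is a distinct privilege rather than a union, so revoking SELECT from a role that holds only ALL is a no-op, applies equally to GRANT and is the kind of detail an administrator auditing effective privileges relies on; consider placing it in impala_grant.xml and conrefing it here.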
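Review bot: number agreement in the impala_revoke.xml hunk at @@ -75,16 +89,15 @@: "The REVOKE statements are available in ... and higher" should read "The REVOKE statement is available". The added sentence "Only Sentry administrative users can revoke the role from a group." directly follows a paragraph that already states only administrative users can use this statement; fold the two together. The two topics also still describe the admin set differently ("Sentry policy file" here, "Sentry service configuration file" in impala_grant.xml); pick one wording.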
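Review bot: same agreement fix in the impala_revoke.xml hunk at @@ -94,9 +107,9 @@: "The Impala REVOKE statements do not require the ROLE keyword" should read "The Impala REVOKE statement does not require the ROLE keyword".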
