IMPALA-6883: [DOCS] Refactor impala_authorization doc Change-Id: I3df72adb25dcdcbc286934b048645f47d876b33d Reviewed-on: http://gerrit.cloudera.org:8080/10786 Reviewed-by: Alex Rodoni <[email protected]> Tested-by: Impala Public Jenkins <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/impala/repo Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/4ff9f5f3 Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/4ff9f5f3 Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/4ff9f5f3 Branch: refs/heads/master Commit: 4ff9f5f3d280607ca523652319c8691803c5db57 Parents: 30e82c6 Author: Alex Rodoni <[email protected]> Authored: Thu Jun 21 13:44:38 2018 -0700 Committer: Impala Public Jenkins <[email protected]> Committed: Tue Jul 3 23:21:07 2018 +0000 ---------------------------------------------------------------------- docs/shared/impala_common.xml | 867 ++++++++++++++---------------- docs/topics/impala_authorization.xml | 266 ++++----- docs/topics/impala_grant.xml | 111 +--- 3 files changed, 543 insertions(+), 701 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/impala/blob/4ff9f5f3/docs/shared/impala_common.xml ---------------------------------------------------------------------- diff --git a/docs/shared/impala_common.xml b/docs/shared/impala_common.xml index 6faa9c1..4dcfffb 100644 --- a/docs/shared/impala_common.xml +++ b/docs/shared/impala_common.xml 
@@ -115,451 +115,388 @@ under the License. nested topics at the end of this file. </p> - <table id="sentry_privileges_objects"> - <title>Valid privilege types and objects they apply to</title> - <tgroup cols="2"> - <colspec colnum="1" colname="col1" colwidth="1*"/> - <colspec colnum="2" colname="col2" colwidth="2*"/> - <thead> - <row> - <entry><b>Privilege</b></entry> - <entry><b>Object</b></entry> - </row> - </thead> - <tbody> - <row> - <entry>INSERT</entry> - <entry>DB, TABLE</entry> - </row> - <row> - <entry>SELECT</entry> - <entry>DB, TABLE, COLUMN</entry> - </row> - <row> - <entry>ALL</entry> - <entry>SERVER, TABLE, DB, URI</entry> - </row> - </tbody> - </tgroup> - </table> - - <table id="privileges_sql"> - <title>Privilege table for Hive & Impala operations</title> - <tgroup cols="4"> - <colspec colnum="1" colname="col1" colwidth="1.31*"/> - <colspec colnum="2" colname="col2" colwidth="1.17*"/> - <colspec colnum="3" colname="col3" colwidth="1*"/> - <colspec colname="newCol4" colnum="4" colwidth="1*"/> - <thead> - <row> - <entry>Operation</entry> - <entry>Scope</entry> - <entry>Privileges Required</entry> - <entry>URI</entry> - </row> - </thead> - <tbody> - <row id="create_database_privs"> - <entry>CREATE DATABASE</entry> - <entry>SERVER</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="drop_database_privs"> - <entry>DROP DATABASE</entry> - <entry>DATABASE</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="create_table_privs"> - <entry>CREATE TABLE</entry> - <entry>DATABASE</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="drop_table_privs"> - <entry>DROP TABLE</entry> - <entry>TABLE</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="create_view_privs"> - <entry>CREATE VIEW<p>-This operation is allowed if you have - column-level <codeph>SELECT</codeph> access to the columns - being used.</p></entry> - <entry>DATABASE; SELECT on TABLE; </entry> - <entry>ALL</entry> - <entry/> - </row> - <row> - <entry>ALTER VIEW<p>-This 
operation is allowed if you have - column-level <codeph>SELECT</codeph> access to the columns - being used.</p></entry> - <entry>VIEW/TABLE</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="drop_view_privs"> - <entry>DROP VIEW</entry> - <entry>VIEW/TABLE</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="alter_table_add_columns_privs"> - <entry>ALTER TABLE .. ADD COLUMNS</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_replace_columns_privs"> - <entry>ALTER TABLE .. REPLACE COLUMNS</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_change_column_privs"> - <entry>ALTER TABLE .. CHANGE column</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_rename_privs"> - <entry>ALTER TABLE .. RENAME</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_set_tblproperties_privs"> - <entry>ALTER TABLE .. SET TBLPROPERTIES</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_set_fileformat_privs"> - <entry>ALTER TABLE .. SET FILEFORMAT</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_set_location_privs"> - <entry>ALTER TABLE .. SET LOCATION</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry>URI</entry> - </row> - <row id="alter_table_add_partition_privs"> - <entry>ALTER TABLE .. ADD PARTITION</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_add_partition_location_privs"> - <entry>ALTER TABLE .. ADD PARTITION location</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry>URI</entry> - </row> - <row id="alter_table_drop_partition_privs"> - <entry>ALTER TABLE .. 
DROP PARTITION</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_partition_set_fileformat_privs"> - <entry>ALTER TABLE .. PARTITION SET FILEFORMAT</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="show_create_table_privs"> - <entry>SHOW CREATE TABLE</entry> - <entry>TABLE</entry> - <entry>SELECT/INSERT</entry> - <entry/> - </row> - <row id="show_partitions_privs"> - <entry>SHOW PARTITIONS</entry> - <entry>TABLE</entry> - <entry>SELECT/INSERT</entry> - <entry/> - </row> - <row> - <entry>SHOW TABLES<p>-Output includes all the tables for which - the user has table-level privileges and all the tables for - which the user has some column-level privileges.</p></entry> - <entry>TABLE</entry> - <entry>SELECT/INSERT</entry> - <entry/> - </row> - <row> - <entry>SHOW GRANT ROLE<p>-Output includes an additional field - for any column-level privileges.</p></entry> - <entry>TABLE</entry> - <entry>SELECT/INSERT</entry> - <entry/> - </row> - <row id="describe_table_privs"> - <entry>DESCRIBE TABLE<p>-Output shows <i>all</i> columns if the - user has table level-privileges or <codeph>SELECT</codeph> - privilege on at least one table column</p></entry> - <entry>TABLE</entry> - <entry>SELECT/INSERT</entry> - <entry/> - </row> - <row id="load_data_privs"> - <entry>LOAD DATA</entry> - <entry>TABLE</entry> - <entry>INSERT</entry> - <entry>URI</entry> - </row> - <row id="select_privs"> - <entry>SELECT<p>-You can grant the SELECT privilege on a view to - give users access to specific columns of a table they do not - otherwise have access to.</p><p>-See - <xref keyref="sg_hive_sql"/> - for details on allowed column-level - operations.</p></entry> - <entry>VIEW/TABLE; COLUMN</entry> - <entry>SELECT</entry> - <entry/> - </row> - <row id="insert_overwrite_table_privs"> - <entry>INSERT OVERWRITE TABLE</entry> - <entry>TABLE</entry> - <entry>INSERT</entry> - <entry/> - </row> - <row 
id="create_table_as_select_privs"> - <entry>CREATE TABLE .. AS SELECT<p>-This operation is allowed if - you have column-level <codeph>SELECT</codeph> access to the - columns being used.</p></entry> - <entry>DATABASE; SELECT on TABLE</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="use_privs"> - <entry>USE <dbName></entry> - <entry>Any</entry> - <entry/> - <entry/> - </row> - <row id="create_function_privs"> - <entry>CREATE FUNCTION</entry> - <entry>SERVER</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="alter_table_set_serdeproperties_privs"> - <entry>ALTER TABLE .. SET SERDEPROPERTIES</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row> - <entry>ALTER TABLE .. PARTITION SET SERDEPROPERTIES</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="_privs"> - <entry namest="col1" nameend="newCol4"><b>Hive-Only - Operations</b></entry> - </row> - <row id="insert_overwrite_directory_privs"> - <entry>INSERT OVERWRITE DIRECTORY</entry> - <entry>TABLE</entry> - <entry>INSERT</entry> - <entry>URI</entry> - </row> - <row id="analyze_table_privs"> - <entry>Analyze TABLE</entry> - <entry>TABLE</entry> - <entry>SELECT + INSERT</entry> - <entry/> - </row> - <row id="import_table_privs"> - <entry>IMPORT TABLE</entry> - <entry>DATABASE</entry> - <entry>ALL</entry> - <entry>URI</entry> - </row> - <row id="export_table_privs"> - <entry>EXPORT TABLE</entry> - <entry>TABLE</entry> - <entry>SELECT</entry> - <entry>URI</entry> - </row> - <row id="alter_table_touch_privs"> - <entry>ALTER TABLE TOUCH</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_touch_partition_privs"> - <entry>ALTER TABLE TOUCH PARTITION</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_clustered_by_privs"> - <entry>ALTER TABLE .. 
CLUSTERED BY SORTED BY</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_enable_privs"> - <entry>ALTER TABLE .. ENABLE/DISABLE</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_partition_enable_privs"> - <entry>ALTER TABLE .. PARTITION ENABLE/DISABLE</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row id="alter_table_partition_rename_privs"> - <entry>ALTER TABLE .. PARTITION.. RENAME TO PARTITION</entry> - <entry>TABLE</entry> - <entry>ALL on DATABASE</entry> - <entry/> - </row> - <row> - <entry>MSCK REPAIR TABLE</entry> - <entry>TABLE</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="alter_database_privs"> - <entry>ALTER DATABASE</entry> - <entry>DATABASE</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="describe_database_privs"> - <entry>DESCRIBE DATABASE</entry> - <entry>DATABASE</entry> - <entry>SELECT/INSERT</entry> - <entry/> - </row> - <row id="show_columns_privs"> - <entry>SHOW COLUMNS<p>-Output for this operation filters columns - to which the user does not have explicit - <codeph>SELECT</codeph> access </p></entry> - <entry>TABLE</entry> - <entry>SELECT/INSERT</entry> - <entry/> - </row> - <row id="create_index_privs"> - <entry>CREATE INDEX</entry> - <entry>TABLE</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="drop_index_privs"> - <entry>DROP INDEX</entry> - <entry>TABLE</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="show_indexes_privs"> - <entry>SHOW INDEXES</entry> - <entry>TABLE</entry> - <entry>SELECT/INSERT</entry> - <entry/> - </row> - <row id="grant_privs"> - <entry>GRANT PRIVILEGE</entry> - <entry>Allowed only for Sentry admin users</entry> - <entry/> - <entry/> - </row> - <row id="revoke_privs"> - <entry>REVOKE PRIVILEGE</entry> - <entry>Allowed only for Sentry admin users</entry> - <entry/> - <entry/> - </row> - <row id="show_grants_privs"> - 
<entry>SHOW GRANTS</entry> - <entry>Allowed only for Sentry admin users</entry> - <entry/> - <entry/> - </row> - <row id="show_tblproperties_privs"> - <entry>SHOW TBLPROPERTIES</entry> - <entry>TABLE</entry> - <entry>SELECT/INSERT</entry> - <entry/> - </row> - <row id="describe_table_partition_privs"> - <entry>DESCRIBE TABLE .. PARTITION</entry> - <entry>TABLE</entry> - <entry>SELECT/INSERT</entry> - <entry/> - </row> - <row id="add_jar_privs"> - <entry>ADD JAR</entry> - <entry>Not Allowed</entry> - <entry/> - <entry/> - </row> - <row id="add_file_privs"> - <entry>ADD FILE</entry> - <entry>Not Allowed</entry> - <entry/> - <entry/> - </row> - <row id="dfs_privs"> - <entry>DFS</entry> - <entry>Not Allowed</entry> - <entry/> - <entry/> - </row> - <row> - <entry namest="col1" nameend="newCol4"><b>Impala-Only - Operations</b></entry> - </row> - <row id="explain_privs"> - <entry>EXPLAIN</entry> - <entry>TABLE; COLUMN</entry> - <entry>SELECT</entry> - <entry/> - </row> - <row id="invalidate_metadata_privs"> - <entry>INVALIDATE METADATA</entry> - <entry>SERVER</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="invalidate_metadata_table_privs"> - <entry>INVALIDATE METADATA <table name></entry> - <entry>TABLE</entry> - <entry>SELECT/INSERT</entry> - <entry/> - </row> - <row id="refresh_privs"> - <entry>REFRESH <table name> or REFRESH <table name> PARTITION (<partition_spec>)</entry> - <entry>TABLE</entry> - <entry>SELECT/INSERT</entry> - <entry/> - </row> - <row id="drop_function_privs"> - <entry>DROP FUNCTION</entry> - <entry>SERVER</entry> - <entry>ALL</entry> - <entry/> - </row> - <row id="compute_stats_privs"> - <entry>COMPUTE STATS</entry> - <entry>TABLE</entry> - <entry>ALL</entry> - <entry/> - </row> - </tbody> - </tgroup> - </table> + <p id="sentry_privileges_objects">The table below lists the minimum level + of privileges and the scope required to execute SQL statements in + <keyword keyref="impala30_full"/> and higher. 
The following notations + are used:<ul> + <li><b>ANY</b> denotes the <codeph>SELECT</codeph>, + <codeph>INSERT</codeph>, <codeph>CREATE</codeph>, + <codeph>ALTER</codeph>, <codeph>DROP</codeph>, <b><i>or</i></b> + <codeph>REFRESH</codeph> privilege.</li> + <li><b>ALL</b> privilege denotes the <codeph>SELECT</codeph>, + <codeph>INSERT</codeph>, <codeph>CREATE</codeph>, + <codeph>ALTER</codeph>, <codeph>DROP</codeph>, <b><i>and</i></b> + <codeph>REFRESH</codeph> privileges.</li> + <li>The parent levels of the specified scope are implicitly supported. + For example, if a privilege is listed with the + <codeph>TABLE</codeph> scope, the same privilege granted on + <codeph>DATABASE</codeph> and <codeph>SERVER</codeph> will allow + the user to execute the specified SQL statement.</li> + </ul><table id="sentry_privileges_objects_tab" frame="all" colsep="1" + rowsep="1"> + <tgroup cols="3"> + <colspec colnum="1" colname="col1"/> + <colspec colnum="2" colname="col2"/> + <colspec colnum="3" colname="col3"/> + <tbody> + <row> + <entry><b>SQL Statement</b></entry> + <entry><b>Privileges</b></entry> + <entry><b>Scope</b></entry> + </row> + <row> + <entry>SELECT</entry> + <entry>SELECT</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>WITH SELECT</entry> + <entry>SELECT</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>EXPLAIN SELECT</entry> + <entry>SELECT</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>INSERT</entry> + <entry>INSERT</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>EXPLAIN INSERT</entry> + <entry>INSERT</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>TRUNCATE</entry> + <entry>INSERT</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>LOAD</entry> + <entry>INSERT</entry> + <entry>TABLE</entry> + </row> + <row> + <entry/> + <entry>ALL</entry> + <entry>URI</entry> + </row> + <row> + <entry>CREATE DATABASE</entry> + <entry>CREATE</entry> + <entry>SERVER</entry> + </row> + <row> + <entry>CREATE DATABASE LOCATION</entry> + 
<entry>CREATE</entry> + <entry>SERVER</entry> + </row> + <row> + <entry/> + <entry>ALL</entry> + <entry>URI</entry> + </row> + <row> + <entry>CREATE TABLE</entry> + <entry>CREATE</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry>CREATE TABLE LIKE</entry> + <entry>CREATE</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry/> + <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>CREATE TABLE AS SELECT</entry> + <entry>CREATE</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry/> + <entry>INSERT</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry/> + <entry>SELECT</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>EXPLAIN CREATE TABLE AS SELECT</entry> + <entry>CREATE</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry/> + <entry>INSERT</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry/> + <entry>SELECT</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>CREATE TABLE LOCATION</entry> + <entry>CREATE</entry> + <entry>TABLE</entry> + </row> + <row> + <entry/> + <entry>ALL</entry> + <entry>URI</entry> + </row> + <row> + <entry>CREATE VIEW</entry> + <entry>CREATE</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry/> + <entry>SELECT</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>ALTER DATABASE</entry> + <entry>ALTER</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry>ALTER TABLE</entry> + <entry>ALTER</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>ALTER TABLE SET LOCATION</entry> + <entry>ALTER</entry> + <entry>TABLE</entry> + </row> + <row> + <entry/> + <entry>ALL</entry> + <entry>URI</entry> + </row> + <row> + <entry>ALTER TABLE RENAME</entry> + <entry>CREATE</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry/> + <entry>ALTER</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>ALTER VIEW</entry> + <entry>ALTER</entry> + <entry>TABLE</entry> + </row> + <row> + <entry/> + <entry>SELECT</entry> + 
<entry>TABLE</entry> + </row> + <row> + <entry>ALTER VIEW RENAME</entry> + <entry>CREATE</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry/> + <entry>ALTER</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>DROP DATABASE</entry> + <entry>DROP</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry>DROP TABLE</entry> + <entry>DROP</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>DROP VIEW</entry> + <entry>DROP</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>CREATE FUNCTION</entry> + <entry>CREATE</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry/> + <entry>ALL</entry> + <entry>URI</entry> + </row> + <row> + <entry>DROP FUNCTION</entry> + <entry>DROP</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry>COMPUTE STATS</entry> + <entry>ALTER and SELECT</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>DROP STATS</entry> + <entry>ALTER</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>INVALIDATE METADATA</entry> + <entry>REFRESH</entry> + <entry>SERVER</entry> + </row> + <row> + <entry>INVALIDATE METADATA <table></entry> + <entry>REFRESH</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>REFRESH <table></entry> + <entry>REFRESH</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>REFRESH FUNCTIONS</entry> + <entry>REFRESH</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry>COMMENT ON DATABASE</entry> + <entry>ALTER</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry>COMMENT ON TABLE</entry> + <entry>ALTER</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>COMMENT ON VIEW</entry> + <entry>ALTER</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>DESCRIBE DATABASE</entry> + <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry>DESCRIBE <table/view></entry> + <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>USE</entry> + <entry>ANY</entry> + <entry>TABLE</entry> 
+ </row> + <row> + <entry>SHOW DATABASES</entry> + <entry>ANY</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>SHOW TABLES</entry> + <entry>ANY</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>SHOW FUNCTIONS</entry> + <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry>SHOW PARTITIONS</entry> + <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>SHOW TABLE STATS</entry> + <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>SHOW COLUMN STATS</entry> + <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>SHOW FILES</entry> + <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>SHOW CREATE TABLE</entry> + <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>SHOW CREATE VIEW</entry> + <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>SHOW CREATE FUNCTION</entry> + <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry> + <entry>DATABASE</entry> + </row> + <row> + <entry>SHOW RANGE PARTITIONS (Kudu only)</entry> + <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry> + <entry>TABLE</entry> + </row> + <row> + <entry>UPDATE (Kudu only)</entry> + <entry>ALL</entry> + <entry>SERVER</entry> + </row> + <row> + <entry>EXPLAIN UPDATE (Kudu only)</entry> + <entry>ALL</entry> + <entry>SERVER</entry> + </row> + <row> + <entry>UPSERT (Kudu only)</entry> + <entry>ALL</entry> + <entry>SERVER</entry> + </row> + <row> + <entry>WITH UPSERT (Kudu only)</entry> + <entry>ALL</entry> + <entry>SERVER</entry> + </row> + <row> + <entry>EXPLAIN UPSERT (Kudu only)</entry> + <entry>ALL</entry> + <entry>SERVER</entry> + </row> + <row> + <entry>DELETE (Kudu only)</entry> + <entry>ALL</entry> + <entry>SERVER</entry> 
+ </row> + <row> + <entry>EXPLAIN DELETE (Kudu only)</entry> + <entry>ALL</entry> + <entry>SERVER</entry> + </row> + </tbody> + </tgroup> + </table></p> <p rev="IMPALA-2660" id="auth_to_local_instructions"> In <keyword keyref="impala26_full"/> and higher, Impala recognizes the <codeph>auth_to_local</codeph> setting, 
@@ -590,29 +527,23 @@ under the License. <b><ph id="title_sentry_debug">Debugging Failed Sentry Authorization Requests</ph></b> </p> - <p id="sentry_debug"> - Sentry logs all facts that lead up to authorization decisions at the debug level. If you do not understand - why Sentry is denying access, the best way to debug is to temporarily turn on debug logging: - <ul> - <li> - Add <codeph>log4j.logger.org.apache.sentry=DEBUG</codeph> to the <filepath>log4j.properties</filepath> - file on each host in the cluster, in the appropriate configuration directory for each service. - </li> - </ul> - Specifically, look for exceptions and messages such as: -<codeblock xml:space="preserve">FilePermission server..., RequestPermission server...., result [true|false]</codeblock> - which indicate each evaluation Sentry makes. The <codeph>FilePermission</codeph> is from the policy file, - while <codeph>RequestPermission</codeph> is the privilege required for the query. A - <codeph>RequestPermission</codeph> will iterate over all appropriate <codeph>FilePermission</codeph> - settings until a match is found. If no matching privilege is found, Sentry returns <codeph>false</codeph> - indicating <q>Access Denied</q> . -<!-- -[1] -Impala: Impala Daemon -> Advanced -> Impala Daemon Logging Safety Valve -Hive: Hive Server 2 -> Advanced -> HiveServer2 Logging Safety Valve -Search: Solr Server -> Advanced -> HiveServer2 Logging Safety Valve ---> - </p> + <p id="sentry_debug"> Sentry logs all facts that lead up to authorization + decisions at the debug level. If you do not understand why Sentry is + denying access, the best way to debug is to temporarily turn on debug + logging: <ul> + <li> Add <codeph>log4j.logger.org.apache.sentry=DEBUG</codeph> to the + <filepath>log4j.properties</filepath> file on each host in the + cluster, in the appropriate configuration directory for each + service. 
</li> + </ul> Specifically, look for exceptions and messages such as: + <codeblock xml:space="preserve">FilePermission server..., RequestPermission server...., result [true|false]</codeblock> + which indicate each evaluation Sentry makes. The + <codeph>FilePermission</codeph> is from the policy file, while + <codeph>RequestPermission</codeph> is the privilege required for the + query. A <codeph>RequestPermission</codeph> will iterate over all + appropriate <codeph>FilePermission</codeph> settings until a match is + found. If no matching privilege is found, Sentry returns + <codeph>false</codeph> indicating <q>Access Denied</q>.</p> </section> http://git-wip-us.apache.org/repos/asf/impala/blob/4ff9f5f3/docs/topics/impala_authorization.xml ---------------------------------------------------------------------- diff --git a/docs/topics/impala_authorization.xml b/docs/topics/impala_authorization.xml index 4e4a243..39932f6 100644 --- a/docs/topics/impala_authorization.xml +++ b/docs/topics/impala_authorization.xml 
@@ -65,12 +65,23 @@ under the License.
 <conbody>
 <p>
- Privileges can be granted on different objects in the schema. Any privilege that can be granted is
- associated with a level in the object hierarchy. If a privilege is granted on a container object in the
- hierarchy, the child object automatically inherits it. This is the same privilege model as Hive and other
- database systems such as MySQL.
+ Privileges can be granted on different objects in the schema. Any privilege that can be
+ granted is associated with a level in the object hierarchy. If a privilege is granted on
+ a parent object in the hierarchy, the child object automatically inherits it. This is
+ the same privilege model as Hive and other database systems.
+ </p>
+
+ <p>
+ The objects in the Impala schema hierarchy are:
 </p>
+<codeblock>Server
+ URI
+ Database
+ Table
+ Column
+</codeblock>
+
 <p rev="2.3.0 collevelauth">
 The object hierarchy for Impala covers Server, URI, Database, Table, and Column. (The Table privileges apply to views as well; anywhere you specify a table name, you can specify a view name instead.)
@@ -81,63 +92,7 @@ under the License. in a table. </p> - <p> - A restricted set of privileges determines what you can do with each object: - </p> - - <dl> - <dlentry id="select_priv"> - - <dt> - SELECT privilege - </dt> - - <dd> - Lets you read data from a table or view, for example with the <codeph>SELECT</codeph> statement, the - <codeph>INSERT...SELECT</codeph> syntax, or <codeph>CREATE TABLE...LIKE</codeph>. Also required to - issue the <codeph>DESCRIBE</codeph> statement or the <codeph>EXPLAIN</codeph> statement for a query - against a particular table. Only objects for which a user has this privilege are shown in the output - for <codeph>SHOW DATABASES</codeph> and <codeph>SHOW TABLES</codeph> statements. The - <codeph>REFRESH</codeph> statement and <codeph>INVALIDATE METADATA</codeph> statements only access - metadata for tables for which the user has this privilege. - </dd> - - </dlentry> - - <dlentry id="insert_priv"> - - <dt> - INSERT privilege - </dt> - - <dd> - Lets you write data to a table. Applies to the <codeph>INSERT</codeph> and <codeph>LOAD DATA</codeph> - statements. - </dd> - - </dlentry> - - <dlentry id="all_priv"> - - <dt> - ALL privilege - </dt> - - <dd> - Lets you create or modify the object. Required to run DDL statements such as <codeph>CREATE - TABLE</codeph>, <codeph>ALTER TABLE</codeph>, or <codeph>DROP TABLE</codeph> for a table, - <codeph>CREATE DATABASE</codeph> or <codeph>DROP DATABASE</codeph> for a database, or <codeph>CREATE - VIEW</codeph>, <codeph>ALTER VIEW</codeph>, or <codeph>DROP VIEW</codeph> for a view. Also required for - the URI of the <q>location</q> parameter for the <codeph>CREATE EXTERNAL TABLE</codeph> and - <codeph>LOAD DATA</codeph> statements. -<!-- Have to think about the best wording, how often to repeat, how best to conref this caveat. - You do not actually code the keyword <codeph>ALL</codeph> in the policy file; instead you use - <codeph>action=*</codeph> or shorten the right-hand portion of the rule. 
- --> - </dd> - - </dlentry> - </dl> + <p conref="../shared/impala_common.xml#common/sentry_privileges_objects"/> <p> Privileges can be specified for a table or view before that object actually exists. If you do not have @@ -145,6 +100,30 @@ under the License. not. </p> + <note> + <p> + Although this document refers to the <codeph>ALL</codeph> privilege, currently if you + use the policy file mode, you do not use the actual keyword <codeph>ALL</codeph> in + the policy file. When you code role entries in the policy file: + </p> + <ul> + <li> + To specify the <codeph>ALL</codeph> privilege for a server, use a role like + <codeph>server=<varname>server_name</varname></codeph>. + </li> + + <li> + To specify the <codeph>ALL</codeph> privilege for a database, use a role like + <codeph>server=<varname>server_name</varname>->db=<varname>database_name</varname></codeph>. + </li> + + <li> + To specify the <codeph>ALL</codeph> privilege for a table, use a role like + <codeph>server=<varname>server_name</varname>->db=<varname>database_name</varname>->table=<varname>table_name</varname>->action=*</codeph>. + </li> + </ul> + </note> + <p> Originally, privileges were encoded in a policy file, stored in HDFS. This mode of operation is still an option, but the emphasis of privilege management is moving towards being SQL-based. Although currently 
@@ -176,17 +155,21 @@ under the License.
 <ul>
 <li>
- The <codeph>-server_name</codeph> option turns on Sentry authorization for Impala. The authorization
- rules refer to a symbolic server name, and you specify the name to use as the argument to the
- <codeph>-server_name</codeph> option.
+ <codeph>-server_name</codeph>: Turns on Sentry authorization for Impala. The
+ authorization rules refer to a symbolic server name, and you specify the same name to
+ use as the argument to the <codeph>-server_name</codeph> option for all
+ <cmdname>impalad</cmdname> nodes in the cluster.
+ <p>
+ Starting in Impala 1.4.0 and higher, if you specify just
+ <codeph>-server_name</codeph> without <codeph>-authorization_policy_file</codeph>,
+ Impala uses the Sentry service for authorization.
+ </p>
 </li>
- <li rev="1.4.0">
- If you specify just <codeph>-server_name</codeph>, Impala uses the Sentry service for authorization,
- relying on the results of <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements issued through
- Hive. (This mode of operation is available in Impala 1.4.0 and higher.) Prior to Impala 1.4.0, or if you
- want to continue storing privilege rules in the policy file, also specify the
- <codeph>-authorization_policy_file</codeph> option as in the following item.
+ <li>
+ <codeph>-sentry_config</codeph>: Specifies the local path to the
+ <codeph>sentry-site.xml</codeph> configuration file. This setting is required to
+ enable authorization.
 </li>
 <li>
@@ -218,6 +201,14 @@ under the License.
 </codeblock>
 <p>
+ The preceding examples set up a symbolic name of <codeph>server1</codeph> to refer to
+ the current instance of Impala. Specify the symbolic name for the
+ <codeph>sentry.hive.server</codeph> property in the <filepath>sentry-site.xml</filepath>
+ configuration file for Hive, as well as in the <codeph>-server_name</codeph> option for
+ <cmdname>impalad</cmdname>.
+ </p>
+
+ <p>
 The preceding examples set up a symbolic name of <codeph>server1</codeph> to refer to the current instance of Impala. This symbolic name is used in the following ways:
 </p>
@@ -307,7 +298,44 @@ report_generator = server=server1->db=reporting_db->table=*->action=SEL
 to security policies, restart all Impala daemons to pick up the changes immediately.
 </p>
- <p outputclass="toc inpage"/>
+ <p>
+ URIs represent the file paths you specify as part of statements such as <codeph>CREATE
+ EXTERNAL TABLE</codeph> and <codeph>LOAD DATA</codeph>. Typically, you specify what look
+ like UNIX paths, but these locations can also be prefixed with <codeph>hdfs://</codeph>
+ to make clear that they are really URIs. To set privileges for a URI, specify the name
+ of a directory, and the privilege applies to all the files in that directory and any
+ directories underneath it.
+ </p>
+
+ <p>
+ URIs must start with <codeph>hdfs://</codeph>, <codeph>s3a://</codeph>,
+ <codeph>adl://</codeph>, or <codeph>file://</codeph>. If a URI starts with an absolute
+ path, the path will be appended to the default filesystem prefix. For example, if you
+ specify:
+<codeblock>
+GRANT ALL ON URI '/tmp';
+</codeblock>
+ The above statement effectively becomes the following where the default filesystem is
+ HDFS.
+<codeblock>
+GRANT ALL ON URI 'hdfs://localhost:20500/tmp';
+</codeblock>
+ </p>
+
+ <p>
+ When defining URIs for HDFS, you must also specify the NameNode. For example:
+<codeblock>GRANT ALL ON URI file:///path/to/dir TO <role>
+GRANT ALL ON URI hdfs://namenode:port/path/to/dir TO <role></codeblock>
+ <note type="warning">
+ <p>
+ Because the NameNode host and port must be specified, it is strongly recommended
+ that you use High Availability (HA). This ensures that the URI will remain constant
+ even if the NameNode changes. For example:
+ </p>
+<codeblock>GRANT ALL ON URI hdfs://ha-nn-uri/path/to/dir TO <role></codeblock>
+ </note>
+ </p>
+
 </conbody>
 <concept id="security_policy_file_details">
@@ -520,14 +548,15 @@ student = server=server1->db=training->table=lesson_*->action=SELECT
 <codeblock></codeblock>
-</example>
-
-<example id="sec_ex_superuser_single_table">
-<title>A User with Full Privileges for a Specific Table</title>
- <p>
- If a user has <codeph>SELECT</codeph> privilege for a table, they can query, describe, or explain queries for
- that table.
- </p>
+ <li>
+ The <codeph>staging_dir</codeph> role can specify the HDFS path
+ <filepath>/user/impala-user/external_data</filepath> with the <codeph>LOAD
+ DATA</codeph> statement. When Impala queries or loads data files, it operates on
+ all the files in that directory, not just a single file, so any Impala
+ <codeph>LOCATION</codeph> parameters refer to a directory rather than an
+ individual file.
+ </li>
+ </ul>
 <codeblock></codeblock>
 </example>
@@ -564,33 +593,10 @@ student = server=server1->db=training->table=lesson_*->action=SELECT
 </li>
 <li>
- The <codeph>staging_dir</codeph> role lets us specify the HDFS path
- <filepath>/user/username/external_data</filepath> with the <codeph>LOAD DATA</codeph> statement.
- Remember, when Impala queries or loads data files, it operates on all the files in that directory,
- not just a single file, so any Impala <codeph>LOCATION</codeph> parameters refer to a directory
- rather than an individual file.
- </li>
-
- <li>
- We included the IP address and port of the Hadoop name node in the HDFS URI of the
- <codeph>staging_dir</codeph> rule. We found those details in
- <filepath>/etc/hadoop/conf/core-site.xml</filepath>, under the <codeph>fs.default.name</codeph>
- element. That is what we use in any roles that specify URIs (that is, the locations of directories in
- HDFS).
- </li>
-
- <li>
- We start this example after the table <codeph>external_table.sample</codeph> is already created. In
- the policy file for the example, we have already taken away the <codeph>external_table_admin</codeph>
- role from the <codeph>username</codeph> group, and replaced it with the lesser-privileged
- <codeph>external_table</codeph> role.
- </li>
-
- <li>
- We assign privileges to a subdirectory underneath <filepath>/user/username</filepath> in HDFS,
- because such privileges also apply to any subdirectories underneath. If we had assigned privileges to
- the parent directory <filepath>/user/username</filepath>, it would be too likely to mess up other
- files by specifying a wrong location by mistake.
+ Members of the <codeph>impala_users</codeph> group have the
+ <codeph>instructor</codeph> role and so can create, insert into, and query any
+ tables in the <codeph>training</codeph> database, but cannot create or drop the
+ database itself.
 </li>
 <li>
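Review bot: The bullet that explained why the example grants URI privileges on a subdirectory under `/user/username` rather than on the parent directory is removed here with nothing taking its place in this hunk, and the bullet that the earlier hunk keeps for `staging_dir` only describes the directory-wide behaviour, not the reason to keep the grant narrow. Unless that text moved to impala_authorization.xml, which is not on this page, the example loses its only least-privilege guidance for URI grants. I would keep a one-line version next to the `staging_dir` bullet: `Grant the URI privilege on the narrowest directory that holds the data; a grant on a parent such as <filepath>/user/username</filepath> also covers every file and subdirectory beneath it.` The enclosing `<ul>` and `<example>` start outside this hunk.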
@@ -705,15 +711,14 @@ ERROR: AuthorizationException: User 'username' does not have privileges to acces
 with sensitive information, then create a view that only exposes the non-confidential columns.
 </p>
-<codeblock>[localhost:21000] > create table sensitive_info
- > (
- > name string,
- > address string,
- > credit_card string,
- > taxpayer_id string
- > );
-[localhost:21000] > create view name_address_view as select name, address from sensitive_info;
-</codeblock>
+ <note rev="1.4.0">
+ In <ph rev="upstream">CDH 5</ph> and higher, <ph
+ rev="upstream">Cloudera</ph>
+ recommends managing privileges through SQL statements, as described in
+ <xref
+ href="impala_authorization.xml#sentry_service"/>. If you are still using
+ policy files, plan to migrate to the new approach some time in the future.
+ </note>
 <p>
 Then the following policy file specifies read-only privilege for that view, without authorizing access
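Review bot: After this change the sentence that follows the hunk, `Then the following policy file specifies read-only privilege for that view`, no longer has a view to refer to, because the `create table sensitive_info` / `create view name_address_view` statements are removed and replaced with the migration note; unless those statements now appear earlier in the example, outside this hunk, the policy-file rule for `name_address_view` references a view the reader never sees defined. The `<note rev="1.4.0">` also lands in the middle of the walkthrough, between the problem statement and the policy example, which breaks the flow; placing it at the start or end of the example and keeping the two SQL statements would read better. The enclosing `<example>` starts and ends outside this hunk.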
@@ -771,15 +776,28 @@ view_only_privs = server=server1->db=reports->table=name_address_view->
 </li>
 </ul>
-<codeblock>[groups]
-supergroup = training_sysadmin
-employee = instructor
-visitor = student
-
-[roles]
-training_sysadmin = server=server1->db=training
-instructor = server=server1->db=training->table=*->action=*
-student = server=server1->db=training->table=*->action=SELECT
+ <p>
+ In the <codeph>[roles]</codeph> section, you a set of roles. For each role, you
+ specify precisely the set of privileges is available. That is, which objects users
+ with that role can access, and what operations they can perform on those objects. This
+ is the lowest-level category of security information; the other sections in the policy
+ file map the privileges to higher-level divisions of groups and users. In the
+ <codeph>[groups]</codeph> section, you specify which roles are associated with which
+ groups. The group and usernames correspond to Linux groups and users on the server
+ where the <cmdname>impalad</cmdname> daemon runs. The privileges are specified using
+ patterns like:
+<codeblock>server=<varname>server_name</varname>->db=<varname>database_name</varname>->table=<varname>table_name</varname>->action=SELECT
+server=<varname>server_name</varname>->db=<varname>database_name</varname>->table=t<varname>able_name</varname>->action=CREATE
+server=<varname>server_name</varname>->db=<varname>database_name</varname>->table=<varname>table_name</varname>->action=ALL
+</codeblock>
+ For the <varname>server_name</varname> value, substitute the same symbolic name you
+ specify with the <cmdname>impalad</cmdname> <codeph>-server_name</codeph> option. You
+ can use <codeph>*</codeph> wildcard characters at each level of the privilege
+ specification to allow access to all such objects. For example:
+<codeblock>server=impala-host.example.com->db=default->table=t1->action=SELECT
+server=impala-host.example.com->db=*->table=*->action=CREATE
+server=impala-host.example.com->db=*->table=audit_log->action=SELECT
+server=impala-host.example.com->db=default->table=t1->action=*
 </codeblock>
 </example>
http://git-wip-us.apache.org/repos/asf/impala/blob/4ff9f5f3/docs/topics/impala_grant.xml
----------------------------------------------------------------------
diff --git a/docs/topics/impala_grant.xml b/docs/topics/impala_grant.xml
index 956a458..bdc71db 100644
--- a/docs/topics/impala_grant.xml
+++ b/docs/topics/impala_grant.xml
@@ -74,7 +74,7 @@ GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>ob
 <p>
 The <codeph>WITH GRANT OPTION</codeph> clause allows members of the specified role to issue <codeph>GRANT</codeph> and <codeph>REVOKE</codeph>
- statements for those same privileges Hence, if a role has the
+ statements for those same privileges. Hence, if a role has the
 <codeph>ALL</codeph> privilege on a database and the <codeph>WITH GRANT OPTION</codeph> set, users granted that role can execute <codeph>GRANT</codeph>/<codeph>REVOKE</codeph> statements only for that
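Review bot: The new `[roles]` paragraph in this hunk (which begins on the previous line) has two text defects: `you a set of roles` is missing its verb and should read `you define a set of roles`, and the second privilege pattern splits the placeholder markup as `table=t<varname>able_name</varname>`, which renders as a stray literal `t`; it should match the other two lines, `table=<varname>table_name</varname>`. The examples that follow use `server=impala-host.example.com` even though the text two sentences earlier says this value is the symbolic name passed to `-server_name`, and every other rule on this page uses `server1`; a hostname-shaped value invites readers to put a real hostname there, so I would use `server1` or another clearly symbolic value. The enclosing `<example>` starts outside this hunk.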
@@ -100,114 +100,7 @@ GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>ob
 <codeph>URI</codeph> object. Finer-grained privileges mentioned below on a <codeph>URI</codeph> are not supported.
 </p>
-
- <p>
- Starting in <keyword keyref="impala30_full"/>, finer grained privileges
- are enforced as below.<simpletable frame="all" relcolwidth="1* 1* 1*"
- id="simpletable_kmb_ppn_ndb">
- <sthead>
- <stentry>Privilege</stentry>
- <stentry>Scope</stentry>
- <stentry>SQL Allowed to Execute</stentry>
- </sthead>
- <strow>
- <stentry><codeph>REFRESH</codeph></stentry>
- <stentry><codeph>SERVER</codeph></stentry>
- <stentry><codeph>INVALIDATE METADATA</codeph> on all tables in all
- databases<p><codeph>REFRESH</codeph> on all tables and functions
- in all databases</p></stentry>
- </strow>
- <strow>
- <stentry><codeph>REFRESH</codeph></stentry>
- <stentry><codeph>DATABASE</codeph></stentry>
- <stentry><codeph>INVALIDATE METADATA</codeph> on all tables in the
- named database<p><codeph>REFRESH</codeph> on all tables and
- functions in the named database</p></stentry>
- </strow>
- <strow>
- <stentry><codeph>REFRESH</codeph></stentry>
- <stentry><codeph>TABLE</codeph></stentry>
- <stentry><codeph>INVALIDATE METADATA</codeph> on the named
- table<p><codeph>REFRESH</codeph> on the named
- table</p></stentry>
- </strow>
- <strow>
- <stentry><codeph>CREATE</codeph></stentry>
- <stentry><codeph>SERVER</codeph></stentry>
- <stentry><codeph>CREATE DATABASE</codeph> on all
- databases<p><codeph>CREATE TABLE</codeph> on all
- tables</p></stentry>
- </strow>
- <strow>
- <stentry><codeph>CREATE</codeph></stentry>
- <stentry><codeph>DATABASE</codeph></stentry>
- <stentry><codeph>CREATE TABLE</codeph> on all tables in the named
- database</stentry>
- </strow>
- <strow>
- <stentry><codeph>DROP</codeph></stentry>
- <stentry><codeph>SERVER</codeph></stentry>
- <stentry><codeph>DROP DATBASE</codeph> on all databases<p><codeph>DROP
- TABLE</codeph> on all tables</p></stentry>
- </strow>
- <strow>
- <stentry><codeph>DROP</codeph></stentry>
- <stentry><codeph>DATABASE</codeph></stentry>
- <stentry><codeph>DROP DATABASE</codeph> on the named
- database<p><codeph>DROP TABLE</codeph> on all tables in the
- named database</p></stentry>
- </strow>
- <strow>
- <stentry><codeph>DROP</codeph></stentry>
- <stentry><codeph>TABLE</codeph></stentry>
- <stentry><codeph>DROP TABLE</codeph> on the named table</stentry>
- </strow>
- <strow>
- <stentry><codeph>ALTER</codeph></stentry>
- <stentry><codeph>SERVER</codeph></stentry>
- <stentry><codeph>ALTER TABLE</codeph> on all tables</stentry>
- </strow>
- <strow>
- <stentry><codeph>ALTER</codeph></stentry>
- <stentry><codeph>DATABASE</codeph></stentry>
- <stentry><codeph>ALTER TABLE</codeph> on the tables in the named
- database</stentry>
- </strow>
- <strow>
- <stentry><codeph>ALTER</codeph></stentry>
- <stentry><codeph>TABLE</codeph></stentry>
- <stentry><codeph>ALTER TABLE</codeph> on the named table</stentry>
- </strow>
- </simpletable>
- </p>
-
- <p>
- <note>
- <p>
- <ul>
- <li>
- <codeph>ALTER TABLE RENAME</codeph> requires the
- <codeph>ALTER</codeph> privilege at the <codeph>TABLE</codeph>
- level and the <codeph>CREATE</codeph> privilege at the
- <codeph>DATABASE</codeph> level.
- </li>
-
- <li>
- <codeph>CREATE TABLE AS SELECT</codeph> requires the
- <codeph>CREATE</codeph> privilege on the database that should
- contain the new table and the <codeph>SELECT</codeph> privilege on
- the tables referenced in the query portion of the statement.
- </li>
-
- <li>
- <codeph>COMPUTE STATS</codeph> requires the
- <codeph>ALTER</codeph> and <codeph>SELECT</codeph> privileges on
- the target table.
- </li>
- </ul>
- </p>
- </note>
- </p>
+ <p conref="../shared/impala_common.xml#common/sentry_privileges_objects"/>
 <p conref="../shared/impala_common.xml#common/compatibility_blurb"/>
