Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Hadoop Wiki" for change 
notification.

The "Hive/AuthDev" page has been changed by HeYongqiang.
http://wiki.apache.org/hadoop/Hive/AuthDev?action=diff&rev1=1&rev2=2

--------------------------------------------------

+ '''Index'''
+ <<TableOfContents>>
  
  = 1. Privilege =
  
@@ -239, +241 @@

  == 4.2 show grant ==
  
  == 4.3 grant/revoke statement ==
+ 
+ {{{
  
  GRANT
      priv_type [(column_list)]
@@ -273, +277 @@

      ON [object_type] priv_level
      FROM user [, user] ...
  
+ }}}
+ 
  = 5. Authorization verification =
  
  == 5.1 USER/GROUP/ROLE ==
@@ -299, +305 @@

  
  [
  
+ {{{
+ 
  username, 
  
  list of group names, 
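Review bot: The added `{{{` opens after the `[` context line, so the opening bracket of the principal list is left outside the preformatted block and will render as a stray line of wiki text. Open the block before the `[` (and close it after the matching bracket), or drop the brackets and present the three items as a plain list.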
@@ -307, +315 @@

  
  list of roles that been directly granted groups that users belongs to
  
+ }}}
+ 
  ].
  
+ ''' Steps to authorize one access: '''
+ 
+ {{{
+ 
  First try user name:
  
  first try to deny this access by look up the deny tables by user name:
  
- 
  1. If there is an entry in 'user' that deny this access, return DENY
  
  2. If there is an entry in 'db'  that deny this access, return DENY
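Review bot: The context line "list of roles that been directly granted groups that users belongs to" does not say whether roles granted directly to the user are part of the principal list or only roles granted to the user's groups. This list decides which DENY and ACCEPT entries are ever consulted, so it should name each source of roles explicitly. In the same block, "look up the deny tables" suggests separate deny tables, while steps 1 and 2 speak of deny entries inside 'user' and 'db'; one wording should be used for both.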
@@ -322, +335 @@

  
  4. If there is an entry in 'column'  that deny this access, return DENY
  
- 
- 
  if deny failed, go through all privilege levels with the user name:
  
- 
  5. If there is an entry in 'user' that accept this access, return ACCEPT
  
  6. If there is an entry in 'db'  that accept this access, return ACCEPT
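Review bot: "if deny failed" between step 4 and step 5 reads as if the deny lookup hit an error, which is a different case from finding no matching deny entry. Suggest "if no deny entry matched" and a separate sentence on what is returned when a lookup itself fails, since the visible steps do not cover that case.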
@@ -335, +345 @@

  
  8. If there is an entry in 'column'  that accept this access, return ACCEPT
  
- 
- 
  Second try the user's group/role names one by one until we get an ACCEPT or 
DENY. If we get one DENY from one group/role, will DENY this access. 
  
- 
  For each role/group, we do the same routine as we did for user name.
  
+ }}}
  
- = 5.3 Examples =
+ == 5.3 Examples ==
  
  
  5.3.1 I want to grant everyone (new people may join at anytime) to
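Review bot: The group/role rule contradicts itself: "one by one until we get an ACCEPT or DENY" stops at the first ACCEPT, so a DENY held by a later group or role is never seen, while the next sentence says a single DENY from any group/role denies the access. As written the result depends on iteration order, and steps 5 to 8 return ACCEPT for the user name before any group or role DENY is looked at. Suggest stating the procedure as: collect deny entries for the user name and every group and role first, return DENY if any match, and only then look for an ACCEPT. The block also ends without saying what is returned when no entry matches at all; that default should be written down here.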
@@ -390, +398 @@

  ------------
  
  = HDFS Permission =
- The above has a STRONG assumption on the file layer security. Users can 
easily by-pass the security if the hdfs file permission is open to him. We hope 
we can be able to plug in external authorizations (like HDFS permission) easily 
to alter the authorization result or even the rule.
+ The above has a STRONG assumption on the file layer security. Users can 
easily by-pass the security if the hdfs file permission is open to him. We hope 
we can easily plug in external authorizations (like HDFS permission/Howl 
permission) to alter the authorization result or even the rule.
  
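Review bot: The reworded sentence still leaves "alter the authorization result or even the rule" open, in particular whether an external authorizer (HDFS or Howl permission) may turn a DENY from section 5 into an ACCEPT or can only restrict further. Since the paragraph itself says users can bypass this model when the HDFS file permission is open to them, it should also state what file permissions the design assumes instead of only noting that the assumption is strong.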
