Dear Wiki user, You have subscribed to a wiki page or wiki category on "Hadoop Wiki" for change notification.
The "Hive/AuthDev" page has been changed by HeYongqiang. http://wiki.apache.org/hadoop/Hive/AuthDev?action=diff&rev1=6&rev2=7
--------------------------------------------------
First try user name:
- first try to deny this access by look up the deny tables by user name:
-
- 1. If there is an entry in 'user' that deny this access, return DENY
-
- 2. If there is an entry in 'db' that deny this access, return DENY
-
- 3. If there is an entry in 'table' that deny this access, return DENY
-
- 4. If there is an entry in 'column' that deny this access, return DENY
-
- Perform the above steps for each group/roles that the user belongs to.
-
- if deny failed, go through all privilege levels with the user name:
-
- 5. If there is an entry in 'user' that accept this access, return ACCEPT
+ 1. If there is an entry in 'user' that accept this access, return ACCEPT
- 6. If there is an entry in 'db' that accept this access, return ACCEPT
+ 2. If there is an entry in 'db' that accept this access, return ACCEPT
- 7. If there is an entry in 'table' that accept this access, return ACCEPT
+ 3. If there is an entry in 'table' that accept this access, return ACCEPT
- 8. If there is an entry in 'column' that accept this access, return ACCEPT
+ 4. If there is an entry in 'column' that accept this access, return ACCEPT
Second try the user's group/role names one by one until we get an ACCEPT.
@@ -387, +373 @@ Authorization decision manager manages a set of authorization provider, and each provider can decide to accept or deny. And it is the decision manager to do the final decision. Can be vote based, or one -1 then deny, or one +1 then accept. Authorization provider decides whether to accept or deny an access based on his own information.
+ = 8. Metastore upgrade script for mysql =
+
+ {{{
+ --
+ -- Table structure for table `ROLES`
+ --
+
+ DROP TABLE IF EXISTS `ROLES`;
+ CREATE TABLE `ROLES` (
+ `ROLE_ID` bigint(20) NOT NULL,
+ `CREATE_TIME` int(11) NOT NULL,
+ `OWNER_NAME` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `ROLE_NAME` varchar(128) character set latin1 collate latin1_bin default NULL,
+ PRIMARY KEY (`ROLE_ID`),
+ UNIQUE KEY `ROLEENTITYINDEX` (`ROLE_NAME`)
+ ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+
+
+ --
+ -- Table structure for table `ROLE_MAP`
+ --
+
+ DROP TABLE IF EXISTS `ROLE_MAP`;
+ CREATE TABLE `ROLE_MAP` (
+ `ROLE_GRANT_ID` bigint(20) NOT NULL,
+ `ADD_TIME` int(11) NOT NULL,
+ `GRANT_OPTION` smallint(6) NOT NULL,
+ `GRANTOR` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `GRANTOR_TYPE` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `PRINCIPAL_NAME` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `PRINCIPAL_TYPE` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `ROLE_ID` bigint(20) default NULL,
+ PRIMARY KEY (`ROLE_GRANT_ID`),
+ UNIQUE KEY `USERROLEMAPINDEX` (`PRINCIPAL_NAME`,`ROLE_ID`,`GRANTOR`,`GRANTOR_TYPE`),
+ KEY `ROLE_MAP_N49` (`ROLE_ID`),
+ CONSTRAINT `ROLE_MAP_FK1` FOREIGN KEY (`ROLE_ID`) REFERENCES `ROLES` (`ROLE_ID`)
+ ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+
+ --
+ -- Table structure for table `GLOBAL_PRIVS`
+ --
+
+ DROP TABLE IF EXISTS `GLOBAL_PRIVS`;
+ CREATE TABLE `GLOBAL_PRIVS` (
+ `USER_GRANT_ID` bigint(20) NOT NULL,
+ `CREATE_TIME` int(11) NOT NULL,
+ `GRANT_OPTION` smallint(6) NOT NULL,
+ `GRANTOR` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `GRANTOR_TYPE` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `PRINCIPAL_NAME` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `PRINCIPAL_TYPE` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `USER_PRIV` varchar(128) character set latin1 collate latin1_bin default NULL,
+ PRIMARY KEY (`USER_GRANT_ID`),
+ UNIQUE KEY `GLOBALPRIVILEGEINDEX` (`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`USER_PRIV`,`GRANTOR`,`GRANTOR_TYPE`)
+ ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+
+
+ --
+ -- Table structure for table `DB_PRIVS`
+ --
+
+ DROP TABLE IF EXISTS `DB_PRIVS`;
+ CREATE TABLE `DB_PRIVS` (
+ `DB_GRANT_ID` bigint(20) NOT NULL,
+ `CREATE_TIME` int(11) NOT NULL,
+ `DB_ID` bigint(20) default NULL,
+ `GRANT_OPTION` smallint(6) NOT NULL,
+ `GRANTOR` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `GRANTOR_TYPE` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `PRINCIPAL_NAME` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `PRINCIPAL_TYPE` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `DB_PRIV` varchar(128) character set latin1 collate latin1_bin default NULL,
+ PRIMARY KEY (`DB_GRANT_ID`),
+ UNIQUE KEY `DBPRIVILEGEINDEX` (`DB_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`DB_PRIV`,`GRANTOR`,`GRANTOR_TYPE`),
+ KEY `DB_PRIVS_N49` (`DB_ID`),
+ CONSTRAINT `DB_PRIVS_FK1` FOREIGN KEY (`DB_ID`) REFERENCES `DBS` (`DB_ID`)
+ ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+
+ --
+ -- Table structure for table `TBL_PRIVS`
+ --
+
+ DROP TABLE IF EXISTS `TBL_PRIVS`;
+
+ CREATE TABLE `TBL_PRIVS` (
+ `TBL_GRANT_ID` bigint(20) NOT NULL,
+ `CREATE_TIME` int(11) NOT NULL,
+ `GRANT_OPTION` smallint(6) NOT NULL,
+ `GRANTOR` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `GRANTOR_TYPE` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `PRINCIPAL_NAME` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `PRINCIPAL_TYPE` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `TBL_PRIV` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `TBL_ID` bigint(20) default NULL,
+ PRIMARY KEY (`TBL_GRANT_ID`),
+ KEY `TBL_PRIVS_N49` (`TBL_ID`),
+ KEY `TABLEPRIVILEGEINDEX` (`TBL_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`),
+ CONSTRAINT `TBL_PRIVS_FK1` FOREIGN KEY (`TBL_ID`) REFERENCES `TBLS` (`TBL_ID`)
+ ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+
+ --
+ -- Table structure for table `TBL_COL_PRIVS`
+ --
+
+ DROP TABLE IF EXISTS `TBL_COL_PRIVS`;
+ CREATE TABLE `TBL_COL_PRIVS` (
+ `TBL_COLUMN_GRANT_ID` bigint(20) NOT NULL,
+ `COLUMN_NAME` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `CREATE_TIME` int(11) NOT NULL,
+ `GRANT_OPTION` smallint(6) NOT NULL,
+ `GRANTOR` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `GRANTOR_TYPE` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `PRINCIPAL_NAME` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `PRINCIPAL_TYPE` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `TBL_COL_PRIV` varchar(128) character set latin1 collate latin1_bin default NULL,
+ `TBL_ID` bigint(20) default NULL,
+ PRIMARY KEY (`TBL_COLUMN_GRANT_ID`),
+ KEY `TABLECOLUMNPRIVILEGEINDEX` (`TBL_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`),
+ KEY `TBL_COL_PRIVS_N49` (`TBL_ID`),
+ CONSTRAINT `TBL_COL_PRIVS_FK1` FOREIGN KEY (`TBL_ID`) REFERENCES `TBLS` (`TBL_ID`)
+ ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+ }}}
+ ------------
= HDFS Permission =
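Review bot: The grant indexes TABLEPRIVILEGEINDEX on TBL_PRIVS and TABLECOLUMNPRIVILEGEINDEX on TBL_COL_PRIVS are declared as plain `KEY`, while the corresponding indexes on GLOBAL_PRIVS and DB_PRIVS are `UNIQUE KEY`. As written, the schema would accept duplicate grant rows at the table and column levels; if that is not intended, both should read `UNIQUE KEY`. The uniqueness that is declared is also weaker than it looks, because PRINCIPAL_NAME, PRINCIPAL_TYPE, GRANTOR, GRANTOR_TYPE and the privilege columns are all `default NULL`, and a MySQL unique index admits any number of rows that hold NULL in an indexed column. For an authorization store, these columns look like candidates for `NOT NULL`. Separately, every `CREATE TABLE` follows a `DROP TABLE IF EXISTS`, so re-running this upgrade script on a populated metastore would presumably either discard the stored roles and grants or stop at the ROLE_MAP foreign key on ROLES; a comment above the first statement such as `-- run once, before any grants exist; re-running drops existing roles and privileges` would make that explicit.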
