Can a user without admin rights manage object access privileges in hive?
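I am using Hive 0.14, mostly through beeline.
I am not an admin, but I would like to create a few views that the team can use.
We have a common Hive database that everyone can read and write. If I am creating certain tables/views that I don't want others to drop or modify, can I revoke drop/write access for others?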
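Access to Hive tables depends on HDFS access rights.
Whenever you create a new table tbl in a database located at db, a new directory db/tbl is created.
If you want to restrict the group's write access to that directory, use hadoop fs -chmod, for example:
hadoop fs -chmod 750 db/tbl
If you want to find out where a table is located in the database, you can create a table without specifying a location and run describe formatted tbl.
You can always check what a table's access rights are by running hadoop fs -ls db.
Regarding views: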
Although Storage Based Authorization can provide access control at the level of Databases, Tables and Partitions, it can not control authorization at finer levels such as columns and views because the access control provided by the file system is at the level of directory and files. A prerequisite for fine grained access control is a data server that is able to provide just the columns and rows that a user needs (or has) access to. In the case of file system access, the whole file is served to the user. HiveServer2 satisfies this condition, as it has an API that understands rows and columns (through the use of SQL), and is able to serve just the columns and rows that your SQL query asked for.
SQL Standards Based Authorization (introduced in Hive 0.13.0, HIVE-5837) can be used to enable fine grained access control. It is based on the SQL standard for authorization, and uses the familiar grant/revoke statements to control access. It needs to be enabled through HiveServer2 configuration.
Note that for Hive command line, SQL Standards Based Authorization is disabled. This is because secure access control is not possible for the Hive command line using an access control policy in Hive, because users have direct access to HDFS and so they can easily bypass the SQL standards based authorization checks or even disable it altogether. Disabling this avoids giving a false sense of security to users.
So, in short, SQL Standards Based Authorization needs to be enabled in the configuration.
Then you will be able to use REVOKE on views.
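The permission check from the answer above, as an added example that is not part of the original answer: a shell helper that reads hadoop fs -ls output and lists the table directories that group or other users can still write to. The listing is a constructed sample, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `hadoop fs -ls db` output (not captured from a real cluster).
sample_listing() {
cat <<'EOF'
Found 4 items
drwxr-x---   - alice team          0 2015-03-02 10:15 db/tbl
drwxrwxr-x   - bob   team          0 2015-03-02 10:20 db/shared_tbl
drwxrwxrwt   - carol team          0 2015-03-03 08:01 db/scratch
drwxr-xr-x+  - alice team          0 2015-03-04 09:30 db/team_view_src
EOF
}

# Read `hadoop fs -ls` output on stdin and print "<who> <owner> <path>" for
# every directory that group and/or other can write to.
writable_dirs() {
  awk '
    $1 !~ /^d/ { next }              # skip the "Found N items" header and plain files
    {
      g = substr($1, 6, 1)           # group write bit of e.g. drwxrwxr-x
      o = substr($1, 9, 1)           # other write bit
      who = ""
      if (g == "w") who = "group"
      if (o == "w") who = (who == "" ? "other" : who "+other")
      if (who == "") next
      path = $8
      for (i = 9; i <= NF; i++) path = path " " $i   # keep paths containing spaces
      print who, $3, path
    }'
}

# Directories whose mode ends in "+" carry an HDFS ACL, so the mode bits alone
# do not describe who can write; inspect those with `hadoop fs -getfacl`.
acl_dirs() {
  awk '$1 ~ /^d.*\+$/ { print $8 }'
}

# Real use: hadoop fs -ls db | writable_dirs
sample_listing | writable_dirs
```

A directory set with hadoop fs -chmod 750, like db/tbl in the sample, no longer appears in the output.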