Cloudera Enterprise 5.16.x | Other versions

Hive SQL Syntax for Use with Sentry

Sentry permissions can be configured through Grant and Revoke statements issued either interactively or programmatically through the HiveServer2 SQL command line interface, Beeline (documentation available here). The syntax described below is very similar to the GRANT/REVOKE commands available in well-established relational database systems.

In HUE, the Sentry Admin that creates roles and grants privileges must belong to a group that has ALL privileges on the server. For example, you can create a role for the group that contains the hive or impala user, and grant ALL ON SERVER to that role:

CREATE ROLE <admin role>;
GRANT ALL ON SERVER <server1> TO ROLE <admin role>;
GRANT ROLE <admin role> TO GROUP <hive>;

Important:

When Sentry is enabled, you must use Beeline to execute Hive queries. Hive CLI is not supported with Sentry and must be disabled. See Disabling Hive CLI.
There are some differences in syntax between Hive and the corresponding Impala SQL statements. For the Impala syntax, see SQL Statements.

Column-level Authorization
CREATE ROLE Statement
DROP ROLE Statement
GRANT ROLE Statement
REVOKE ROLE Statement
GRANT <Privilege> Statement
GRANT <Privilege> ON URIs (HDFS and S3A)
REVOKE <Privilege> Statement
GRANT <Privilege> ... WITH GRANT OPTION
- WITH GRANT OPTION Example
SET ROLE Statement
SHOW Statement
Privileges
- CREATE
- REFRESH (Impala Only)
Example: Using Grant/Revoke Statements to Match an Existing Policy File

Column-level Authorization

Sentry allows you to assign the SELECT privilege on a subset of columns in a table.

The following command grants a role the SELECT privilege on a column:

GRANT SELECT <column name> ON TABLE <table name> TO ROLE <role name>;

The following command can be used to revoke the SELECT privilege on a column:

REVOKE SELECT <column name> ON TABLE <table name> FROM ROLE <role name>;

Any new columns added to a table will be inaccessible by default, until explicitly granted access.

Actions allowed for users with SELECT privilege on a column:

Users whose roles have been granted the SELECT privilege on columns only, can perform operations which explicitly refer to those columns. Some examples are:

```
SELECT <column name> FROM TABLE <table name>;
```
In this case, Sentry will first check to see if the user has the required privileges to access the table. It will then further check to see whether the user has the SELECT privilege to access the column(s).
```
SELECT COUNT <column name> FROM TABLE <table name>;
```
Users are also allowed to use the COUNT function to return the number of values in the column.

SELECT <column name> FROM TABLE <table name> WHERE <column name> <operator> GROUP BY <column name>;

The above command will work as long as you refer only to columns to which you already have access.

To list the column(s) to which the current user has SELECT access:

SHOW COLUMNS (FROM|IN) <table name> [(FROM|IN) <database name>];

Exceptions:

If a user has SELECT access to all columns in a table, the following command will work. Note that this is an exception, not the norm. In all other cases, SELECT on all columns does not allow you to perform table-level operations.
```
SELECT * FROM TABLE <table name>;
```
The DESCRIBE table command differs from the others, in that it does not filter out columns for which the user does not have SELECT access.
```
DESCRIBE <table name>;
```

Limitations:

Column-level privileges can only be applied to tables, not partitions or views.
HDFS-Sentry Sync: With HDFS-Sentry sync enabled, even if a user has been granted access to all columns of a table, they will not have access to the corresponding HDFS data files. This is because Sentry does not consider SELECT on all columns equivalent to explicitly being granted SELECT on the table.
Column-level access control for access from Spark SQL is not supported by the HDFS-Sentry plug-in.

CREATE ROLE Statement

The CREATE ROLE statement creates a role to which privileges can be granted. Privileges can be granted to roles, which can then be assigned to users. A user that has been assigned a role will only be able to exercise the privileges of that role.

Only users that have administrative privileges can create or drop roles. By default, the hive, impala and hue users have admin privileges in Sentry.

CREATE ROLE <role name>;

Note that role names are case-insensitive.

DROP ROLE Statement

The DROP ROLE statement can be used to remove a role from the database. Once dropped, the role will be revoked for all users to whom it was previously assigned. Queries that are already executing will not be affected. However, since Hive checks user privileges before executing each query, active user sessions in which the role has already been enabled will be affected.

DROP ROLE <role name>;

GRANT ROLE Statement

The GRANT ROLE statement can be used to grant roles to groups. Only Sentry admin users can grant roles to a group.

GRANT ROLE <role name> [, <role name>]
    TO GROUP <group name> [,GROUP <group name>]

Sentry only allows you to grant roles to groups that have alphanumeric characters and underscores (_) in the group name. If the group name contains a non-alphanumeric character that is not an underscore, you can put the group name in backticks (`) to execute the command. For example, Sentry will return an error for the following command:

GRANT ROLE test TO GROUP test-group;

To grant a role to this group, put the group name in backticks:

GRANT ROLE test TO GROUP `test-group`;

The following command, which contains an underscore, is also acceptable:

GRANT ROLE test TO GROUP test_group;

Operating system group names must be in lowercase letters. Although group names are case-insensitive to Sentry, Sentry modifies capital letters within group names to be lowercase. For example, Sentry will change TestGroup to testgroup. It is not possible to disable this normalization. Therefore, group information within the environment must be in lowercase letters.

REVOKE ROLE Statement

The REVOKE ROLE statement can be used to revoke roles from groups. Only Sentry admin users can revoke the role from a group.

REVOKE ROLE <role name> [, <role name>]
    FROM GROUP <group name> [,GROUP <group name>]

GRANT <Privilege> Statement

Use the GRANT <Privilege> statement to grant privileges on an object to a role. The statement uses the following syntax:

GRANT
    <privilege> [, <privilege> ]
    ON <object type> <object name>
    TO ROLE <role name> [,ROLE <role name>]

For example, you might enter the following statement:

GRANT SELECT ON TABLE feathered_dinosaurs TO ROLE archaeopteryx

The following table describes the privileges you can grant and the objects that they apply to:

Table 1. Privilege Types
Privilege	Object
ALL	Server, database, table, URI
CREATE	Server, database
INSERT	Server, database, table
REFRESH (Impala only)	Server, database, table
SELECT	Server, database, table, view, column

You can also grant the SELECT privilege on a specific column of a table with the following statement:

GRANT SELECT <column name> ON TABLE <table name> TO ROLE <role name>;

GRANT <Privilege> ON URIs (HDFS and S3A)

If the GRANT for Sentry URI does not specify the complete scheme, or the URI mentioned in Hive DDL statements does not have a scheme, Sentry automatically completes the URI by applying the default scheme based on the HDFS configuration provided in the fs.defaultFS property. Using the same HDFS configuration, Sentry can also auto-complete URIs in case the URI is missing a scheme and an authority component.

When a user attempts to access a URI, Sentry will check to see if the user has the required privileges. During the authorization check, if the URI is incomplete, Sentry will complete the URI using the default HDFS scheme. Note that Sentry does not check URI schemes for completion when they are being used to grant privileges. This is because users can GRANT privileges on URIs that do not have a complete scheme or do not already exist on the filesystem.

For example, in CDH 5.8 and later, the following CREATE EXTERNAL TABLE statement works even though the statement does not include the URI scheme.

GRANT ALL ON URI 'hdfs://namenode:XXX/path/to/table' TO ROLE <role name>;
CREATE EXTERNAL TABLE foo LOCATION 'namenode:XXX/path/to/table' TO ROLE <role name>;

Similarly, the following CREATE EXTERNAL TABLE statement works even though it is missing scheme and authority components.

GRANT ALL ON URI 'hdfs://namenode:XXX/path/to/table' TO ROLE <role name>;
CREATE EXTERNAL TABLE foo LOCATION '/path/to/table'

Since Sentry supports both HDFS and Amazon S3, in CDH 5.8 and later, Cloudera recommends that you specify the fully qualified URI in GRANT statements to avoid confusion. If the underlying storage is a mix of S3 and HDFS, the risk of granting the wrong privileges increases. The following are examples of fully qualified URIs:

HDFS: hdfs://host:port/path/to/hdfs/table
S3: s3a://host:port/path/to/s3/table

REVOKE <Privilege> Statement

You can use the REVOKE <Privilege> statement to revoke previously-granted privileges that a role has on an object.

REVOKE
    <privilege> [, <privilege> ]
    ON <object type> <object name>
    FROM ROLE <role name> [,ROLE <role name>]

For example, you can revoke previously-granted SELECT privileges on specific columns of a table with the following statement:

REVOKE SELECT <column name> ON TABLE <table name> FROM ROLE <role name>;

GRANT <Privilege> ... WITH GRANT OPTION

You can add the WITH GRANT OPTION clause to a GRANT <PRIVILEGE> statement to allow the role to grant and revoke the privilege to and from other roles.

The WITH GRANT OPTION clause uses the following syntax:

GRANT
    <privilege>
    ON <object type> <object name>
    TO ROLE <role name>
    WITH GRANT OPTION

When you use the WITH GRANT OPTION clause, the ability to grant and revoke privileges applies to the object container and all its children. For example, if you give GRANT privileges to a role at the database level, that role can grant and revoke privileges to and from the database and all the tables in the database.

Only a role with the GRANT option on a privilege can revoke that privilege from other roles. And you cannot revoke the GRANT privilege from a role without also revoking the privilege. To revoke the GRANT privilege, revoke the privilege that it applies to and then grant that privilege again without the WITH GRANT OPTION clause.

You can use the WITH GRANT OPTION clause with the following privileges:

ALL
CREATE
INSERT
REFRESH (Impala only)
SELECT

WITH GRANT OPTION Example

For example, if you grant a role the SELECT privilege with the following statement:

GRANT SELECT ON DATABASE coffee_database TO ROLE coffee_bean WITH GRANT OPTION

The coffee_bean role can grant SELECT privileges to other roles on the coffee_database and all the tables within that database.

When you revoke a privilege from a role, the GRANT privilege is also revoked from that role. For example, if you revoke SELECT privileges from the coffee_bean role with this command:

REVOKE SELECT ON DATABASE coffee_database FROM ROLE coffee_bean

The coffee_bean role can no longer grant SELECT privileges on the coffee_database or its tables.

To remove the WITH GRANT OPTION privilege from the coffee_bean role and still allow the role to have SELECT privileges on the coffee_database, you must run these two commands:

REVOKE SELECT ON coffee_database FROM ROLE coffee_bean;
        GRANT SELECT ON coffee_database TO ROLE coffee_bean;

SET ROLE Statement

Sentry enforces restrictions on queries based on the roles and privileges that the user has. A user can have multiple roles and a role can have multiple privileges.

The SET ROLE command enforces restrictions at the role level, not at the user level. When you use the SET ROLE command to make a role active, the role becomes current for the session. If a role is not current for the session, it is inactive and the user does not have the privileges assigned to that role. A user can only use the SET ROLE command for roles that have been granted to the user.

To list the roles that are current for the user, use the SHOW CURRENT ROLES command. By default, all roles that are assigned to the user are current.

You can use the following SET ROLE commands:

SET ROLE NONE: Makes all roles for the user inactive. When no role is current, the user does not have any privileges and cannot execute a query.
SET ROLE ALL: Makes all roles that have been granted to the user active. All privileges assigned to those roles are applied. When the user executes a query, the query is filtered based on those privileges.
SET ROLE role name: Makes a single role active. The privileges assigned to that role are applied. When the user executes a query, the query is filtered based on the privileges assigned to that role.

SHOW Statement

To list the database(s) for which the current user has database, table, or column-level access:
```
SHOW DATABASES;
```
To list the table(s) for which the current user has table or column-level access:
```
SHOW TABLES;
```

To list the column(s) to which the current user has SELECT access:

SHOW COLUMNS (FROM|IN) <table name> [(FROM|IN) <database name>];

To list all the roles in the system (only for sentry admin users):
```
SHOW ROLES;
```
To list all the roles in effect for the current user session:
```
SHOW CURRENT ROLES;
```
To list all the roles assigned to the given group name (only allowed for Sentry admin users and others users that are part of the group specified by group name):
```
SHOW ROLE GRANT GROUP group name;
```
The SHOW statement can also be used to list the privileges that have been granted to a role or all the grants given to a role for a particular object.
To list all the grants for the given <role name> (only allowed for Sentry admin users and other users that have been granted the role specified by <role name>). The following command will also list any column-level privileges:
```
SHOW GRANT ROLE <role name>;
```
To list all the grants for a role on the given <object name> (only allowed for Sentry admin users and other users that have been granted the role specified by <role name>). The following command will also list any column-level privileges:
```
SHOW GRANT ROLE <role name> on <object type> <object name>;
```

Privileges

Sentry supports the following privilege types:

CREATE

The CREATE privilege allows a user to create databases, tables, and functions. Note that to create a function, the user also must have ALL permissions on the JAR where the function is located, i.e. GRANT ALL ON URI is required.

You can grant the CREATE privilege on a server or database with the following commands, respectively:

GRANT CREATE ON SERVER <server name> TO ROLE <role name>
GRANT CREATE ON DATABASE <database name> TO ROLE <role name>

For example, you might enter the following command:

GRANT CREATE ON SERVER super_cool_server TO ROLE my_favorite_role

You can use the GRANT CREATE statement with the WITH GRANT OPTION clause. The WITH GRANT OPTION clause allows the granted role to grant the privilege to other roles on the system. See GRANT <Privilege> ... WITH GRANT OPTION for more information about how to use the clause.

The following table shows the CREATE privilege scope:

Scope	Available Operations
Server	Create databases, tables, views, and functions
Database	Create tables and views in the database
Table	Not allowed

REFRESH (Impala Only)

The REFRESH privilege allows a user to execute commands that update metadata information on Impala databases and tables, such as the REFRESH and INVALIDATE METADATA commands. Keep in mind that metadata invalidation or refresh in Impala is an expensive procedure that can cause performance issues if it is overused.

You can grant the REFRESH privilege on a server, table, or database with the following commands, respectively:

GRANT REFRESH ON SERVER <server name> TO ROLE <role name>
GRANT REFRESH ON DATABASE <database name> TO ROLE <role name>
GRANT REFRESH ON TABLE <table name> TO ROLE <role name>

You can use the GRANT REFRESH statement with the WITH GRANT OPTION clause. The WITH GRANT OPTION clause allows the granted role to grant the privilege to other roles on the system. See GRANT <Privilege> ... WITH GRANT OPTION for more information about how to use the clause.

The following table shows the REFRESH privilege scope:

Scope	Available Operations
Server	Invalidate the metadata of all tables on the server
Database	Invalidate the metadata of all tables in the database
Table	Invalidate and refresh the table metadata

Example: Using Grant/Revoke Statements to Match an Existing Policy File

Note: In the following example(s), server1 refers to an alias Sentry uses for the associated Hive service. It does not refer to any physical server. This alias can be modified using the hive.sentry.server property in hive-site.xml. If you are using Cloudera Manager, modify the Hive property, Server Name for Sentry Authorization, in the Service-Wide > Advanced category.

Here is a sample policy file:

[groups]
# Assigns each Hadoop group to its set of roles  
manager = analyst_role, junior_analyst_role 
analyst = analyst_role 
jranalyst = junior_analyst_role 
customers_admin = customers_admin_role 
admin = admin_role  

[roles] # The URIs below define a landing skid which
# the user can use to import or export data from the system. 
# Since the server runs as the user "hive" files in that directory 
# must either have the group hive and read/write set or 
# be world read/write. 
analyst_role = server=server1->db=analyst1, \     
    server=server1->db=jranalyst1->table=*->action=select         
    server=server1->uri=hdfs://ha-nn-uri/landing/analyst1 
junior_analyst_role = server=server1->db=jranalyst1, \     
    server=server1->uri=hdfs://ha-nn-uri/landing/jranalyst1  

# Implies everything on server1. 
admin_role = server=server1

The following sections show how you can use the new GRANT statements to assign privileges to roles (and assign roles to groups) to match the sample policy file above.

Grant privileges to analyst_role:

CREATE ROLE analyst_role;
GRANT ALL ON DATABASE analyst1 TO ROLE analyst_role;
GRANT SELECT ON DATABASE jranalyst1 TO ROLE analyst_role;
GRANT ALL ON URI 'hdfs://ha-nn-uri/landing/analyst1' \
TO ROLE analyst_role;

Grant privileges to junior_analyst_role:

CREATE ROLE junior_analyst_role;
GRANT ALL ON DATABASE jranalyst1 TO ROLE junior_analyst_role;
GRANT ALL ON URI 'hdfs://ha-nn-uri/landing/jranalyst1' \
TO ROLE junior_analyst_role;

Grant privileges to admin_role:

CREATE ROLE admin_role;
GRANT ALL ON SERVER server1 TO ROLE admin_role;

Grant roles to groups:

GRANT ROLE admin_role TO GROUP admin;
GRANT ROLE analyst_role TO GROUP analyst;
GRANT ROLE jranalyst_role TO GROUP jranalyst;

Page generated October 24, 2018.