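I mainly use Hive 0.14 through beeline.
I am not an administrator, but I would like to create several views that my team can use.
We have a common Hive database that everyone can read from and write to. If I create certain tables/views that I don't want other people to be able to drop or modify, can I revoke other people's drop/write access?
Best answer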
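Access to Hive tables depends on HDFS access permissions.
Whenever you create a new table tbl in a database located at db, a new directory db/tbl is created.
If you want to restrict group write access to that directory, use hadoop fs -chmod, for example: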
hadoop fs -chmod 750 db/tbl
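If you want to find out where tables are located in a database, you can create a table without specifying a location and then run describe formatted tbl.
You can always run hadoop fs -ls db
Regarding views: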
Although Storage Based Authorization can provide access control at the level of Databases, Tables and Partitions, it can not control authorization at finer levels such as columns and views because the access control provided by the file system is at the level of directory and files. A prerequisite for fine grained access control is a data server that is able to provide just the columns and rows that a user needs (or has) access to. In the case of file system access, the whole file is served to the user. HiveServer2 satisfies this condition, as it has an API that understands rows and columns (through the use of SQL), and is able to serve just the columns and rows that your SQL query asked for.
SQL Standards Based Authorization (introduced in Hive 0.13.0, HIVE-5837) can be used to enable fine grained access control. It is based on the SQL standard for authorization, and uses the familiar grant/revoke statements to control access. It needs to be enabled through HiveServer2 configuration.
Note that for Hive command line, SQL Standards Based Authorization is disabled. This is because secure access control is not possible for the Hive command line using an access control policy in Hive, because users have direct access to HDFS and so they can easily bypass the SQL standards based authorization checks or even disable it altogether. Disabling this avoids giving a false sense of security to users.
So, in short, SQL Standards Based Authorization needs to be enabled in the configuration.
Then you can use REVOKE on views.
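
An added example, not part of the original answer: a shell function that reads hadoop fs -ls output and lists the entries that group or other can still write to, which is a quick way to confirm that a chmod 750 like the one above took effect. The function names and the sample listing (owners, dates, paths) are constructed for illustration.

```shell
#!/bin/sh
# Reads `hadoop fs -ls` output on stdin and prints "<who> <path>" for every
# entry whose group and/or other permission bits include write.
writable_by_others() {
    awk '
        # Skip the "Found N items" header and anything that is not a listing row.
        NF < 8 { next }
        $1 !~ /^[-dl][-r][-w]/ { next }
        {
            # Permission string layout: type, owner rwx, group rwx, other rwx.
            gw = (substr($1, 6, 1) == "w")
            ow = (substr($1, 9, 1) == "w")
            if (!gw && !ow) next
            if (gw && ow) who = "group+other"
            else if (gw)  who = "group"
            else          who = "other"
            # The path is field 8 onward, since paths may contain spaces.
            path = $8
            for (i = 9; i <= NF; i++) path = path " " $i
            print who, path
        }'
}

# Constructed sample of what `hadoop fs -ls db` could print.
sample_listing() {
    cat <<'EOF'
Found 4 items
drwxr-x---   - alice team          0 2016-11-04 10:12 db/tbl
drwxrwxr-x   - bob   team          0 2016-11-03 09:40 db/shared_tbl
drwxrwxrwx   - carol team          0 2016-11-02 17:05 db/scratch
drwxr-xrwt   - dave  team          0 2016-11-01 08:00 db/tmp tbl
EOF
}

# Demonstration on the constructed sample; db/tbl (mode 750) is not reported.
sample_listing | writable_by_others
```

Against a real cluster, run it as hadoop fs -ls db | writable_by_others. Because deleting a directory in HDFS also requires write permission on its parent, check the parent as well with hadoop fs -ls -d db.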
Regarding "hadoop - Can a user without administrator rights manage object access permissions in Hive?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/40414800/