Creating Roles and Granting Privileges in Hive

Published: 2024/3/12

1 Role management commands

1.1 Create a role

Creates a new role. Must be run by an admin user.

    CREATE ROLE role_name;
    -- Example: create a role named bigdata_admin_role
    CREATE ROLE bigdata_admin_role;

    <!-- If Hive authorization has not been configured, edit hive-site.xml as follows and then restart -->
    <property>
      <name>hive.security.authorization.enabled</name>
      <value>true</value>
    </property>
    <property>
      <name>hive.security.authorization.createtable.owner.grants</name>
      <value>ALL</value>
    </property>
    <property>
      <name>hive.security.authorization.task.factory</name>
      <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
    </property>

1.2 Drop a role

Drops a role. Must be run by an admin user.

    DROP ROLE role_name;
    -- Example: drop the role named bigdata_admin_role
    DROP ROLE bigdata_admin_role;

1.3 Show current roles

Shows the list of the user's current roles.

    SHOW CURRENT ROLES;

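1.4 Set role

If role_name is specified, that role becomes the only role in the current roles.
Setting role_name to ALL refreshes the list of current roles (in case new roles have been granted to the user) and sets it to the default list of roles.
Setting role_name to NONE removes all current roles from the current user.

    SET ROLE (role_name|ALL|NONE);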

1.5 Show roles

Lists all roles that currently exist.
Only the admin role has the privilege to run this.

    SHOW ROLES;

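2 Privilege management

2.1 Granting a role to other roles/users/groups

That is, the other role/user/group will hold the privileges that the granted role holds.

Grant/revoke syntax

Grants one or more roles to other roles or users.
If "WITH ADMIN OPTION" is specified, the user gains the privilege to grant the role to other users/roles.
If the grant statement would end up creating a cyclic relationship between roles, the command fails with an error.

    GRANT ROLE role_name [, role_name] ...
    TO principal_specification [, principal_specification] ...
    [ WITH ADMIN OPTION ];

    principal_specification:
        USER user
      | GROUP group
      | ROLE role

    -- Example: grant the privileges of role bigdata_admin_role to user bigdata_admin
    GRANT ROLE bigdata_admin_role TO USER bigdata_admin;
    -- Example: grant the privileges of role bigdata_admin_role to group bigdata_admin_g
    GRANT ROLE bigdata_admin_role TO GROUP bigdata_admin_g;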

Revokes membership of the roles from the users/roles in the FROM clause.

    REVOKE [ADMIN OPTION FOR] role_name [, role_name] ...
    FROM principal_specification [, principal_specification] ... ;

    principal_specification:
        USER user
      | GROUP group
      | ROLE role

    -- Example: remove the privileges of role bigdata_admin_role from user bigdata_admin
    REVOKE ROLE bigdata_admin_role FROM USER bigdata_admin;
    -- Example: remove the privileges of role bigdata_admin_role from group bigdata_admin_g
    REVOKE ROLE bigdata_admin_role FROM GROUP bigdata_admin_g;

2.2 Granting database/table privileges to a role

Grants privileges on a database, table or view. The privileges are ALL/ALTER/UPDATE/CREATE/DROP/INDEX/LOCK/SELECT/SHOW_DATABASE. Privileges can also be granted on specific columns of a table.

    GRANT
        priv_type [(column_list)]
        [, priv_type [(column_list)]] ...
        [ON object_specification]
    TO principal_specification [, principal_specification] ...
    [WITH GRANT OPTION]

    REVOKE [GRANT OPTION FOR]
        priv_type [(column_list)]
        [, priv_type [(column_list)]] ...
        [ON object_specification]
    FROM principal_specification [, principal_specification] ...

    REVOKE all on bigdata_db.test from

    REVOKE ALL PRIVILEGES, GRANT OPTION
    FROM user [, user] ...

    priv_type:
        ALL | ALTER | UPDATE | CREATE | DROP
      | INDEX | LOCK | SELECT | SHOW_DATABASE

    object_specification:
        TABLE tbl_name
      | DATABASE db_name

    principal_specification:
        USER user
      | GROUP group
      | ROLE role

    -- Example: grant all privileges on database bigdata_db to role bigdata_admin_role
    GRANT ALL ON DATABASE bigdata_db TO ROLE bigdata_admin_role;
    -- Example: grant SELECT on table bigdata_db.test to role bigdata_read_role
    GRANT SELECT ON TABLE bigdata_db.test TO ROLE bigdata_read_role;
    -- Example: remove SELECT on table bigdata_db.test from role bigdata_read_role
    REVOKE SELECT ON TABLE bigdata_db.test FROM ROLE bigdata_read_role;

If a user is granted a privilege on a table or view WITH GRANT OPTION, that user can also grant and revoke that privilege on those objects for other users and roles.

2.3 Show grants

    SHOW GRANT [principal_specification] ON (ALL | [TABLE] table_or_view_name);

    principal_specification:
        USER user
      | ROLE role

2.4 Examples of managing object privileges

Example: create user bigdata_admin in group bigdata_admin_g, create the Hive role bigdata_admin_role, create database bigdata_db, give role bigdata_admin_role all privileges on bigdata_db, and grant bigdata_admin_role to group bigdata_admin_g:

    # Shell script:
    # 1. Create a group, bigdata_admin_g. Syntax: groupadd [group name]
    groupadd bigdata_admin_g
    # 2. Create a user, bigdata_admin, in group bigdata_admin_g. Syntax: useradd -m -g [group name] [user name]
    useradd -m -g bigdata_admin_g bigdata_admin
    # 3. Check that the group and user were created. Syntax: id [user name]
    id bigdata_admin
    # Output like the following means creation succeeded:
    # uid=1003(bigdata_admin) gid=1003(bigdata_admin_g) groups=1003(bigdata_admin_g)
    # 4. Create the user's Hadoop directory, then set its permissions and space quota
    hadoop fs -mkdir /user/bigdata_admin
    hadoop fs -chown bigdata_admin:bigdata_admin_g /user/bigdata_admin
    hadoop fs -chmod 711 /user/bigdata_admin
    hadoop fs -setfacl -R -m group:bigdata_admin_g:rwx /user/bigdata_admin
    hadoop fs -setfacl -R -m default:group:bigdata_admin_g:rwx /user/bigdata_admin
    hadoop fs -setfacl -R -m default:user::rwx /user/bigdata_admin
    # Deny access to others by default (entry type "other" is assumed; the source line read default::---)
    hadoop fs -setfacl -R -m default:other::--- /user/bigdata_admin
    hdfs dfsadmin -setSpaceQuota 10g /user/bigdata_admin

    -- SQL script:
    -- 1. Create database bigdata_db
    CREATE DATABASE bigdata_db;
    -- 2. Create a role named bigdata_admin_role
    CREATE ROLE bigdata_admin_role;
    -- 3. Grant all privileges on database bigdata_db to role bigdata_admin_role
    GRANT ALL ON DATABASE bigdata_db TO ROLE bigdata_admin_role;
    -- 4. Grant role bigdata_admin_role to group bigdata_admin_g, so users in that group hold all privileges on database bigdata_db
    GRANT ROLE bigdata_admin_role TO GROUP bigdata_admin_g;
    -- 5. Grant all privileges on the cluster path to role bigdata_admin_role
    GRANT ALL ON URI 'hdfs://nameservice/user/bigdata' TO ROLE bigdata_admin_role;

Example: create user bigdata_read in group bigdata_read_g, create the Hive role bigdata_read_role, give role bigdata_read_role the SELECT privilege on bigdata_db, and grant bigdata_read_role to group bigdata_admin_g:

    -- SQL script:
    -- 1. Create a role named bigdata_read_role
    CREATE ROLE bigdata_read_role;
    -- 2. Grant SELECT on database bigdata_db to role bigdata_read_role
    GRANT SELECT ON DATABASE bigdata_db TO ROLE bigdata_read_role;
    -- 3. Grant role bigdata_read_role to group bigdata_admin_g, so users in that group hold SELECT on database bigdata_db
    GRANT ROLE bigdata_read_role TO GROUP bigdata_admin_g;

2.5 Show role grants

principal_name is the name of a user or role.
Lists all roles that have been granted to the given user or role.

    SHOW ROLE GRANT (USER|ROLE|GROUP) principal_name;

Example:

    0: jdbc:hive2://localhost:10000> SHOW ROLE GRANT USER user1;
    +---------+---------------+----------------+----------+
    | role    | grant_option  | grant_time     | grantor  |
    +---------+---------------+----------------+----------+
    | public  | false         | 0              |          |
    | role1   | false         | 1398284083000  | uadmin   |
    +---------+---------------+----------------+----------+

2.6 List all roles and users that belong to a role

Only the admin role has the privilege to run this.

    SHOW PRINCIPALS role_name;

Example:

    0: jdbc:hive2://localhost:10000> SHOW PRINCIPALS role1;
    +-----------------+-----------------+---------------+----------+---------------+----------------+
    | principal_name  | principal_type  | grant_option  | grantor  | grantor_type  | grant_time     |
    +-----------------+-----------------+---------------+----------+---------------+----------------+
    | role2           | ROLE            | false         | uadmin   | USER          | 1398285926000  |
    | role3           | ROLE            | true          | uadmin   | USER          | 1398285946000  |
    | user1           | USER            | false         | uadmin   | USER          | 1398285977000  |
    +-----------------+-----------------+---------------+----------+---------------+----------------+

Find the privileges user ashutosh holds on table hivejiratable:

    0: jdbc:hive2://localhost:10000> show grant user ashutosh on table hivejiratable;
    +-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
    | database  | table          | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
    +-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
    | default   | hivejiratable  |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000  | thejas   |
    | default   | hivejiratable  |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000  | thejas   |
    +-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+

Find the privileges user ashutosh holds on all objects:

    0: jdbc:hive2://localhost:10000> show grant user ashutosh on all;
    +-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
    | database  | table             | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
    +-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
    | default   | hivecontributors  |            |         | ashutosh        | USER            | DELETE     | false         | 1398303576000  | thejas   |
    | default   | hivecontributors  |            |         | ashutosh        | USER            | INSERT     | false         | 1398303576000  | thejas   |
    | default   | hivecontributors  |            |         | ashutosh        | USER            | SELECT     | false         | 1398303576000  | thejas   |
    | default   | hivejiratable     |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000  | thejas   |
    | default   | hivejiratable     |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000  | thejas   |
    +-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+

Find the privileges all users hold on table hivejiratable:

    0: jdbc:hive2://localhost:10000> show grant on table hivejiratable;
    +-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
    | database  | table          | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
    +-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
    | default   | hivejiratable  |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000  | thejas   |
    | default   | hivejiratable  |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000  | thejas   |
    | default   | hivejiratable  |            |         | navis           | USER            | INSERT     | false         | 1398303650000  | thejas   |
    | default   | hivejiratable  |            |         | navis           | USER            | SELECT     | false         | 1398303650000  | thejas   |
    | default   | hivejiratable  |            |         | public          | ROLE            | SELECT     | false         | 1398303481000  | thejas   |
    | default   | hivejiratable  |            |         | thejas          | USER            | DELETE     | true          | 1398303380000  | thejas   |
    | default   | hivejiratable  |            |         | thejas          | USER            | INSERT     | true          | 1398303380000  | thejas   |
    | default   | hivejiratable  |            |         | thejas          | USER            | SELECT     | true          | 1398303380000  | thejas   |
    | default   | hivejiratable  |            |         | thejas          | USER            | UPDATE     | true          | 1398303380000  | thejas   |
    +-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
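
An added example (not part of the original page): a small Python audit over captured SHOW GRANT output in the beeline table format shown above. The three review rules (grants to the public role, grant option held by a principal other than the grantor, write privileges granted directly to a user instead of through a role), the function names and the etl_role row are assumptions made for illustration.

```python
# Added example: audit `SHOW GRANT` output captured from beeline.
# SAMPLE is constructed: three rows follow the page's output, etl_role is made up.
SAMPLE = """\
0: jdbc:hive2://localhost:10000> show grant on table hivejiratable;
+----------+---------------+-----------+--------+----------------+----------------+-----------+--------------+---------------+---------+
| database | table         | partition | column | principal_name | principal_type | privilege | grant_option | grant_time    | grantor |
+----------+---------------+-----------+--------+----------------+----------------+-----------+--------------+---------------+---------+
| default  | hivejiratable |           |        | ashutosh       | USER           | DELETE    | false        | 1398303419000 | thejas  |
| default  | hivejiratable |           |        | public         | ROLE           | SELECT    | false        | 1398303481000 | thejas  |
| default  | hivejiratable |           |        | thejas         | USER           | SELECT    | true         | 1398303380000 | thejas  |
| default  | hivejiratable |           |        | etl_role       | ROLE           | SELECT    | true         | 1398303700000 | thejas  |
+----------+---------------+-----------+--------+----------------+----------------+-----------+--------------+---------------+---------+
"""
WRITE_PRIVS = {"ALL", "INSERT", "UPDATE", "DELETE"}


def parse_beeline_table(text):
    """Turn a beeline ASCII table into a list of dicts keyed by column name."""
    lines = [ln.strip() for ln in text.splitlines()]
    # Keep only "| ... |" rows; the prompt line and "+---+" borders are skipped.
    rows = [[c.strip() for c in ln[1:-1].split("|")]
            for ln in lines if ln.startswith("|") and ln.endswith("|")]
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    for cells in data:
        if len(cells) != len(header):
            raise ValueError(f"column count mismatch: {cells!r}")
    return [dict(zip(header, cells)) for cells in data]


def audit_grants(rows):
    """Return (finding, principal, object, privilege) tuples worth reviewing."""
    findings = []
    for r in rows:
        who = f"{r['principal_type']} {r['principal_name']}"
        obj = f"{r['database']}.{r['table']}"
        # Heuristic: a principal that granted to itself is treated as the owner.
        self_granted = r["principal_name"] == r["grantor"]
        if (r["principal_type"], r["principal_name"].lower()) == ("ROLE", "public"):
            findings.append(("granted-to-public", who, obj, r["privilege"]))
        if r["grant_option"].lower() == "true" and not self_granted:
            findings.append(("can-regrant", who, obj, r["privilege"]))
        if (r["principal_type"] == "USER" and not self_granted
                and r["privilege"].upper() in WRITE_PRIVS):
            findings.append(("direct-user-write", who, obj, r["privilege"]))
    return findings
```

Calling audit_grants(parse_beeline_table(SAMPLE)) returns one finding per rule; the owner's own rows (thejas) are not reported.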
