Dear Wiki user, You have subscribed to a wiki page or wiki category on "Hadoop Wiki" for change notification.
The "Hive/AuthDev" page has been changed by NamitJain. http://wiki.apache.org/hadoop/Hive/AuthDev?action=diff&rev1=5&rev2=6 -------------------------------------------------- drop role - add a user to a role + grant a role to a user - remove a user from a role + revoke a role from a user === 3.1.2 role metadata === @@ -210, +210 @@ Create - Create temporary tables - - Ceate view + Create view Delete @@ -228, +226 @@ Show databases - show view - Super - - Update == 4.2 show grant == @@ -286, +280 @@ ROLE - GROUP is very similar to a role. And we support Group is because we may need to pass the group information to HDFS/Map-reduce. But role does not need to be a group. + GROUP is very similar to a role. And we support Group is because we may need to pass the group information to HDFS/Map-reduce. + + A role can also contain other roles and privileges - and they can be granted to users and groups. Role can be nested but not circular. + == 5.2 The verification steps == + + When a user logins to the system, he has a user name, one or few groups that he belongs to. + So it is + [ - In Oracle, a role groups several privileges and roles, so that they can be granted to and revoked from users simultaneously. A role must be enabled for a user before it can be used by the user. And in Oracle, there is role Authorization. Create role/Drop role requires CREATE ROLE system privilege to perform. - ] - - == 5.2 The verification steps == - - When a user logins to the system, he has a user name, one or few groups that he belongs to. And he also may be granted to some roles. - So it is - - [ {{{ @@ -308, +300 @@ list of group names, - list of roles that has been directly granted to himself, + list of privileges and roles that has been directly granted, - list of roles that been directly granted groups that users belongs to + list of privileges and roles that been directly granted to groups that users belongs to }}} @@ -332, +324 @@ 4. 
If there is an entry in 'column' that deny this access, return DENY + Perform the above steps for each group/roles that the user belongs to. + if deny failed, go through all privilege levels with the user name: 5. If there is an entry in 'user' that accept this access, return ACCEPT @@ -342, +336 @@ 8. If there is an entry in 'column' that accept this access, return ACCEPT - Second try the user's group/role names one by one until we get an ACCEPT or DENY. If we get one DENY from one group/role, will DENY this access. + Second try the user's group/role names one by one until we get an ACCEPT. For each role/group, we do the same routine as we did for user name. @@ -381, +375 @@ = 6. Where to add authorization in Hive = CliDriver and HiveServer. Basically they share the same code. If HiveServer invokes CliDriver, we can just add it into CliDriver. And we also need to make HiveServer be able to support multiple user/connections. + This still does not solve the problem if someone accesses the metastore directly (without going through Hive). = 7. Implementation =
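Review bot: in the first hunk the role operations list is changed to "grant a role to a user" / "revoke a role from a user" only, but the 5.1 hunk later in this change says roles "can be granted to users and groups". Either add "grant a role to a group" / "revoke a role from a group" to the 3.1.1 list, or say in 5.1 that groups receive roles some other way; as written the two sections disagree about whether a group can hold a role.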
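Review bot: the @@ -228 hunk drops "Super" and "Update" from the privilege list without naming a replacement, so after this change no privilege in the list covers the administrative operations the same change adds in 3.1 (create role, drop role, grant, revoke). Please state which privilege, or which fixed identity, is required to run them; the removed Oracle aside ("Create role/Drop role requires CREATE ROLE system privilege") was the only text that addressed this, and it is deleted in the @@ -286 hunk.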
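Review bot: the @@ -286 hunk leaves the relocated section 5.2 truncated: the new text reads "When a user logins to the system, he has a user name, one or few groups that he belongs to. So it is" followed by a lone "[", because the removed Oracle note ended with the "]" and the original continuation was cut. It also drops the clause "And he also may be granted to some roles.", which should stay, since the @@ -308 hunk still lists directly granted roles as part of the identity that is checked. Separately, "Role can be nested but not circular" should say where the cycle is rejected (at grant time, before the role-to-role edge is stored) and that verification walks nested roles transitively; otherwise the "directly granted" lists below are incomplete.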
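Review bot: in the @@ -308 hunk the identity is built from privileges and roles "directly granted" to the user and to the user's groups, but the previous hunk makes roles nestable, so a privilege held by a role inside a granted role is not in either list. Suggest "list of privileges and roles granted, directly or through nested roles, to the user" (and the same wording for groups), and note that the expansion must stop on the cycle check already promised in 5.1.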
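Review bot: the @@ -332 hunk changes the algorithm so that the DENY steps (1 to 4) run for the user and then for every group/role before any ACCEPT step runs, which means a DENY at any level for any group/role beats an ACCEPT granted directly to the user at a more specific level (for example a table-level DENY on a group overrides a column-level ACCEPT on the user). That is a reasonable deny-wins policy, but it is the opposite of what a reader will assume from "four levels", so please say it explicitly. Also "if deny failed" is ambiguous; suggest "if no DENY entry matched for the user or any of the user's groups/roles".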
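Review bot: the @@ -342 hunk removes the only sentence that said what happens when no ACCEPT is found ("If we get one DENY from one group/role, will DENY this access"), and the new text "until we get an ACCEPT" never states the fall-through result. Add the default, which with the deny-first ordering should be DENY when neither the user nor any group/role yields an ACCEPT, and say that the group/role walk in this pass includes nested roles, as in the deny pass.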
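Review bot: the @@ -381 hunk correctly records that checks placed in CliDriver/HiveServer are bypassed by direct metastore access, but it leaves the gap unaddressed. Since 5.1 already says group information is passed down to HDFS/Map-reduce, the section should state whether the design relies on metastore-side and HDFS-side enforcement for the actual security boundary and treats the CliDriver check as a convenience layer, or lists direct metastore access as an open issue for section 7; as written a reader cannot tell which.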
