Posted to commits@impala.apache.org by ta...@apache.org on 2018/07/04 01:07:47 UTC
[5/6] impala git commit: IMPALA-6883: [DOCS] Refactor
impala_authorization doc
IMPALA-6883: [DOCS] Refactor impala_authorization doc
Change-Id: I3df72adb25dcdcbc286934b048645f47d876b33d
Reviewed-on: http://gerrit.cloudera.org:8080/10786
Reviewed-by: Alex Rodoni <ar...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
Project: http://git-wip-us.apache.org/repos/asf/impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/4ff9f5f3
Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/4ff9f5f3
Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/4ff9f5f3
Branch: refs/heads/master
Commit: 4ff9f5f3d280607ca523652319c8691803c5db57
Parents: 30e82c6
Author: Alex Rodoni <ar...@cloudera.com>
Authored: Thu Jun 21 13:44:38 2018 -0700
Committer: Impala Public Jenkins <im...@cloudera.com>
Committed: Tue Jul 3 23:21:07 2018 +0000
----------------------------------------------------------------------
docs/shared/impala_common.xml | 867 ++++++++++++++----------------
docs/topics/impala_authorization.xml | 266 ++++-----
docs/topics/impala_grant.xml | 111 +---
3 files changed, 543 insertions(+), 701 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/impala/blob/4ff9f5f3/docs/shared/impala_common.xml
----------------------------------------------------------------------
diff --git a/docs/shared/impala_common.xml b/docs/shared/impala_common.xml
index 6faa9c1..4dcfffb 100644
--- a/docs/shared/impala_common.xml
+++ b/docs/shared/impala_common.xml
@@ -115,451 +115,388 @@ under the License.
nested topics at the end of this file.
</p>
- <table id="sentry_privileges_objects">
- <title>Valid privilege types and objects they apply to</title>
- <tgroup cols="2">
- <colspec colnum="1" colname="col1" colwidth="1*"/>
- <colspec colnum="2" colname="col2" colwidth="2*"/>
- <thead>
- <row>
- <entry><b>Privilege</b></entry>
- <entry><b>Object</b></entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>INSERT</entry>
- <entry>DB, TABLE</entry>
- </row>
- <row>
- <entry>SELECT</entry>
- <entry>DB, TABLE, COLUMN</entry>
- </row>
- <row>
- <entry>ALL</entry>
- <entry>SERVER, TABLE, DB, URI</entry>
- </row>
- </tbody>
- </tgroup>
- </table>
-
- <table id="privileges_sql">
- <title>Privilege table for Hive & Impala operations</title>
- <tgroup cols="4">
- <colspec colnum="1" colname="col1" colwidth="1.31*"/>
- <colspec colnum="2" colname="col2" colwidth="1.17*"/>
- <colspec colnum="3" colname="col3" colwidth="1*"/>
- <colspec colname="newCol4" colnum="4" colwidth="1*"/>
- <thead>
- <row>
- <entry>Operation</entry>
- <entry>Scope</entry>
- <entry>Privileges Required</entry>
- <entry>URI</entry>
- </row>
- </thead>
- <tbody>
- <row id="create_database_privs">
- <entry>CREATE DATABASE</entry>
- <entry>SERVER</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="drop_database_privs">
- <entry>DROP DATABASE</entry>
- <entry>DATABASE</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="create_table_privs">
- <entry>CREATE TABLE</entry>
- <entry>DATABASE</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="drop_table_privs">
- <entry>DROP TABLE</entry>
- <entry>TABLE</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="create_view_privs">
- <entry>CREATE VIEW<p>-This operation is allowed if you have
- column-level <codeph>SELECT</codeph> access to the columns
- being used.</p></entry>
- <entry>DATABASE; SELECT on TABLE; </entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row>
- <entry>ALTER VIEW<p>-This operation is allowed if you have
- column-level <codeph>SELECT</codeph> access to the columns
- being used.</p></entry>
- <entry>VIEW/TABLE</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="drop_view_privs">
- <entry>DROP VIEW</entry>
- <entry>VIEW/TABLE</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="alter_table_add_columns_privs">
- <entry>ALTER TABLE .. ADD COLUMNS</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_replace_columns_privs">
- <entry>ALTER TABLE .. REPLACE COLUMNS</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_change_column_privs">
- <entry>ALTER TABLE .. CHANGE column</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_rename_privs">
- <entry>ALTER TABLE .. RENAME</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_set_tblproperties_privs">
- <entry>ALTER TABLE .. SET TBLPROPERTIES</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_set_fileformat_privs">
- <entry>ALTER TABLE .. SET FILEFORMAT</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_set_location_privs">
- <entry>ALTER TABLE .. SET LOCATION</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry>URI</entry>
- </row>
- <row id="alter_table_add_partition_privs">
- <entry>ALTER TABLE .. ADD PARTITION</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_add_partition_location_privs">
- <entry>ALTER TABLE .. ADD PARTITION location</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry>URI</entry>
- </row>
- <row id="alter_table_drop_partition_privs">
- <entry>ALTER TABLE .. DROP PARTITION</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_partition_set_fileformat_privs">
- <entry>ALTER TABLE .. PARTITION SET FILEFORMAT</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="show_create_table_privs">
- <entry>SHOW CREATE TABLE</entry>
- <entry>TABLE</entry>
- <entry>SELECT/INSERT</entry>
- <entry/>
- </row>
- <row id="show_partitions_privs">
- <entry>SHOW PARTITIONS</entry>
- <entry>TABLE</entry>
- <entry>SELECT/INSERT</entry>
- <entry/>
- </row>
- <row>
- <entry>SHOW TABLES<p>-Output includes all the tables for which
- the user has table-level privileges and all the tables for
- which the user has some column-level privileges.</p></entry>
- <entry>TABLE</entry>
- <entry>SELECT/INSERT</entry>
- <entry/>
- </row>
- <row>
- <entry>SHOW GRANT ROLE<p>-Output includes an additional field
- for any column-level privileges.</p></entry>
- <entry>TABLE</entry>
- <entry>SELECT/INSERT</entry>
- <entry/>
- </row>
- <row id="describe_table_privs">
- <entry>DESCRIBE TABLE<p>-Output shows <i>all</i> columns if the
- user has table level-privileges or <codeph>SELECT</codeph>
- privilege on at least one table column</p></entry>
- <entry>TABLE</entry>
- <entry>SELECT/INSERT</entry>
- <entry/>
- </row>
- <row id="load_data_privs">
- <entry>LOAD DATA</entry>
- <entry>TABLE</entry>
- <entry>INSERT</entry>
- <entry>URI</entry>
- </row>
- <row id="select_privs">
- <entry>SELECT<p>-You can grant the SELECT privilege on a view to
- give users access to specific columns of a table they do not
- otherwise have access to.</p><p>-See
- <xref keyref="sg_hive_sql"/>
- for details on allowed column-level
- operations.</p></entry>
- <entry>VIEW/TABLE; COLUMN</entry>
- <entry>SELECT</entry>
- <entry/>
- </row>
- <row id="insert_overwrite_table_privs">
- <entry>INSERT OVERWRITE TABLE</entry>
- <entry>TABLE</entry>
- <entry>INSERT</entry>
- <entry/>
- </row>
- <row id="create_table_as_select_privs">
- <entry>CREATE TABLE .. AS SELECT<p>-This operation is allowed if
- you have column-level <codeph>SELECT</codeph> access to the
- columns being used.</p></entry>
- <entry>DATABASE; SELECT on TABLE</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="use_privs">
- <entry>USE <dbName></entry>
- <entry>Any</entry>
- <entry/>
- <entry/>
- </row>
- <row id="create_function_privs">
- <entry>CREATE FUNCTION</entry>
- <entry>SERVER</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="alter_table_set_serdeproperties_privs">
- <entry>ALTER TABLE .. SET SERDEPROPERTIES</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row>
- <entry>ALTER TABLE .. PARTITION SET SERDEPROPERTIES</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="_privs">
- <entry namest="col1" nameend="newCol4"><b>Hive-Only
- Operations</b></entry>
- </row>
- <row id="insert_overwrite_directory_privs">
- <entry>INSERT OVERWRITE DIRECTORY</entry>
- <entry>TABLE</entry>
- <entry>INSERT</entry>
- <entry>URI</entry>
- </row>
- <row id="analyze_table_privs">
- <entry>Analyze TABLE</entry>
- <entry>TABLE</entry>
- <entry>SELECT + INSERT</entry>
- <entry/>
- </row>
- <row id="import_table_privs">
- <entry>IMPORT TABLE</entry>
- <entry>DATABASE</entry>
- <entry>ALL</entry>
- <entry>URI</entry>
- </row>
- <row id="export_table_privs">
- <entry>EXPORT TABLE</entry>
- <entry>TABLE</entry>
- <entry>SELECT</entry>
- <entry>URI</entry>
- </row>
- <row id="alter_table_touch_privs">
- <entry>ALTER TABLE TOUCH</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_touch_partition_privs">
- <entry>ALTER TABLE TOUCH PARTITION</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_clustered_by_privs">
- <entry>ALTER TABLE .. CLUSTERED BY SORTED BY</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_enable_privs">
- <entry>ALTER TABLE .. ENABLE/DISABLE</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_partition_enable_privs">
- <entry>ALTER TABLE .. PARTITION ENABLE/DISABLE</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row id="alter_table_partition_rename_privs">
- <entry>ALTER TABLE .. PARTITION.. RENAME TO PARTITION</entry>
- <entry>TABLE</entry>
- <entry>ALL on DATABASE</entry>
- <entry/>
- </row>
- <row>
- <entry>MSCK REPAIR TABLE</entry>
- <entry>TABLE</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="alter_database_privs">
- <entry>ALTER DATABASE</entry>
- <entry>DATABASE</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="describe_database_privs">
- <entry>DESCRIBE DATABASE</entry>
- <entry>DATABASE</entry>
- <entry>SELECT/INSERT</entry>
- <entry/>
- </row>
- <row id="show_columns_privs">
- <entry>SHOW COLUMNS<p>-Output for this operation filters columns
- to which the user does not have explicit
- <codeph>SELECT</codeph> access </p></entry>
- <entry>TABLE</entry>
- <entry>SELECT/INSERT</entry>
- <entry/>
- </row>
- <row id="create_index_privs">
- <entry>CREATE INDEX</entry>
- <entry>TABLE</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="drop_index_privs">
- <entry>DROP INDEX</entry>
- <entry>TABLE</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="show_indexes_privs">
- <entry>SHOW INDEXES</entry>
- <entry>TABLE</entry>
- <entry>SELECT/INSERT</entry>
- <entry/>
- </row>
- <row id="grant_privs">
- <entry>GRANT PRIVILEGE</entry>
- <entry>Allowed only for Sentry admin users</entry>
- <entry/>
- <entry/>
- </row>
- <row id="revoke_privs">
- <entry>REVOKE PRIVILEGE</entry>
- <entry>Allowed only for Sentry admin users</entry>
- <entry/>
- <entry/>
- </row>
- <row id="show_grants_privs">
- <entry>SHOW GRANTS</entry>
- <entry>Allowed only for Sentry admin users</entry>
- <entry/>
- <entry/>
- </row>
- <row id="show_tblproperties_privs">
- <entry>SHOW TBLPROPERTIES</entry>
- <entry>TABLE</entry>
- <entry>SELECT/INSERT</entry>
- <entry/>
- </row>
- <row id="describe_table_partition_privs">
- <entry>DESCRIBE TABLE .. PARTITION</entry>
- <entry>TABLE</entry>
- <entry>SELECT/INSERT</entry>
- <entry/>
- </row>
- <row id="add_jar_privs">
- <entry>ADD JAR</entry>
- <entry>Not Allowed</entry>
- <entry/>
- <entry/>
- </row>
- <row id="add_file_privs">
- <entry>ADD FILE</entry>
- <entry>Not Allowed</entry>
- <entry/>
- <entry/>
- </row>
- <row id="dfs_privs">
- <entry>DFS</entry>
- <entry>Not Allowed</entry>
- <entry/>
- <entry/>
- </row>
- <row>
- <entry namest="col1" nameend="newCol4"><b>Impala-Only
- Operations</b></entry>
- </row>
- <row id="explain_privs">
- <entry>EXPLAIN</entry>
- <entry>TABLE; COLUMN</entry>
- <entry>SELECT</entry>
- <entry/>
- </row>
- <row id="invalidate_metadata_privs">
- <entry>INVALIDATE METADATA</entry>
- <entry>SERVER</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="invalidate_metadata_table_privs">
- <entry>INVALIDATE METADATA <table name></entry>
- <entry>TABLE</entry>
- <entry>SELECT/INSERT</entry>
- <entry/>
- </row>
- <row id="refresh_privs">
- <entry>REFRESH <table name> or REFRESH <table name> PARTITION (<partition_spec>)</entry>
- <entry>TABLE</entry>
- <entry>SELECT/INSERT</entry>
- <entry/>
- </row>
- <row id="drop_function_privs">
- <entry>DROP FUNCTION</entry>
- <entry>SERVER</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- <row id="compute_stats_privs">
- <entry>COMPUTE STATS</entry>
- <entry>TABLE</entry>
- <entry>ALL</entry>
- <entry/>
- </row>
- </tbody>
- </tgroup>
- </table>
+ <p id="sentry_privileges_objects">The table below lists the minimum level
+ of privileges and the scope required to execute SQL statements in
+ <keyword keyref="impala30_full"/> and higher. The following notations
+ are used:<ul>
+ <li><b>ANY</b> denotes the <codeph>SELECT</codeph>,
+ <codeph>INSERT</codeph>, <codeph>CREATE</codeph>,
+ <codeph>ALTER</codeph>, <codeph>DROP</codeph>, <b><i>or</i></b>
+ <codeph>REFRESH</codeph> privilege.</li>
+ <li><b>ALL</b> privilege denotes the <codeph>SELECT</codeph>,
+ <codeph>INSERT</codeph>, <codeph>CREATE</codeph>,
+ <codeph>ALTER</codeph>, <codeph>DROP</codeph>, <b><i>and</i></b>
+ <codeph>REFRESH</codeph> privileges.</li>
+ <li>The parent levels of the specified scope are implicitly supported.
+ For example, if a privilege is listed with the
+ <codeph>TABLE</codeph> scope, the same privilege granted on
+ <codeph>DATABASE</codeph> and <codeph>SERVER</codeph> will allow
+ the user to execute the specified SQL statement.</li>
+ </ul><table id="sentry_privileges_objects_tab" frame="all" colsep="1"
+ rowsep="1">
+ <tgroup cols="3">
+ <colspec colnum="1" colname="col1"/>
+ <colspec colnum="2" colname="col2"/>
+ <colspec colnum="3" colname="col3"/>
+ <tbody>
+ <row>
+ <entry><b>SQL Statement</b></entry>
+ <entry><b>Privileges</b></entry>
+ <entry><b>Scope</b></entry>
+ </row>
+ <row>
+ <entry>SELECT</entry>
+ <entry>SELECT</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>WITH SELECT</entry>
+ <entry>SELECT</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>EXPLAIN SELECT</entry>
+ <entry>SELECT</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>INSERT</entry>
+ <entry>INSERT</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>EXPLAIN INSERT</entry>
+ <entry>INSERT</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>TRUNCATE</entry>
+ <entry>INSERT</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>LOAD</entry>
+ <entry>INSERT</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>ALL</entry>
+ <entry>URI</entry>
+ </row>
+ <row>
+ <entry>CREATE DATABASE</entry>
+ <entry>CREATE</entry>
+ <entry>SERVER</entry>
+ </row>
+ <row>
+ <entry>CREATE DATABASE LOCATION</entry>
+ <entry>CREATE</entry>
+ <entry>SERVER</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>ALL</entry>
+ <entry>URI</entry>
+ </row>
+ <row>
+ <entry>CREATE TABLE</entry>
+ <entry>CREATE</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry>CREATE TABLE LIKE</entry>
+ <entry>CREATE</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>CREATE TABLE AS SELECT</entry>
+ <entry>CREATE</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>INSERT</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>SELECT</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>EXPLAIN CREATE TABLE AS SELECT</entry>
+ <entry>CREATE</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>INSERT</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>SELECT</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>CREATE TABLE LOCATION</entry>
+ <entry>CREATE</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>ALL</entry>
+ <entry>URI</entry>
+ </row>
+ <row>
+ <entry>CREATE VIEW</entry>
+ <entry>CREATE</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>SELECT</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>ALTER DATABASE</entry>
+ <entry>ALTER</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry>ALTER TABLE</entry>
+ <entry>ALTER</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>ALTER TABLE SET LOCATION</entry>
+ <entry>ALTER</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>ALL</entry>
+ <entry>URI</entry>
+ </row>
+ <row>
+ <entry>ALTER TABLE RENAME</entry>
+ <entry>CREATE</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>ALTER</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>ALTER VIEW</entry>
+ <entry>ALTER</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>SELECT</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>ALTER VIEW RENAME</entry>
+ <entry>CREATE</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>ALTER</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>DROP DATABASE</entry>
+ <entry>DROP</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry>DROP TABLE</entry>
+ <entry>DROP</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>DROP VIEW</entry>
+ <entry>DROP</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>CREATE FUNCTION</entry>
+ <entry>CREATE</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>ALL</entry>
+ <entry>URI</entry>
+ </row>
+ <row>
+ <entry>DROP FUNCTION</entry>
+ <entry>DROP</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry>COMPUTE STATS</entry>
+ <entry>ALTER and SELECT</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>DROP STATS</entry>
+ <entry>ALTER</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>INVALIDATE METADATA</entry>
+ <entry>REFRESH</entry>
+ <entry>SERVER</entry>
+ </row>
+ <row>
+ <entry>INVALIDATE METADATA <table></entry>
+ <entry>REFRESH</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>REFRESH <table></entry>
+ <entry>REFRESH</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>REFRESH FUNCTIONS</entry>
+ <entry>REFRESH</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry>COMMENT ON DATABASE</entry>
+ <entry>ALTER</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry>COMMENT ON TABLE</entry>
+ <entry>ALTER</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>COMMENT ON VIEW</entry>
+ <entry>ALTER</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>DESCRIBE DATABASE</entry>
+ <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry>DESCRIBE <table/view></entry>
+ <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>USE</entry>
+ <entry>ANY</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>SHOW DATABASES</entry>
+ <entry>ANY</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>SHOW TABLES</entry>
+ <entry>ANY</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>SHOW FUNCTIONS</entry>
+ <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry>SHOW PARTITIONS</entry>
+ <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>SHOW TABLE STATS</entry>
+ <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>SHOW COLUMN STATS</entry>
+ <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>SHOW FILES</entry>
+ <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>SHOW CREATE TABLE</entry>
+ <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>SHOW CREATE VIEW</entry>
+ <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>SHOW CREATE FUNCTION</entry>
+ <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry>
+ <entry>DATABASE</entry>
+ </row>
+ <row>
+ <entry>SHOW RANGE PARTITIONS (Kudu only)</entry>
+ <entry>SELECT, INSERT, <b><i>or</i></b> REFRESH</entry>
+ <entry>TABLE</entry>
+ </row>
+ <row>
+ <entry>UPDATE (Kudu only)</entry>
+ <entry>ALL</entry>
+ <entry>SERVER</entry>
+ </row>
+ <row>
+ <entry>EXPLAIN UPDATE (Kudu only)</entry>
+ <entry>ALL</entry>
+ <entry>SERVER</entry>
+ </row>
+ <row>
+ <entry>UPSERT (Kudu only)</entry>
+ <entry>ALL</entry>
+ <entry>SERVER</entry>
+ </row>
+ <row>
+ <entry>WITH UPSERT (Kudu only)</entry>
+ <entry>ALL</entry>
+ <entry>SERVER</entry>
+ </row>
+ <row>
+ <entry>EXPLAIN UPSERT (Kudu only)</entry>
+ <entry>ALL</entry>
+ <entry>SERVER</entry>
+ </row>
+ <row>
+ <entry>DELETE (Kudu only)</entry>
+ <entry>ALL</entry>
+ <entry>SERVER</entry>
+ </row>
+ <row>
+ <entry>EXPLAIN DELETE (Kudu only)</entry>
+ <entry>ALL</entry>
+ <entry>SERVER</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table></p>
<p rev="IMPALA-2660" id="auth_to_local_instructions">
In <keyword keyref="impala26_full"/> and higher, Impala recognizes the <codeph>auth_to_local</codeph> setting,
@@ -590,29 +527,23 @@ under the License.
<b><ph id="title_sentry_debug">Debugging Failed Sentry Authorization Requests</ph></b>
</p>
- <p id="sentry_debug">
- Sentry logs all facts that lead up to authorization decisions at the debug level. If you do not understand
- why Sentry is denying access, the best way to debug is to temporarily turn on debug logging:
- <ul>
- <li>
- Add <codeph>log4j.logger.org.apache.sentry=DEBUG</codeph> to the <filepath>log4j.properties</filepath>
- file on each host in the cluster, in the appropriate configuration directory for each service.
- </li>
- </ul>
- Specifically, look for exceptions and messages such as:
-<codeblock xml:space="preserve">FilePermission server..., RequestPermission server...., result [true|false]</codeblock>
- which indicate each evaluation Sentry makes. The <codeph>FilePermission</codeph> is from the policy file,
- while <codeph>RequestPermission</codeph> is the privilege required for the query. A
- <codeph>RequestPermission</codeph> will iterate over all appropriate <codeph>FilePermission</codeph>
- settings until a match is found. If no matching privilege is found, Sentry returns <codeph>false</codeph>
- indicating <q>Access Denied</q> .
-<!--
-[1]
-Impala: Impala Daemon -> Advanced -> Impala Daemon Logging Safety Valve
-Hive: Hive Server 2 -> Advanced -> HiveServer2 Logging Safety Valve
-Search: Solr Server -> Advanced -> HiveServer2 Logging Safety Valve
--->
- </p>
+ <p id="sentry_debug"> Sentry logs all facts that lead up to authorization
+ decisions at the debug level. If you do not understand why Sentry is
+ denying access, the best way to debug is to temporarily turn on debug
+ logging: <ul>
+ <li> Add <codeph>log4j.logger.org.apache.sentry=DEBUG</codeph> to the
+ <filepath>log4j.properties</filepath> file on each host in the
+ cluster, in the appropriate configuration directory for each
+ service. </li>
+ </ul> Specifically, look for exceptions and messages such as:
+ <codeblock xml:space="preserve">FilePermission server..., RequestPermission server...., result [true|false]</codeblock>
+ which indicate each evaluation Sentry makes. The
+ <codeph>FilePermission</codeph> is from the policy file, while
+ <codeph>RequestPermission</codeph> is the privilege required for the
+ query. A <codeph>RequestPermission</codeph> will iterate over all
+ appropriate <codeph>FilePermission</codeph> settings until a match is
+ found. If no matching privilege is found, Sentry returns
+ <codeph>false</codeph> indicating <q>Access Denied</q>.</p>
</section>
http://git-wip-us.apache.org/repos/asf/impala/blob/4ff9f5f3/docs/topics/impala_authorization.xml
----------------------------------------------------------------------
diff --git a/docs/topics/impala_authorization.xml b/docs/topics/impala_authorization.xml
index 4e4a243..39932f6 100644
--- a/docs/topics/impala_authorization.xml
+++ b/docs/topics/impala_authorization.xml
@@ -65,12 +65,23 @@ under the License.
<conbody>
<p>
- Privileges can be granted on different objects in the schema. Any privilege that can be granted is
- associated with a level in the object hierarchy. If a privilege is granted on a container object in the
- hierarchy, the child object automatically inherits it. This is the same privilege model as Hive and other
- database systems such as MySQL.
+ Privileges can be granted on different objects in the schema. Any privilege that can be
+ granted is associated with a level in the object hierarchy. If a privilege is granted on
+ a parent object in the hierarchy, the child object automatically inherits it. This is
+ the same privilege model as Hive and other database systems.
+ </p>
+
+ <p>
+ The objects in the Impala schema hierarchy are:
</p>
+<codeblock>Server
+ URI
+ Database
+ Table
+ Column
+</codeblock>
+
<p rev="2.3.0 collevelauth">
The object hierarchy for Impala covers Server, URI, Database, Table, and Column. (The Table privileges apply to views as well;
anywhere you specify a table name, you can specify a view name instead.)
@@ -81,63 +92,7 @@ under the License.
in a table.
</p>
- <p>
- A restricted set of privileges determines what you can do with each object:
- </p>
-
- <dl>
- <dlentry id="select_priv">
-
- <dt>
- SELECT privilege
- </dt>
-
- <dd>
- Lets you read data from a table or view, for example with the <codeph>SELECT</codeph> statement, the
- <codeph>INSERT...SELECT</codeph> syntax, or <codeph>CREATE TABLE...LIKE</codeph>. Also required to
- issue the <codeph>DESCRIBE</codeph> statement or the <codeph>EXPLAIN</codeph> statement for a query
- against a particular table. Only objects for which a user has this privilege are shown in the output
- for <codeph>SHOW DATABASES</codeph> and <codeph>SHOW TABLES</codeph> statements. The
- <codeph>REFRESH</codeph> statement and <codeph>INVALIDATE METADATA</codeph> statements only access
- metadata for tables for which the user has this privilege.
- </dd>
-
- </dlentry>
-
- <dlentry id="insert_priv">
-
- <dt>
- INSERT privilege
- </dt>
-
- <dd>
- Lets you write data to a table. Applies to the <codeph>INSERT</codeph> and <codeph>LOAD DATA</codeph>
- statements.
- </dd>
-
- </dlentry>
-
- <dlentry id="all_priv">
-
- <dt>
- ALL privilege
- </dt>
-
- <dd>
- Lets you create or modify the object. Required to run DDL statements such as <codeph>CREATE
- TABLE</codeph>, <codeph>ALTER TABLE</codeph>, or <codeph>DROP TABLE</codeph> for a table,
- <codeph>CREATE DATABASE</codeph> or <codeph>DROP DATABASE</codeph> for a database, or <codeph>CREATE
- VIEW</codeph>, <codeph>ALTER VIEW</codeph>, or <codeph>DROP VIEW</codeph> for a view. Also required for
- the URI of the <q>location</q> parameter for the <codeph>CREATE EXTERNAL TABLE</codeph> and
- <codeph>LOAD DATA</codeph> statements.
-<!-- Have to think about the best wording, how often to repeat, how best to conref this caveat.
- You do not actually code the keyword <codeph>ALL</codeph> in the policy file; instead you use
- <codeph>action=*</codeph> or shorten the right-hand portion of the rule.
- -->
- </dd>
-
- </dlentry>
- </dl>
+ <p conref="../shared/impala_common.xml#common/sentry_privileges_objects"/>
<p>
Privileges can be specified for a table or view before that object actually exists. If you do not have
@@ -145,6 +100,30 @@ under the License.
not.
</p>
+ <note>
+ <p>
+ Although this document refers to the <codeph>ALL</codeph> privilege, currently if you
+ use the policy file mode, you do not use the actual keyword <codeph>ALL</codeph> in
+ the policy file. When you code role entries in the policy file:
+ </p>
+ <ul>
+ <li>
+ To specify the <codeph>ALL</codeph> privilege for a server, use a role like
+ <codeph>server=<varname>server_name</varname></codeph>.
+ </li>
+
+ <li>
+ To specify the <codeph>ALL</codeph> privilege for a database, use a role like
+ <codeph>server=<varname>server_name</varname>->db=<varname>database_name</varname></codeph>.
+ </li>
+
+ <li>
+ To specify the <codeph>ALL</codeph> privilege for a table, use a role like
+ <codeph>server=<varname>server_name</varname>->db=<varname>database_name</varname>->table=<varname>table_name</varname>->action=*</codeph>.
+ </li>
+ </ul>
+ </note>
+
<p>
Originally, privileges were encoded in a policy file, stored in HDFS. This mode of operation is still an
option, but the emphasis of privilege management is moving towards being SQL-based. Although currently
@@ -176,17 +155,21 @@ under the License.
<ul>
<li>
- The <codeph>-server_name</codeph> option turns on Sentry authorization for Impala. The authorization
- rules refer to a symbolic server name, and you specify the name to use as the argument to the
- <codeph>-server_name</codeph> option.
+ <codeph>-server_name</codeph>: Turns on Sentry authorization for Impala. The
+ authorization rules refer to a symbolic server name, and you specify the same name to
+ use as the argument to the <codeph>-server_name</codeph> option for all
+ <cmdname>impalad</cmdname> nodes in the cluster.
+ <p>
+ Starting in Impala 1.4.0 and higher, if you specify just
+ <codeph>-server_name</codeph> without <codeph>-authorization_policy_file</codeph>,
+ Impala uses the Sentry service for authorization.
+ </p>
</li>
- <li rev="1.4.0">
- If you specify just <codeph>-server_name</codeph>, Impala uses the Sentry service for authorization,
- relying on the results of <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements issued through
- Hive. (This mode of operation is available in Impala 1.4.0 and higher.) Prior to Impala 1.4.0, or if you
- want to continue storing privilege rules in the policy file, also specify the
- <codeph>-authorization_policy_file</codeph> option as in the following item.
+ <li>
+ <codeph>-sentry_config</codeph>: Specifies the local path to the
+ <codeph>sentry-site.xml</codeph> configuration file. This setting is required to
+ enable authorization.
</li>
<li>
@@ -218,6 +201,14 @@ under the License.
</codeblock>
<p>
+ The preceding examples set up a symbolic name of <codeph>server1</codeph> to refer to
+ the current instance of Impala. Specify the symbolic name for the
+ <codeph>sentry.hive.server</codeph> property in the <filepath>sentry-site.xml</filepath>
+ configuration file for Hive, as well as in the <codeph>-server_name</codeph> option for
+ <cmdname>impalad</cmdname>.
+ </p>
+
+ <p>
The preceding examples set up a symbolic name of <codeph>server1</codeph> to refer to the current instance
of Impala. This symbolic name is used in the following ways:
</p>
@@ -307,7 +298,44 @@ report_generator = server=server1->db=reporting_db->table=*->action=SEL
to security policies, restart all Impala daemons to pick up the changes immediately.
</p>
- <p outputclass="toc inpage"/>
+ <p>
+ URIs represent the file paths you specify as part of statements such as <codeph>CREATE
+ EXTERNAL TABLE</codeph> and <codeph>LOAD DATA</codeph>. Typically, you specify what look
+ like UNIX paths, but these locations can also be prefixed with <codeph>hdfs://</codeph>
+ to make clear that they are really URIs. To set privileges for a URI, specify the name
+ of a directory, and the privilege applies to all the files in that directory and any
+ directories underneath it.
+ </p>
+
+ <p>
+ URIs must start with <codeph>hdfs://</codeph>, <codeph>s3a://</codeph>,
+ <codeph>adl://</codeph>, or <codeph>file://</codeph>. If a URI starts with an absolute
+ path, the path will be appended to the default filesystem prefix. For example, if you
+ specify:
+<codeblock>
+GRANT ALL ON URI '/tmp';
+</codeblock>
+ The above statement effectively becomes the following where the default filesystem is
+ HDFS.
+<codeblock>
+GRANT ALL ON URI 'hdfs://localhost:20500/tmp';
+</codeblock>
+ </p>
+
+ <p>
+ When defining URIs for HDFS, you must also specify the NameNode. For example:
+<codeblock>GRANT ALL ON URI file:///path/to/dir TO <role>
+GRANT ALL ON URI hdfs://namenode:port/path/to/dir TO <role></codeblock>
+ <note type="warning">
+ <p>
+ Because the NameNode host and port must be specified, it is strongly recommended
+ that you use High Availability (HA). This ensures that the URI will remain constant
+ even if the NameNode changes. For example:
+ </p>
+<codeblock>GRANT ALL ON URI hdfs://ha-nn-uri/path/to/dir TO <role></codeblock>
+ </note>
+ </p>
+
</conbody>
<concept id="security_policy_file_details">
@@ -520,14 +548,15 @@ student = server=server1->db=training->table=lesson_*->action=SELECT
<codeblock></codeblock>
-</example>
-
-<example id="sec_ex_superuser_single_table">
-<title>A User with Full Privileges for a Specific Table</title>
- <p>
- If a user has <codeph>SELECT</codeph> privilege for a table, they can query, describe, or explain queries for
- that table.
- </p>
+ <li>
+ The <codeph>staging_dir</codeph> role can specify the HDFS path
+ <filepath>/user/impala-user/external_data</filepath> with the <codeph>LOAD
+ DATA</codeph> statement. When Impala queries or loads data files, it operates on
+ all the files in that directory, not just a single file, so any Impala
+ <codeph>LOCATION</codeph> parameters refer to a directory rather than an
+ individual file.
+ </li>
+ </ul>
<codeblock></codeblock>
</example>
@@ -564,33 +593,10 @@ student = server=server1->db=training->table=lesson_*->action=SELECT
</li>
<li>
- The <codeph>staging_dir</codeph> role lets us specify the HDFS path
- <filepath>/user/username/external_data</filepath> with the <codeph>LOAD DATA</codeph> statement.
- Remember, when Impala queries or loads data files, it operates on all the files in that directory,
- not just a single file, so any Impala <codeph>LOCATION</codeph> parameters refer to a directory
- rather than an individual file.
- </li>
-
- <li>
- We included the IP address and port of the Hadoop name node in the HDFS URI of the
- <codeph>staging_dir</codeph> rule. We found those details in
- <filepath>/etc/hadoop/conf/core-site.xml</filepath>, under the <codeph>fs.default.name</codeph>
- element. That is what we use in any roles that specify URIs (that is, the locations of directories in
- HDFS).
- </li>
-
- <li>
- We start this example after the table <codeph>external_table.sample</codeph> is already created. In
- the policy file for the example, we have already taken away the <codeph>external_table_admin</codeph>
- role from the <codeph>username</codeph> group, and replaced it with the lesser-privileged
- <codeph>external_table</codeph> role.
- </li>
-
- <li>
- We assign privileges to a subdirectory underneath <filepath>/user/username</filepath> in HDFS,
- because such privileges also apply to any subdirectories underneath. If we had assigned privileges to
- the parent directory <filepath>/user/username</filepath>, it would be too likely to mess up other
- files by specifying a wrong location by mistake.
+ Members of the <codeph>impala_users</codeph> group have the
+ <codeph>instructor</codeph> role and so can create, insert into, and query any
+ tables in the <codeph>training</codeph> database, but cannot create or drop the
+ database itself.
</li>
<li>
@@ -705,15 +711,14 @@ ERROR: AuthorizationException: User 'username' does not have privileges to acces
with sensitive information, then create a view that only exposes the non-confidential columns.
</p>
-<codeblock>[localhost:21000] > create table sensitive_info
- > (
- > name string,
- > address string,
- > credit_card string,
- > taxpayer_id string
- > );
-[localhost:21000] > create view name_address_view as select name, address from sensitive_info;
-</codeblock>
+ <note rev="1.4.0">
+ In <ph rev="upstream">CDH 5</ph> and higher, <ph
+ rev="upstream">Cloudera</ph>
+ recommends managing privileges through SQL statements, as described in
+ <xref
+ href="impala_authorization.xml#sentry_service"/>. If you are still using
+ policy files, plan to migrate to the new approach some time in the future.
+ </note>
<p>
Then the following policy file specifies read-only privilege for that view, without authorizing access
@@ -771,15 +776,28 @@ view_only_privs = server=server1->db=reports->table=name_address_view->
</li>
</ul>
-<codeblock>[groups]
-supergroup = training_sysadmin
-employee = instructor
-visitor = student
-
-[roles]
-training_sysadmin = server=server1->db=training
-instructor = server=server1->db=training->table=*->action=*
-student = server=server1->db=training->table=*->action=SELECT
+ <p>
+ In the <codeph>[roles]</codeph> section, you a set of roles. For each role, you
+ specify precisely the set of privileges is available. That is, which objects users
+ with that role can access, and what operations they can perform on those objects. This
+ is the lowest-level category of security information; the other sections in the policy
+ file map the privileges to higher-level divisions of groups and users. In the
+ <codeph>[groups]</codeph> section, you specify which roles are associated with which
+ groups. The group and usernames correspond to Linux groups and users on the server
+ where the <cmdname>impalad</cmdname> daemon runs. The privileges are specified using
+ patterns like:
+<codeblock>server=<varname>server_name</varname>->db=<varname>database_name</varname>->table=<varname>table_name</varname>->action=SELECT
+server=<varname>server_name</varname>->db=<varname>database_name</varname>->table=t<varname>able_name</varname>->action=CREATE
+server=<varname>server_name</varname>->db=<varname>database_name</varname>->table=<varname>table_name</varname>->action=ALL
+</codeblock>
+ For the <varname>server_name</varname> value, substitute the same symbolic name you
+ specify with the <cmdname>impalad</cmdname> <codeph>-server_name</codeph> option. You
+ can use <codeph>*</codeph> wildcard characters at each level of the privilege
+ specification to allow access to all such objects. For example:
+<codeblock>server=impala-host.example.com->db=default->table=t1->action=SELECT
+server=impala-host.example.com->db=*->table=*->action=CREATE
+server=impala-host.example.com->db=*->table=audit_log->action=SELECT
+server=impala-host.example.com->db=default->table=t1->action=*
</codeblock>
</example>
http://git-wip-us.apache.org/repos/asf/impala/blob/4ff9f5f3/docs/topics/impala_grant.xml
----------------------------------------------------------------------
diff --git a/docs/topics/impala_grant.xml b/docs/topics/impala_grant.xml
index 956a458..bdc71db 100644
--- a/docs/topics/impala_grant.xml
+++ b/docs/topics/impala_grant.xml
@@ -74,7 +74,7 @@ GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>ob
<p> The <codeph>WITH GRANT OPTION</codeph> clause allows members of the
specified role to issue <codeph>GRANT</codeph> and <codeph>REVOKE</codeph>
- statements for those same privileges Hence, if a role has the
+ statements for those same privileges. Hence, if a role has the
<codeph>ALL</codeph> privilege on a database and the <codeph>WITH GRANT
OPTION</codeph> set, users granted that role can execute
<codeph>GRANT</codeph>/<codeph>REVOKE</codeph> statements only for that
@@ -100,114 +100,7 @@ GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>ob
<codeph>URI</codeph> object. Finer-grained privileges mentioned below on
a <codeph>URI</codeph> are not supported.
</p>
-
- <p>
- Starting in <keyword keyref="impala30_full"/>, finer grained privileges
- are enforced as below.<simpletable frame="all" relcolwidth="1* 1* 1*"
- id="simpletable_kmb_ppn_ndb">
- <sthead>
- <stentry>Privilege</stentry>
- <stentry>Scope</stentry>
- <stentry>SQL Allowed to Execute</stentry>
- </sthead>
- <strow>
- <stentry><codeph>REFRESH</codeph></stentry>
- <stentry><codeph>SERVER</codeph></stentry>
- <stentry><codeph>INVALIDATE METADATA</codeph> on all tables in all
- databases<p><codeph>REFRESH</codeph> on all tables and functions
- in all databases</p></stentry>
- </strow>
- <strow>
- <stentry><codeph>REFRESH</codeph></stentry>
- <stentry><codeph>DATABASE</codeph></stentry>
- <stentry><codeph>INVALIDATE METADATA</codeph> on all tables in the
- named database<p><codeph>REFRESH</codeph> on all tables and
- functions in the named database</p></stentry>
- </strow>
- <strow>
- <stentry><codeph>REFRESH</codeph></stentry>
- <stentry><codeph>TABLE</codeph></stentry>
- <stentry><codeph>INVALIDATE METADATA</codeph> on the named
- table<p><codeph>REFRESH</codeph> on the named
- table</p></stentry>
- </strow>
- <strow>
- <stentry><codeph>CREATE</codeph></stentry>
- <stentry><codeph>SERVER</codeph></stentry>
- <stentry><codeph>CREATE DATABASE</codeph> on all
- databases<p><codeph>CREATE TABLE</codeph> on all
- tables</p></stentry>
- </strow>
- <strow>
- <stentry><codeph>CREATE</codeph></stentry>
- <stentry><codeph>DATABASE</codeph></stentry>
- <stentry><codeph>CREATE TABLE</codeph> on all tables in the named
- database</stentry>
- </strow>
- <strow>
- <stentry><codeph>DROP</codeph></stentry>
- <stentry><codeph>SERVER</codeph></stentry>
- <stentry><codeph>DROP DATBASE</codeph> on all databases<p><codeph>DROP
- TABLE</codeph> on all tables</p></stentry>
- </strow>
- <strow>
- <stentry><codeph>DROP</codeph></stentry>
- <stentry><codeph>DATABASE</codeph></stentry>
- <stentry><codeph>DROP DATABASE</codeph> on the named
- database<p><codeph>DROP TABLE</codeph> on all tables in the
- named database</p></stentry>
- </strow>
- <strow>
- <stentry><codeph>DROP</codeph></stentry>
- <stentry><codeph>TABLE</codeph></stentry>
- <stentry><codeph>DROP TABLE</codeph> on the named table</stentry>
- </strow>
- <strow>
- <stentry><codeph>ALTER</codeph></stentry>
- <stentry><codeph>SERVER</codeph></stentry>
- <stentry><codeph>ALTER TABLE</codeph> on all tables</stentry>
- </strow>
- <strow>
- <stentry><codeph>ALTER</codeph></stentry>
- <stentry><codeph>DATABASE</codeph></stentry>
- <stentry><codeph>ALTER TABLE</codeph> on the tables in the named
- database</stentry>
- </strow>
- <strow>
- <stentry><codeph>ALTER</codeph></stentry>
- <stentry><codeph>TABLE</codeph></stentry>
- <stentry><codeph>ALTER TABLE</codeph> on the named table</stentry>
- </strow>
- </simpletable>
- </p>
-
- <p>
- <note>
- <p>
- <ul>
- <li>
- <codeph>ALTER TABLE RENAME</codeph> requires the
- <codeph>ALTER</codeph> privilege at the <codeph>TABLE</codeph>
- level and the <codeph>CREATE</codeph> privilege at the
- <codeph>DATABASE</codeph> level.
- </li>
-
- <li>
- <codeph>CREATE TABLE AS SELECT</codeph> requires the
- <codeph>CREATE</codeph> privilege on the database that should
- contain the new table and the <codeph>SELECT</codeph> privilege on
- the tables referenced in the query portion of the statement.
- </li>
-
- <li>
- <codeph>COMPUTE STATS</codeph> requires the
- <codeph>ALTER</codeph> and <codeph>SELECT</codeph> privileges on
- the target table.
- </li>
- </ul>
- </p>
- </note>
- </p>
+ <p conref="../shared/impala_common.xml#common/sentry_privileges_objects"/>
<p conref="../shared/impala_common.xml#common/compatibility_blurb"/>