Posted to commits@impala.apache.org by jo...@apache.org on 2019/07/18 17:57:22 UTC

[impala] 02/02: IMPALA-8493 IMPALA-8494: [DOCS] GRANT/REVOKE User and Group

This is an automated email from the ASF dual-hosted git repository.

joemcdonnell pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit 6907528089abab78e7f07b3327eb7a9c5268db50
Author: Alex Rodoni <ar...@cloudera.com>
AuthorDate: Sat Jul 13 13:39:51 2019 -1000

    IMPALA-8493 IMPALA-8494: [DOCS] GRANT/REVOKE User and Group
    
    - Only when Ranger is used.
    
    Change-Id: I99165bcffa76b8da983fdbf905df4035f4afafe9
    Reviewed-on: http://gerrit.cloudera.org:8080/13861
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
    Reviewed-by: Austin Nobis <an...@cloudera.com>
    Reviewed-by: Alex Rodoni <ar...@cloudera.com>
---
 docs/topics/impala_grant.xml  | 34 +++++++++++++++++++++++++++-------
 docs/topics/impala_revoke.xml | 30 ++++++++++++++++++++++++++----
 2 files changed, 53 insertions(+), 11 deletions(-)

diff --git a/docs/topics/impala_grant.xml b/docs/topics/impala_grant.xml
index 2540767..669e112 100644
--- a/docs/topics/impala_grant.xml
+++ b/docs/topics/impala_grant.xml
@@ -46,16 +46,20 @@ under the License.
   <conbody>
 
     <p rev="2.0.0">
-      The <codeph>GRANT</codeph> statement grants a privilege on a specified object to a role or
-      grants a role to a group.
+      The <codeph>GRANT</codeph> statement grants a privilege on a specified object to a role,
+      to a user, or to a group. The statement is also used to grant a role to a group.
     </p>
 
     <p conref="../shared/impala_common.xml#common/syntax_blurb"/>
 
+    <p>
+      The following syntax is supported when Impala is using Sentry to manage authorization.
+    </p>
+
 <codeblock rev="2.3.0 collevelauth">GRANT ROLE <varname>role_name</varname> TO GROUP <varname>group_name</varname>
 
 GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname>
-   TO [ROLE] <varname>roleName</varname>
+   TO [ROLE] <varname>role_name</varname>
    [WITH GRANT OPTION]
 
 <ph id="privileges" rev="3.0"><varname>privilege</varname> ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(<varname>column_name</varname>)</ph>
@@ -63,6 +67,18 @@ GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>ob
 </codeblock>
 
     <p>
+      The following syntax is supported when Impala is using Ranger to manage authorization.
+    </p>
+
+<codeblock>GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname>
+   TO USER <varname>user_name</varname>
+GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname>
+   TO GROUP <varname>group_name</varname>
+
+<ph rev="3.0">privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(<varname>column_name</varname>)</ph>
+<ph rev="3.0">object_type ::= SERVER | URI | DATABASE | TABLE</ph></codeblock>
+
+    <p>
       Typically, the <codeph><varname>object_name</varname></codeph> is an identifier. For URIs,
       it is a string literal.
     </p>
@@ -70,9 +86,12 @@ GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>ob
     <p conref="../shared/impala_common.xml#common/privileges_blurb"/>
 
     <p>
-      Only Sentry administrative users, users who belong to the groups defined in
-      <codeph>sentry.service.admin.group</codeph> of the Sentry configuration can grant roles to
-      a group.
+      Only administrative users (initially, a predefined set of users specified in the Sentry
+      service configuration file) can use this statement.
+    </p>
+
+    <p>
+      Only Sentry administrative users can grant roles to a group.
     </p>
 
     <p>
@@ -88,7 +107,8 @@ GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>ob
     <p rev="2.3.0 collevelauth">
       The ability to grant or revoke <codeph>SELECT</codeph> privilege on specific columns is
       available in <keyword keyref="impala23_full"/> and higher. See
-      <xref keyref="sg_hive_sql"/> for details.
+      <xref
+        keyref="sg_hive_sql"/> for details.
     </p>
 
     <p>
diff --git a/docs/topics/impala_revoke.xml b/docs/topics/impala_revoke.xml
index c4f654e..bf6d0f0 100644
--- a/docs/topics/impala_revoke.xml
+++ b/docs/topics/impala_revoke.xml
@@ -47,11 +47,15 @@ under the License.
 
     <p rev="2.0.0">
       The <codeph>REVOKE</codeph> statement revokes roles or privileges on a specified object
-      from groups.
+      from groups, roles, or users.
     </p>
 
     <p conref="../shared/impala_common.xml#common/syntax_blurb"/>
 
+    <p>
+      The following syntax is supported when Impala is using Senty to manage authorization.
+    </p>
+
 <codeblock rev="2.3.0 collevelauth">REVOKE ROLE <varname>role_name</varname> FROM GROUP <varname>group_name</varname>
 
 REVOKE [GRANT OPTION FOR] <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname>
@@ -63,6 +67,21 @@ REVOKE [GRANT OPTION FOR] <varname>privilege</varname> ON <varname>object_type</
 <ph id="priv_objs" rev="3.0"><varname>object_type</varname> ::= SERVER | URI | DATABASE | TABLE</ph></codeblock>
 
     <p>
+      The following syntax is supported when Impala is using Ranger to manage authorization.
+    </p>
+
+<codeblock>REVOKE <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname>
+  FROM USER <varname>user_name</varname>
+
+REVOKE <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname>
+  FROM GROUP <varname>group_name</varname>
+<ph rev="3.0">
+
+  privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(<varname>column_name</varname>)
+</ph>
+<ph rev="3.0">object_type ::= SERVER | URI | DATABASE | TABLE</ph></codeblock>
+
+    <p>
       <b>Usage notes:</b>
     </p>
 
@@ -106,9 +125,12 @@ REVOKE ALL ON SERVER FROM ROLE foo_role;</codeblock>
     <p conref="../shared/impala_common.xml#common/privileges_blurb"/>
 
     <p>
-      Only Sentry administrative users, users who belong to the groups defined in
-      <codeph>sentry.service.admin.group</codeph> of the Sentry configuration can revoke a role
-      from a group.
+      Only administrative users (those with <codeph>ALL</codeph> privileges on the server,
+      defined in the Sentry policy file) can use this statement.
+    </p>
+
+    <p>
+      Only Sentry administrative users can revoke the role from a group.
     </p>
 
     <p conref="../shared/impala_common.xml#common/compatibility_blurb"/>