Posted to user@hive.apache.org by Brett Randall <ja...@gmail.com> on 2014/10/09 14:23:45 UTC

DDL wiki GRANT

Hi,

On https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
, GRANT shows as:

GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_type]
    TO principal_specification [, principal_specification] ...
    [WITH GRANT OPTION]

Should that not be [ON object_type priv_level], same as REVOKE, where:

object_type:
    TABLE
  | DATABASE

priv_level:
    db_name
  | tbl_name

Thanks
Brett

Re: DDL wiki GRANT

Posted by Lefty Leverenz <le...@gmail.com>.
Well done.  Thanks very much.

-- Lefty

On Tue, Oct 14, 2014 at 11:48 PM, Suhas Gogate <vg...@pivotal.io> wrote:

> Done! Thx. That's where Brett's question originated :)
>
> On Tue, Oct 14, 2014 at 8:45 PM, Lefty Leverenz <le...@gmail.com>
> wrote:
>
>> Looks good, except that you forgot to change the GRANT syntax
>> <https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges>
>> -- it still says object_type.
>>
>> -- Lefty
>>
>> On Tue, Oct 14, 2014 at 11:41 PM, Suhas Gogate <vg...@pivotal.io>
>> wrote:
>>
>>> Lefty/Brett,  I did change the wiki.. check if it looks okay.  --Suhas
>>>
>>> On Tue, Oct 14, 2014 at 7:34 PM, Lefty Leverenz <leftyleverenz@gmail.com>
>>> wrote:
>>>
>>>> One question remains:  in object_specification, are the keywords TABLE
>>>> and DATABASE optional?
>>>>
>>>> At least for TABLE I've seen queries in the test suite that omitted it,
>>>> but that was probably for SQL standards based authorization.  So I guess we
>>>> should assume TABLE and DATABASE are required unless someone says otherwise.
>>>>
>>>> -- Lefty
>>>>
>>>> On Tue, Oct 14, 2014 at 4:48 PM, Lefty Leverenz <leftyleverenz@gmail.com>
>>>> wrote:
>>>>
>>>>> +1
>>>>>
>>>>> -- Lefty
>>>>>
>>>>> On Tue, Oct 14, 2014 at 4:37 PM, Brett Randall <ja...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> +1
>>>>>>
>>>>>> On 15 October 2014 07:23, Suhas Gogate <vg...@pivotal.io> wrote:
>>>>>> > Agree w/ Brett.. so may be instead of "object_type", we can use
>>>>>> > "object_specification" (similar to principal specification)?
>>>>>> >
>>>>>> > GRANT
>>>>>> >     priv_type [(column_list)]
>>>>>> >       [, priv_type [(column_list)]] ...
>>>>>> >     [ON object_specification]
>>>>>> >     TO principal_specification [, principal_specification] ...
>>>>>> >     [WITH GRANT OPTION]
>>>>>> >
>>>>>> > REVOKE [GRANT OPTION FOR]
>>>>>> >     priv_type [(column_list)]
>>>>>> >       [, priv_type [(column_list)]] ...
>>>>>> >     [ON object_specification]
>>>>>> >     FROM principal_specification [, principal_specification] ...
>>>>>> >
>>>>>> > REVOKE ALL PRIVILEGES, GRANT OPTION
>>>>>> >     FROM user [, user] ...
>>>>>> >
>>>>>> > priv_type:
>>>>>> >     ALL | ALTER | UPDATE | CREATE | DROP
>>>>>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
>>>>>> >
>>>>>> > object_specification:
>>>>>> >     TABLE tbl_name |
>>>>>> >     DATABASE db_name
>>>>>> >
>>>>>> > principal_specification:
>>>>>> >     USER user
>>>>>> >   | GROUP group
>>>>>> >   | ROLE role
>>>>>> >
>>>>>> >
>>>>>> > On Tue, Oct 14, 2014 at 11:06 AM, Lefty Leverenz <leftyleverenz@gmail.com>
>>>>>> > wrote:
>>>>>> >>
>>>>>> >> I'll correct it as soon as we reach consensus.  (Perhaps Thejas will
>>>>>> >> chime in.)
>>>>>> >>
>>>>>> >> If you want to do it yourself, you can get wiki edit privilege quite
>>>>>> >> easily.
>>>>>> >>
>>>>>> >> -- Lefty
>>>>>> >>
>>>>>> >> On Tue, Oct 14, 2014 at 7:57 AM, Brett Randall <javabrett@gmail.com>
>>>>>> >> wrote:
>>>>>> >>>
>>>>>> >>> I agree that the use of priv_level is confusing when it is actually
>>>>>> >>> referring to object_name (of type TABLE or DATABASE).  I don't mind
>>>>>> >>> the rolling-up of tbl_name or db_name into object_type, although it
>>>>>> >>> then makes object_type: somewhat misleading.  "[ON object_type
>>>>>> >>> object_name]" reads well for me.
>>>>>> >>>
>>>>>> >>> Anything to correct the incorrect syntax on the wiki page (it is not
>>>>>> >>> open for edits).
>>>>>> >>>
>>>>>> >>> Thanks
>>>>>> >>> Brett
>>>>>> >>>
>>>>>> >>> On 13 October 2014 18:18, Suhas Gogate <vg...@pivotal.io> wrote:
>>>>>> >>> > Hmm.. looking at the syntax priv_level does not seem to be a keyword
>>>>>> >>> > but
>>>>>> >>> > rather actual name of a table or database.. so why it appears like a
>>>>>> >>> > keyword
>>>>>> >>> > Also priv_level is confusing and rather clear syntax would should look
>>>>>> >>> > like
>>>>>> >>> > below...
>>>>>> >>> >
>>>>>> >>> > Again answer to original question from Brett, yes GRANT syntax should
>>>>>> >>> > be
>>>>>> >>> > similar to REVOKE but rather priv_level should be removed from REVOKE
>>>>>> >>> > as
>>>>>> >>> > well.. :)
>>>>>> >>> >
>>>>>> >>> > GRANT
>>>>>> >>> >     priv_type [(column_list)]
>>>>>> >>> >       [, priv_type [(column_list)]] ...
>>>>>> >>> >     [ON object_type]
>>>>>> >>> >     TO principal_specification [, principal_specification] ...
>>>>>> >>> >     [WITH GRANT OPTION]
>>>>>> >>> >
>>>>>> >>> > REVOKE [GRANT OPTION FOR]
>>>>>> >>> >     priv_type [(column_list)]
>>>>>> >>> >       [, priv_type [(column_list)]] ...
>>>>>> >>> >     [ON object_type]
>>>>>> >>> >     FROM principal_specification [, principal_specification] ...
>>>>>> >>> >
>>>>>> >>> > REVOKE ALL PRIVILEGES, GRANT OPTION
>>>>>> >>> >     FROM user [, user] ...
>>>>>> >>> >
>>>>>> >>> > priv_type:
>>>>>> >>> >     ALL | ALTER | UPDATE | CREATE | DROP
>>>>>> >>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
>>>>>> >>> >
>>>>>> >>> > object_type:
>>>>>> >>> >     TABLE tbl_name
>>>>>> >>> >   | DATABASE db_name
>>>>>> >>> >
>>>>>> >>> > principal_specification:
>>>>>> >>> >     USER user
>>>>>> >>> >   | GROUP group
>>>>>> >>> >   | ROLE role
>>>>>> >>> >
>>>>>> >>> >
>>>>>> >>> > On Sat, Oct 11, 2014 at 7:55 PM, Lefty Leverenz
>>>>>> >>> > <le...@gmail.com>
>>>>>> >>> > wrote:
>>>>>> >>> >>
>>>>>> >>> >> Good catch, Brett.  Can we have confirmation from an expert?
>>>>>> >>> >>
>>>>>> >>> >> Also, is object_type optional?
>>>>>> >>> >>
>>>>>> >>> >> It isn't clear to me why priv_level isn't called object_name.
>>>>>> >>> >>
>>>>>> >>> >> -- Lefty
>>>>>> >>> >>
>>>>>> >>> >> On Thu, Oct 9, 2014 at 8:23 AM, Brett Randall <javabrett@gmail.com>
>>>>>> >>> >> wrote:
>>>>>> >>> >>>
>>>>>> >>> >>> Hi,
>>>>>> >>> >>>
>>>>>> >>> >>> On
>>>>>> >>> >>> https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
>>>>>> >>> >>> , GRANT shows as:
>>>>>> >>> >>>
>>>>>> >>> >>> GRANT
>>>>>> >>> >>>     priv_type [(column_list)]
>>>>>> >>> >>>       [, priv_type [(column_list)]] ...
>>>>>> >>> >>>     [ON object_type]
>>>>>> >>> >>>     TO principal_specification [, principal_specification] ...
>>>>>> >>> >>>     [WITH GRANT OPTION]
>>>>>> >>> >>>
>>>>>> >>> >>> Should that not be [ON object_type priv_level], same as REVOKE,
>>>>>> >>> >>> where:
>>>>>> >>> >>>
>>>>>> >>> >>> object_type:
>>>>>> >>> >>>     TABLE
>>>>>> >>> >>>   | DATABASE
>>>>>> >>> >>>
>>>>>> >>> >>> priv_level:
>>>>>> >>> >>>     db_name
>>>>>> >>> >>>   | tbl_name
>>>>>> >>> >>>
>>>>>> >>> >>> Thanks
>>>>>> >>> >>> Brett
>
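
The GRANT/REVOKE grammar the thread converged on (the object_specification form), written as a small validating parser; this is an added example, not code from any of the posts or from Hive. It assumes unquoted identifiers and, following the working assumption stated in the thread, that the TABLE and DATABASE keywords are required; parse_statement, is_valid and GrantSyntaxError are hypothetical names, and the separate "REVOKE ALL PRIVILEGES, GRANT OPTION" form is not covered.

```python
import re

# Keyword sets copied from the grammar quoted in the thread.
PRIV_TYPES = {"ALL", "ALTER", "UPDATE", "CREATE", "DROP",
              "INDEX", "LOCK", "SELECT", "SHOW_DATABASE"}
OBJECT_KEYWORDS = {"TABLE", "DATABASE"}
PRINCIPAL_KEYWORDS = {"USER", "GROUP", "ROLE"}
# Assumption of this sketch: clause keywords are never accepted as bare names.
RESERVED = {"ON", "TO", "FROM", "WITH"}
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*|[(),]")

class GrantSyntaxError(ValueError):
    """Statement does not match the GRANT/REVOKE grammar from the thread."""

def tokenize(sql):
    sql = sql.strip().rstrip(";")   # unquoted identifiers only (simplification)
    tokens = TOKEN_RE.findall(sql)
    # Anything the token pattern skipped (digits first, quotes, ...) is an error.
    if "".join(tokens) != re.sub(r"\s+", "", sql):
        raise GrantSyntaxError("characters outside the grammar")
    return tokens

class _Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i].upper() if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise GrantSyntaxError("unexpected end of statement")
        self.i += 1
        return self.toks[self.i - 1]

    def expect(self, *words):
        for word in words:
            got = self.take()
            if got.upper() != word:
                raise GrantSyntaxError(f"expected {word}, got {got!r}")

    def name(self, what):
        tok = self.take()
        if tok in ("(", ")", ",") or tok.upper() in RESERVED:
            raise GrantSyntaxError(f"expected {what}, got {tok!r}")
        return tok

    def comma_list(self, item):
        out = [item()]
        while self.peek() == ",":
            self.take()
            out.append(item())
        return out

    def keyword_name(self, keywords, what):
        # TABLE tbl_name, USER user, ...: the keyword and the name together.
        kind = self.take().upper()
        if kind not in keywords:
            raise GrantSyntaxError(f"expected {sorted(keywords)}, got {kind!r}")
        return kind, self.name(what)

    def privilege(self):
        priv = self.take().upper()
        if priv not in PRIV_TYPES:
            raise GrantSyntaxError(f"unknown priv_type {priv!r}")
        cols = []
        if self.peek() == "(":               # optional (column_list)
            self.take()
            cols = self.comma_list(lambda: self.name("column name"))
            self.expect(")")
        return priv, cols

def parse_statement(sql):
    p = _Parser(tokenize(sql))
    action = p.take().upper()
    if action not in ("GRANT", "REVOKE"):
        raise GrantSyntaxError(f"expected GRANT or REVOKE, got {action!r}")
    grant_option = action == "REVOKE" and p.peek() == "GRANT"
    if grant_option:                         # REVOKE [GRANT OPTION FOR]
        p.expect("GRANT", "OPTION", "FOR")
    privileges = p.comma_list(p.privilege)
    obj = None
    if p.peek() == "ON":                     # [ON object_specification]
        p.take()
        obj = p.keyword_name(OBJECT_KEYWORDS, "object name")
    p.expect("TO" if action == "GRANT" else "FROM")
    principals = p.comma_list(lambda: p.keyword_name(PRINCIPAL_KEYWORDS, "principal"))
    if action == "GRANT" and p.peek() == "WITH":
        p.expect("WITH", "GRANT", "OPTION")
        grant_option = True
    if p.peek() is not None:
        raise GrantSyntaxError(f"unexpected trailing token {p.take()!r}")
    return {"action": action, "privileges": privileges, "object": obj,
            "principals": principals, "grant_option": grant_option}

def is_valid(sql):
    try:
        parse_statement(sql)
        return True
    except GrantSyntaxError:
        return False
```

Under this grammar `GRANT SELECT ON TABLE TO USER bob` (keyword with no name, the literal reading of the old `[ON object_type]` wording) and `GRANT SELECT ON sales TO USER bob` (name with no keyword) are both rejected.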

Re: DDL wiki GRANT

Posted by Suhas Gogate <vg...@pivotal.io>.
Done! Thx. That's where Brett's question originated :)

On Tue, Oct 14, 2014 at 8:45 PM, Lefty Leverenz <le...@gmail.com>
wrote:

> Looks good, except that you forgot to change the GRANT syntax
> <https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges>
> -- it still says object_type.
>
> -- Lefty

Re: DDL wiki GRANT

Posted by Lefty Leverenz <le...@gmail.com>.
Looks good, except that you forgot to change the GRANT syntax
<https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges>
-- it still says object_type.

-- Lefty

On Tue, Oct 14, 2014 at 11:41 PM, Suhas Gogate <vg...@pivotal.io> wrote:

> Lefty/Brett,  I did change the wiki.. check if it looks okay.  --Suhas

Re: DDL wiki GRANT

Posted by Suhas Gogate <vg...@pivotal.io>.
Lefty/Brett,  I did change the wiki.. check if it looks okay.  --Suhas

On Tue, Oct 14, 2014 at 7:34 PM, Lefty Leverenz <le...@gmail.com>
wrote:

> One question remains:  in object_specification, are the keywords TABLE and
> DATABASE optional?
>
> At least for TABLE I've seen queries in the test suite that omitted it,
> but that was probably for SQL standards based authorization.  So I guess we
> should assume TABLE and DATABASE are required unless someone says otherwise.
>
> -- Lefty

Re: DDL wiki GRANT

Posted by Lefty Leverenz <le...@gmail.com>.
One question remains:  in object_specification, are the keywords TABLE and
DATABASE optional?

At least for TABLE I've seen queries in the test suite that omitted it, but
that was probably for SQL standards based authorization.  So I guess we
should assume TABLE and DATABASE are required unless someone says otherwise.

-- Lefty

On Tue, Oct 14, 2014 at 4:48 PM, Lefty Leverenz <le...@gmail.com>
wrote:

> +1
>
> -- Lefty

Re: DDL wiki GRANT

Posted by Lefty Leverenz <le...@gmail.com>.
+1

-- Lefty

On Tue, Oct 14, 2014 at 4:37 PM, Brett Randall <ja...@gmail.com> wrote:

> +1
>
> On 15 October 2014 07:23, Suhas Gogate <vg...@pivotal.io> wrote:
> > Agree w/ Brett.. so may be instead of "object_type", we can use
> > "object_specification" (similar to principal specification)?
> >
> > GRANT
> >     priv_type [(column_list)]
> >       [, priv_type [(column_list)]] ...
> >     [ON object_specification]
> >     TO principal_specification [, principal_specification] ...
> >     [WITH GRANT OPTION]
> >
> > REVOKE [GRANT OPTION FOR]
> >     priv_type [(column_list)]
> >       [, priv_type [(column_list)]] ...
> >     [ON object_specification]
> >     FROM principal_specification [, principal_specification] ...
> >
> > REVOKE ALL PRIVILEGES, GRANT OPTION
> >     FROM user [, user] ...
> >
> > priv_type:
> >     ALL | ALTER | UPDATE | CREATE | DROP
> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
> >
> > object_specification:
> >     TABLE tbl_name |
> >     DATABASE db_name
> >
> > principal_specification:
> >     USER user
> >   | GROUP group
> >   | ROLE role
> >
> >
> > On Tue, Oct 14, 2014 at 11:06 AM, Lefty Leverenz <leftyleverenz@gmail.com>
> > wrote:
> >>
> >> I'll correct it as soon as we reach consensus.  (Perhaps Thejas will chime
> >> in.)
> >>
> >> If you want to do it yourself, you can get wiki edit privilege quite
> >> easily.
> >>
> >> -- Lefty
> >>
> >> On Tue, Oct 14, 2014 at 7:57 AM, Brett Randall <ja...@gmail.com>
> >> wrote:
> >>>
> >>> I agree that the use of priv_level is confusing when it is actually
> >>> referring to object_name (of type TABLE or DATABASE).  I don't mind
> >>> the rolling-up of tbl_name or db_name into object_type, although it
> >>> then makes object_type: somewhat misleading.  "[ON object_type
> >>> object_name]" reads well for me.
> >>>
> >>> Anything to correct the incorrect syntax on the wiki page (it is not
> >>> open for edits).
> >>>
> >>> Thanks
> >>> Brett
> >>>
> >>> On 13 October 2014 18:18, Suhas Gogate <vg...@pivotal.io> wrote:
> >>> > Hmm.. looking at the syntax priv_level does not seem to be a keyword but
> >>> > rather the actual name of a table or database.. so why does it appear like a
> >>> > keyword? Also, priv_level is confusing and rather clear syntax should look
> >>> > like below...
> >>> >
> >>> > Again answer to original question from Brett, yes GRANT syntax should be
> >>> > similar to REVOKE but rather priv_level should be removed from REVOKE as
> >>> > well.. :)
> >>> >
> >>> > GRANT
> >>> >     priv_type [(column_list)]
> >>> >       [, priv_type [(column_list)]] ...
> >>> >     [ON object_type]
> >>> >     TO principal_specification [, principal_specification] ...
> >>> >     [WITH GRANT OPTION]
> >>> >
> >>> > REVOKE [GRANT OPTION FOR]
> >>> >     priv_type [(column_list)]
> >>> >       [, priv_type [(column_list)]] ...
> >>> >     [ON object_type]
> >>> >     FROM principal_specification [, principal_specification] ...
> >>> >
> >>> > REVOKE ALL PRIVILEGES, GRANT OPTION
> >>> >     FROM user [, user] ...
> >>> >
> >>> > priv_type:
> >>> >     ALL | ALTER | UPDATE | CREATE | DROP
> >>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
> >>> >
> >>> > object_type:
> >>> >     TABLE tbl_name
> >>> >   | DATABASE db_name
> >>> >
> >>> > principal_specification:
> >>> >     USER user
> >>> >   | GROUP group
> >>> >   | ROLE role
> >>> >
> >>> >
> >>> > On Sat, Oct 11, 2014 at 7:55 PM, Lefty Leverenz
> >>> > <le...@gmail.com>
> >>> > wrote:
> >>> >>
> >>> >> Good catch, Brett.  Can we have confirmation from an expert?
> >>> >>
> >>> >> Also, is object_type optional?
> >>> >>
> >>> >> It isn't clear to me why priv_level isn't called object_name.
> >>> >>
> >>> >> -- Lefty
> >>> >>
> >>> >> On Thu, Oct 9, 2014 at 8:23 AM, Brett Randall <ja...@gmail.com>
> >>> >> wrote:
> >>> >>>
> >>> >>> Hi,
> >>> >>>
> >>> >>> On
> >>> >>> https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
> >>> >>> , GRANT shows as:
> >>> >>>
> >>> >>> GRANT
> >>> >>>     priv_type [(column_list)]
> >>> >>>       [, priv_type [(column_list)]] ...
> >>> >>>     [ON object_type]
> >>> >>>     TO principal_specification [, principal_specification] ...
> >>> >>>     [WITH GRANT OPTION]
> >>> >>>
> >>> >>> Should that not be [ON object_type priv_level], same as REVOKE,
> >>> >>> where:
> >>> >>>
> >>> >>> object_type:
> >>> >>>     TABLE
> >>> >>>   | DATABASE
> >>> >>>
> >>> >>> priv_level:
> >>> >>>     db_name
> >>> >>>   | tbl_name
> >>> >>>
> >>> >>> Thanks
> >>> >>> Brett
> >>> >>
> >>> >>
> >>> >
> >>
> >>
> >
>

Re: DDL wiki GRANT

Posted by Brett Randall <ja...@gmail.com>.
+1

On 15 October 2014 07:23, Suhas Gogate <vg...@pivotal.io> wrote:
> Agree w/ Brett.. so maybe instead of "object_type", we can use
> "object_specification" (similar to principal specification)?
>
> GRANT
>     priv_type [(column_list)]
>       [, priv_type [(column_list)]] ...
>     [ON object_specification]
>     TO principal_specification [, principal_specification] ...
>     [WITH GRANT OPTION]
>
> REVOKE [GRANT OPTION FOR]
>     priv_type [(column_list)]
>       [, priv_type [(column_list)]] ...
>     [ON object_specification]
>     FROM principal_specification [, principal_specification] ...
>
> REVOKE ALL PRIVILEGES, GRANT OPTION
>     FROM user [, user] ...
>
> priv_type:
>     ALL | ALTER | UPDATE | CREATE | DROP
>   | INDEX | LOCK | SELECT | SHOW_DATABASE
>
> object_specification:
>     TABLE tbl_name |
>     DATABASE db_name
>
> principal_specification:
>     USER user
>   | GROUP group
>   | ROLE role
>
>
> On Tue, Oct 14, 2014 at 11:06 AM, Lefty Leverenz <le...@gmail.com>
> wrote:
>>
>> I'll correct it as soon as we reach consensus.  (Perhaps Thejas will chime
>> in.)
>>
>> If you want to do it yourself, you can get wiki edit privilege quite
>> easily.
>>
>> -- Lefty
>>
>> On Tue, Oct 14, 2014 at 7:57 AM, Brett Randall <ja...@gmail.com>
>> wrote:
>>>
>>> I agree that the use of priv_level is confusing when it is actually
>>> referring to object_name (of type TABLE or DATABASE).  I don't mind
>>> the rolling-up of tbl_name or db_name into object_type, although it
>>> then makes object_type: somewhat misleading.  "[ON object_type
>>> object_name]" reads well for me.
>>>
>>> Anything to correct the incorrect syntax on the wiki page (it is not
>>> open for edits).
>>>
>>> Thanks
>>> Brett
>>>
>>> On 13 October 2014 18:18, Suhas Gogate <vg...@pivotal.io> wrote:
>>> > Hmm.. looking at the syntax priv_level does not seem to be a keyword but
>>> > rather the actual name of a table or database.. so why does it appear like a
>>> > keyword? Also, priv_level is confusing and rather clear syntax should look
>>> > like below...
>>> >
>>> > Again answer to original question from Brett, yes GRANT syntax should be
>>> > similar to REVOKE but rather priv_level should be removed from REVOKE as
>>> > well.. :)
>>> >
>>> > GRANT
>>> >     priv_type [(column_list)]
>>> >       [, priv_type [(column_list)]] ...
>>> >     [ON object_type]
>>> >     TO principal_specification [, principal_specification] ...
>>> >     [WITH GRANT OPTION]
>>> >
>>> > REVOKE [GRANT OPTION FOR]
>>> >     priv_type [(column_list)]
>>> >       [, priv_type [(column_list)]] ...
>>> >     [ON object_type]
>>> >     FROM principal_specification [, principal_specification] ...
>>> >
>>> > REVOKE ALL PRIVILEGES, GRANT OPTION
>>> >     FROM user [, user] ...
>>> >
>>> > priv_type:
>>> >     ALL | ALTER | UPDATE | CREATE | DROP
>>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
>>> >
>>> > object_type:
>>> >     TABLE tbl_name
>>> >   | DATABASE db_name
>>> >
>>> > principal_specification:
>>> >     USER user
>>> >   | GROUP group
>>> >   | ROLE role
>>> >
>>> >
>>> > On Sat, Oct 11, 2014 at 7:55 PM, Lefty Leverenz
>>> > <le...@gmail.com>
>>> > wrote:
>>> >>
>>> >> Good catch, Brett.  Can we have confirmation from an expert?
>>> >>
>>> >> Also, is object_type optional?
>>> >>
>>> >> It isn't clear to me why priv_level isn't called object_name.
>>> >>
>>> >> -- Lefty
>>> >>
>>> >> On Thu, Oct 9, 2014 at 8:23 AM, Brett Randall <ja...@gmail.com>
>>> >> wrote:
>>> >>>
>>> >>> Hi,
>>> >>>
>>> >>> On
>>> >>>
>>> >>> https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
>>> >>> , GRANT shows as:
>>> >>>
>>> >>> GRANT
>>> >>>     priv_type [(column_list)]
>>> >>>       [, priv_type [(column_list)]] ...
>>> >>>     [ON object_type]
>>> >>>     TO principal_specification [, principal_specification] ...
>>> >>>     [WITH GRANT OPTION]
>>> >>>
>>> >>> Should that not be [ON object_type priv_level], same as REVOKE,
>>> >>> where:
>>> >>>
>>> >>> object_type:
>>> >>>     TABLE
>>> >>>   | DATABASE
>>> >>>
>>> >>> priv_level:
>>> >>>     db_name
>>> >>>   | tbl_name
>>> >>>
>>> >>> Thanks
>>> >>> Brett
>>> >>
>>> >>
>>> >
>>
>>
>

Re: DDL wiki GRANT

Posted by Suhas Gogate <vg...@pivotal.io>.
Agree w/ Brett.. so maybe instead of "object_type", we can use
"object_specification" (similar to principal specification)?

GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_specification]
    TO principal_specification [, principal_specification] ...
    [WITH GRANT OPTION]

REVOKE [GRANT OPTION FOR]
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_specification]
    FROM principal_specification [, principal_specification] ...

REVOKE ALL PRIVILEGES, GRANT OPTION
    FROM user [, user] ...

priv_type:
    ALL | ALTER | UPDATE | CREATE | DROP
  | INDEX | LOCK | SELECT | SHOW_DATABASE

object_specification:
    TABLE tbl_name |
    DATABASE db_name

principal_specification:
    USER user
  | GROUP group
  | ROLE role


On Tue, Oct 14, 2014 at 11:06 AM, Lefty Leverenz <le...@gmail.com>
wrote:

> I'll correct it as soon as we reach consensus.  (Perhaps Thejas will chime
> in.)
>
> If you want to do it yourself, you can get wiki edit privilege
> <https://cwiki.apache.org/confluence/display/Hive/AboutThisWiki#AboutThisWiki-Howtogetpermissiontoedit> quite
> easily.
>
> -- Lefty
>
> On Tue, Oct 14, 2014 at 7:57 AM, Brett Randall <ja...@gmail.com>
> wrote:
>
>> I agree that the use of priv_level is confusing when it is actually
>> referring to object_name (of type TABLE or DATABASE).  I don't mind
>> the rolling-up of tbl_name or db_name into object_type, although it
>> then makes object_type: somewhat misleading.  "[ON object_type
>> object_name]" reads well for me.
>>
>> Anything to correct the incorrect syntax on the wiki page (it is not
>> open for edits).
>>
>> Thanks
>> Brett
>>
>> On 13 October 2014 18:18, Suhas Gogate <vg...@pivotal.io> wrote:
>> > Hmm.. looking at the syntax priv_level does not seem to be a keyword but
>> > rather the actual name of a table or database.. so why does it appear like a
>> > keyword? Also, priv_level is confusing and rather clear syntax should look
>> > like below...
>> >
>> > Again answer to original question from Brett, yes GRANT syntax should be
>> > similar to REVOKE but rather priv_level should be removed from REVOKE as
>> > well.. :)
>> >
>> > GRANT
>> >     priv_type [(column_list)]
>> >       [, priv_type [(column_list)]] ...
>> >     [ON object_type]
>> >     TO principal_specification [, principal_specification] ...
>> >     [WITH GRANT OPTION]
>> >
>> > REVOKE [GRANT OPTION FOR]
>> >     priv_type [(column_list)]
>> >       [, priv_type [(column_list)]] ...
>> >     [ON object_type]
>> >     FROM principal_specification [, principal_specification] ...
>> >
>> > REVOKE ALL PRIVILEGES, GRANT OPTION
>> >     FROM user [, user] ...
>> >
>> > priv_type:
>> >     ALL | ALTER | UPDATE | CREATE | DROP
>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
>> >
>> > object_type:
>> >     TABLE tbl_name
>> >   | DATABASE db_name
>> >
>> > principal_specification:
>> >     USER user
>> >   | GROUP group
>> >   | ROLE role
>> >
>> >
>> > On Sat, Oct 11, 2014 at 7:55 PM, Lefty Leverenz <leftyleverenz@gmail.com>
>> > wrote:
>> >>
>> >> Good catch, Brett.  Can we have confirmation from an expert?
>> >>
>> >> Also, is object_type optional?
>> >>
>> >> It isn't clear to me why priv_level isn't called object_name.
>> >>
>> >> -- Lefty
>> >>
>> >> On Thu, Oct 9, 2014 at 8:23 AM, Brett Randall <ja...@gmail.com>
>> >> wrote:
>> >>>
>> >>> Hi,
>> >>>
>> >>> On
>> >>> https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
>> >>> , GRANT shows as:
>> >>>
>> >>> GRANT
>> >>>     priv_type [(column_list)]
>> >>>       [, priv_type [(column_list)]] ...
>> >>>     [ON object_type]
>> >>>     TO principal_specification [, principal_specification] ...
>> >>>     [WITH GRANT OPTION]
>> >>>
>> >>> Should that not be [ON object_type priv_level], same as REVOKE, where:
>> >>>
>> >>> object_type:
>> >>>     TABLE
>> >>>   | DATABASE
>> >>>
>> >>> priv_level:
>> >>>     db_name
>> >>>   | tbl_name
>> >>>
>> >>> Thanks
>> >>> Brett
>> >>
>> >>
>> >
>>
>
>
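
Added example (not part of the thread, and not Hive's own parser): a small Python checker for the GRANT/REVOKE grammar as proposed in the message above, showing that a bare `ON TABLE` with no name is rejected once the name is part of object_specification. The class and function names are assumptions made for this example, and the REVOKE ALL PRIVILEGES, GRANT OPTION form is not covered.

```python
import re

PRIV_TYPES = {"ALL", "ALTER", "UPDATE", "CREATE", "DROP",
              "INDEX", "LOCK", "SELECT", "SHOW_DATABASE"}
OBJECT_KINDS = {"TABLE", "DATABASE"}
PRINCIPAL_KINDS = {"USER", "GROUP", "ROLE"}
KEYWORDS = PRIV_TYPES | OBJECT_KINDS | PRINCIPAL_KINDS | {
    "GRANT", "REVOKE", "ON", "TO", "FROM", "WITH", "OPTION", "FOR"}

class Parser:
    def __init__(self, text):
        # Stray characters become their own token so they are rejected, not dropped.
        self.toks = re.findall(r"[A-Za-z_][\w.]*|[(),]|\S", text.rstrip("; \n"))
        self.pos = 0

    def peek(self):
        return self.toks[self.pos].upper() if self.pos < len(self.toks) else None

    def take(self, *expected):
        if self.peek() not in expected:
            raise ValueError(f"expected {' or '.join(expected)}, got {self.peek()!r}")
        self.pos += 1
        return self.toks[self.pos - 1]

    def name(self, what):
        tok = self.peek()
        if tok is None or tok in KEYWORDS or not re.fullmatch(r"[A-Z_][A-Z0-9_.]*", tok):
            raise ValueError(f"expected {what}, got {tok!r}")
        return self.take(tok)

    def comma_list(self, item):
        items = [item()]
        while self.peek() == ",":
            self.take(",")
            items.append(item())
        return items

def parse(stmt):
    """Parse one GRANT/REVOKE statement into a dict, or raise ValueError."""
    p = Parser(stmt)
    action = p.take("GRANT", "REVOKE").upper()
    grant_option = action == "REVOKE" and p.peek() == "GRANT"
    if grant_option:                                 # REVOKE GRANT OPTION FOR ...
        for kw in ("GRANT", "OPTION", "FOR"):
            p.take(kw)
    def privilege():                                 # priv_type [(column_list)]
        priv, cols = p.take(*sorted(PRIV_TYPES)).upper(), []
        if p.peek() == "(":
            p.take("(")
            cols = p.comma_list(lambda: p.name("column name"))
            p.take(")")
        return priv, cols
    def principal():                                 # USER | GROUP | ROLE name
        return p.take(*sorted(PRINCIPAL_KINDS)).upper(), p.name("principal name")
    privileges, obj = p.comma_list(privilege), None
    if p.peek() == "ON":                             # [ON object_specification]
        p.take("ON")
        kind = p.take(*sorted(OBJECT_KINDS)).upper()
        obj = (kind, p.name("tbl_name" if kind == "TABLE" else "db_name"))
    p.take("TO" if action == "GRANT" else "FROM")
    principals = p.comma_list(principal)
    if action == "GRANT" and p.peek() == "WITH":
        for kw in ("WITH", "GRANT", "OPTION"):
            p.take(kw)
        grant_option = True
    if p.peek() is not None:
        raise ValueError(f"unexpected trailing token {p.peek()!r}")
    return {"action": action, "grant_option": grant_option,
            "privileges": privileges, "object": obj, "principals": principals}
```

Running each statement of a grants script through `parse` gives a privilege/object/principal listing that can be reviewed or diffed, and any statement that does not fit the grammar raises `ValueError`.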

Re: DDL wiki GRANT

Posted by Lefty Leverenz <le...@gmail.com>.
I'll correct it as soon as we reach consensus.  (Perhaps Thejas will chime
in.)

If you want to do it yourself, you can get wiki edit privilege
<https://cwiki.apache.org/confluence/display/Hive/AboutThisWiki#AboutThisWiki-Howtogetpermissiontoedit>
quite easily.

-- Lefty

On Tue, Oct 14, 2014 at 7:57 AM, Brett Randall <ja...@gmail.com> wrote:

> I agree that the use of priv_level is confusing when it is actually
> referring to object_name (of type TABLE or DATABASE).  I don't mind
> the rolling-up of tbl_name or db_name into object_type, although it
> then makes object_type: somewhat misleading.  "[ON object_type
> object_name]" reads well for me.
>
> Anything to correct the incorrect syntax on the wiki page (it is not
> open for edits).
>
> Thanks
> Brett
>
> On 13 October 2014 18:18, Suhas Gogate <vg...@pivotal.io> wrote:
> > Hmm.. looking at the syntax priv_level does not seem to be a keyword but
> > rather the actual name of a table or database.. so why does it appear like a
> > keyword? Also, priv_level is confusing and rather clear syntax should look
> > like below...
> >
> > Again answer to original question from Brett, yes GRANT syntax should be
> > similar to REVOKE but rather priv_level should be removed from REVOKE as
> > well.. :)
> >
> > GRANT
> >     priv_type [(column_list)]
> >       [, priv_type [(column_list)]] ...
> >     [ON object_type]
> >     TO principal_specification [, principal_specification] ...
> >     [WITH GRANT OPTION]
> >
> > REVOKE [GRANT OPTION FOR]
> >     priv_type [(column_list)]
> >       [, priv_type [(column_list)]] ...
> >     [ON object_type]
> >     FROM principal_specification [, principal_specification] ...
> >
> > REVOKE ALL PRIVILEGES, GRANT OPTION
> >     FROM user [, user] ...
> >
> > priv_type:
> >     ALL | ALTER | UPDATE | CREATE | DROP
> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
> >
> > object_type:
> >     TABLE tbl_name
> >   | DATABASE db_name
> >
> > principal_specification:
> >     USER user
> >   | GROUP group
> >   | ROLE role
> >
> >
> > On Sat, Oct 11, 2014 at 7:55 PM, Lefty Leverenz <leftyleverenz@gmail.com>
> > wrote:
> >>
> >> Good catch, Brett.  Can we have confirmation from an expert?
> >>
> >> Also, is object_type optional?
> >>
> >> It isn't clear to me why priv_level isn't called object_name.
> >>
> >> -- Lefty
> >>
> >> On Thu, Oct 9, 2014 at 8:23 AM, Brett Randall <ja...@gmail.com>
> >> wrote:
> >>>
> >>> Hi,
> >>>
> >>> On
> >>> https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
> >>> , GRANT shows as:
> >>>
> >>> GRANT
> >>>     priv_type [(column_list)]
> >>>       [, priv_type [(column_list)]] ...
> >>>     [ON object_type]
> >>>     TO principal_specification [, principal_specification] ...
> >>>     [WITH GRANT OPTION]
> >>>
> >>> Should that not be [ON object_type priv_level], same as REVOKE, where:
> >>>
> >>> object_type:
> >>>     TABLE
> >>>   | DATABASE
> >>>
> >>> priv_level:
> >>>     db_name
> >>>   | tbl_name
> >>>
> >>> Thanks
> >>> Brett
> >>
> >>
> >
>

Re: DDL wiki GRANT

Posted by Brett Randall <ja...@gmail.com>.
I agree that the use of priv_level is confusing when it is actually
referring to object_name (of type TABLE or DATABASE).  I don't mind
the rolling-up of tbl_name or db_name into object_type, although it
then makes object_type: somewhat misleading.  "[ON object_type
object_name]" reads well for me.

Anything to correct the incorrect syntax on the wiki page (it is not
open for edits).

Thanks
Brett

On 13 October 2014 18:18, Suhas Gogate <vg...@pivotal.io> wrote:
> Hmm.. looking at the syntax priv_level does not seem to be a keyword but
> rather the actual name of a table or database.. so why does it appear like a
> keyword? Also, priv_level is confusing and rather clear syntax should look
> like below...
>
> Again answer to original question from Brett, yes GRANT syntax should be
> similar to REVOKE but rather priv_level should be removed from REVOKE as
> well.. :)
>
> GRANT
>     priv_type [(column_list)]
>       [, priv_type [(column_list)]] ...
>     [ON object_type]
>     TO principal_specification [, principal_specification] ...
>     [WITH GRANT OPTION]
>
> REVOKE [GRANT OPTION FOR]
>     priv_type [(column_list)]
>       [, priv_type [(column_list)]] ...
>     [ON object_type]
>     FROM principal_specification [, principal_specification] ...
>
> REVOKE ALL PRIVILEGES, GRANT OPTION
>     FROM user [, user] ...
>
> priv_type:
>     ALL | ALTER | UPDATE | CREATE | DROP
>   | INDEX | LOCK | SELECT | SHOW_DATABASE
>
> object_type:
>     TABLE tbl_name
>   | DATABASE db_name
>
> principal_specification:
>     USER user
>   | GROUP group
>   | ROLE role
>
>
> On Sat, Oct 11, 2014 at 7:55 PM, Lefty Leverenz <le...@gmail.com>
> wrote:
>>
>> Good catch, Brett.  Can we have confirmation from an expert?
>>
>> Also, is object_type optional?
>>
>> It isn't clear to me why priv_level isn't called object_name.
>>
>> -- Lefty
>>
>> On Thu, Oct 9, 2014 at 8:23 AM, Brett Randall <ja...@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> On
>>> https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
>>> , GRANT shows as:
>>>
>>> GRANT
>>>     priv_type [(column_list)]
>>>       [, priv_type [(column_list)]] ...
>>>     [ON object_type]
>>>     TO principal_specification [, principal_specification] ...
>>>     [WITH GRANT OPTION]
>>>
>>> Should that not be [ON object_type priv_level], same as REVOKE, where:
>>>
>>> object_type:
>>>     TABLE
>>>   | DATABASE
>>>
>>> priv_level:
>>>     db_name
>>>   | tbl_name
>>>
>>> Thanks
>>> Brett
>>
>>
>

Re: DDL wiki GRANT

Posted by Suhas Gogate <vg...@pivotal.io>.
Hmm.. looking at the syntax priv_level does not seem to be a keyword but
rather the actual name of a table or database.. so why does it appear like a
keyword? Also, priv_level is confusing and rather clear syntax should
look like below...

Again answer to original question from Brett, yes GRANT syntax should be
similar to REVOKE but rather priv_level should be removed from REVOKE as
well.. :)

GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_type]
    TO principal_specification [, principal_specification] ...
    [WITH GRANT OPTION]

REVOKE [GRANT OPTION FOR]
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_type]
    FROM principal_specification [, principal_specification] ...

REVOKE ALL PRIVILEGES, GRANT OPTION
    FROM user [, user] ...

priv_type:
    ALL | ALTER | UPDATE | CREATE | DROP
  | INDEX | LOCK | SELECT | SHOW_DATABASE

object_type:
    TABLE tbl_name
  | DATABASE db_name

principal_specification:
    USER user
  | GROUP group
  | ROLE role


On Sat, Oct 11, 2014 at 7:55 PM, Lefty Leverenz <le...@gmail.com>
wrote:

> Good catch, Brett.  Can we have confirmation from an expert?
>
> Also, is object_type optional?
>
> It isn't clear to me why priv_level isn't called object_name.
>
> -- Lefty
>
> On Thu, Oct 9, 2014 at 8:23 AM, Brett Randall <ja...@gmail.com> wrote:
>
>> Hi,
>>
>> On
>> https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
>> , GRANT shows as:
>>
>> GRANT
>>     priv_type [(column_list)]
>>       [, priv_type [(column_list)]] ...
>>     [ON object_type]
>>     TO principal_specification [, principal_specification] ...
>>     [WITH GRANT OPTION]
>>
>> Should that not be [ON object_type priv_level], same as REVOKE, where:
>>
>> object_type:
>>     TABLE
>>   | DATABASE
>>
>> priv_level:
>>     db_name
>>   | tbl_name
>>
>> Thanks
>> Brett
>>
>
>

Re: DDL wiki GRANT

Posted by Lefty Leverenz <le...@gmail.com>.
Good catch, Brett.  Can we have confirmation from an expert?

Also, is object_type optional?

It isn't clear to me why priv_level isn't called object_name.

-- Lefty

On Thu, Oct 9, 2014 at 8:23 AM, Brett Randall <ja...@gmail.com> wrote:

> Hi,
>
> On
> https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
> , GRANT shows as:
>
> GRANT
>     priv_type [(column_list)]
>       [, priv_type [(column_list)]] ...
>     [ON object_type]
>     TO principal_specification [, principal_specification] ...
>     [WITH GRANT OPTION]
>
> Should that not be [ON object_type priv_level], same as REVOKE, where:
>
> object_type:
>     TABLE
>   | DATABASE
>
> priv_level:
>     db_name
>   | tbl_name
>
> Thanks
> Brett
>