Posted to commits@impala.apache.org by ta...@apache.org on 2018/04/19 18:12:15 UTC

[4/8] impala git commit: IMPALA-6651: [DOCS] Fine grained privileges

IMPALA-6651: [DOCS] Fine grained privileges

Change-Id: I7b018bf847537ed461df6d9caee99f90b139f8ab
Cherry-picks: not for 2.x.
Reviewed-on: http://gerrit.cloudera.org:8080/10079
Reviewed-by: Alex Behm <al...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


Project: http://git-wip-us.apache.org/repos/asf/impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/22714a7a
Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/22714a7a
Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/22714a7a

Branch: refs/heads/master
Commit: 22714a7ab127b3871aa1cc5c97ff415a48ce2f85
Parents: ddc795d
Author: Alex Rodoni <ar...@cloudera.com>
Authored: Sat Apr 14 08:32:06 2018 -0700
Committer: Impala Public Jenkins <im...@cloudera.com>
Committed: Thu Apr 19 04:30:01 2018 +0000

----------------------------------------------------------------------
 docs/topics/impala_grant.xml  | 163 +++++++++++++++++++++++++++++++------
 docs/topics/impala_revoke.xml |  43 ++++++----
 2 files changed, 165 insertions(+), 41 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/impala/blob/22714a7a/docs/topics/impala_grant.xml
----------------------------------------------------------------------
diff --git a/docs/topics/impala_grant.xml b/docs/topics/impala_grant.xml
index 03ad518..956a458 100644
--- a/docs/topics/impala_grant.xml
+++ b/docs/topics/impala_grant.xml
@@ -40,10 +40,9 @@ under the License.
   <conbody>
 
     <p rev="2.0.0">
-      <indexterm audience="hidden">GRANT statement</indexterm>
-<!-- Copied from Sentry docs. Turn into conref. I did some rewording for clarity. -->
-      The <codeph>GRANT</codeph> statement grants roles or privileges on specified objects to groups. Only Sentry
-      administrative users can grant roles to a group.
+      <indexterm audience="hidden">GRANT statement</indexterm> The
+        <codeph>GRANT</codeph> statement grants a privilege on a specified object
+      to a role or grants a role to a group.
     </p>
 
     <p conref="../shared/impala_common.xml#common/syntax_blurb"/>
@@ -54,8 +53,8 @@ GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>ob
    TO [ROLE] <varname>roleName</varname>
    [WITH GRANT OPTION]
 
-<ph rev="2.3.0">privilege ::= SELECT | SELECT(<varname>column_name</varname>) | INSERT | ALL</ph>
-object_type ::= TABLE | DATABASE | SERVER | URI
+<ph id="privileges" rev="3.0">privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(<varname>column_name</varname>)</ph>
+<ph id="priv_objs" rev="3.0">object_type ::= TABLE | DATABASE | SERVER | URI</ph>
 </codeblock>
 
     <p>
@@ -67,36 +66,148 @@ object_type ::= TABLE | DATABASE | SERVER | URI
     <p conref="../shared/impala_common.xml#common/privileges_blurb"/>
 
     <p>
-<!-- To do: The wording here can be fluid, and it's reused in several statements. Turn into a conref. -->
-      Only administrative users (initially, a predefined set of users specified in the Sentry service configuration
-      file) can use this statement.
+      Only administrative users (initially, a predefined set of users
+      specified in the Sentry service configuration file) can use this
+      statement.
     </p>
+    <p>Only Sentry administrative users can grant roles to a group. </p>
+
+    <p> The <codeph>WITH GRANT OPTION</codeph> clause allows members of the
+      specified role to issue <codeph>GRANT</codeph> and <codeph>REVOKE</codeph>
+      statements for those same privileges Hence, if a role has the
+        <codeph>ALL</codeph> privilege on a database and the <codeph>WITH GRANT
+        OPTION</codeph> set, users granted that role can execute
+        <codeph>GRANT</codeph>/<codeph>REVOKE</codeph> statements only for that
+      database or child tables of the database. This means a user could revoke
+      the privileges of the user that provided them the <codeph>GRANT
+        OPTION</codeph>. </p>
+
+    <p> Impala does not currently support revoking only the <codeph>WITH GRANT
+        OPTION</codeph> from a privilege previously granted to a role. To remove
+      the <codeph>WITH GRANT OPTION</codeph>, revoke the privilege and grant it
+      again without the <codeph>WITH GRANT OPTION</codeph> flag. </p>
 
+    <p rev="2.3.0 collevelauth">
+      The ability to grant or revoke <codeph>SELECT</codeph> privilege on specific columns is available
+      in <keyword keyref="impala23_full"/> and higher. See <xref keyref="sg_hive_sql"/> for details.
+    </p>
     <p>
-      The <codeph>WITH GRANT OPTION</codeph> clause allows members of the specified role to issue
-      <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements for those same privileges
-<!-- Copied from Sentry docs. Turn into conref. I did some rewording for clarity. -->
-      Hence, if a role has the <codeph>ALL</codeph> privilege on a database and the <codeph>WITH GRANT
-      OPTION</codeph> set, users granted that role can execute <codeph>GRANT</codeph>/<codeph>REVOKE</codeph>
-      statements only for that database or child tables of the database. This means a user could revoke the
-      privileges of the user that provided them the <codeph>GRANT OPTION</codeph>.
+      <b>Usage notes:</b>
     </p>
 
     <p>
-<!-- Copied from Sentry docs. Turn into conref. Except I changed Hive to Impala. -->
-      Impala does not currently support revoking only the <codeph>WITH GRANT OPTION</codeph> from a privilege
-      previously granted to a role. To remove the <codeph>WITH GRANT OPTION</codeph>, revoke the privilege and
-      grant it again without the <codeph>WITH GRANT OPTION</codeph> flag.
+      You can only grant the <codeph>ALL</codeph> privilege to the
+        <codeph>URI</codeph> object. Finer-grained privileges mentioned below on
+      a <codeph>URI</codeph> are not supported.
     </p>
 
-    <p rev="2.3.0 collevelauth">
-      The ability to grant or revoke <codeph>SELECT</codeph> privilege on specific columns is available
-      in <keyword keyref="impala23_full"/> and higher. See <xref keyref="sg_hive_sql"/> for details.
+    <p>
+      Starting in <keyword keyref="impala30_full"/>, finer grained privileges
+      are enforced as below.<simpletable frame="all" relcolwidth="1* 1* 1*"
+        id="simpletable_kmb_ppn_ndb">
+        <sthead>
+          <stentry>Privilege</stentry>
+          <stentry>Scope</stentry>
+          <stentry>SQL Allowed to Execute</stentry>
+        </sthead>
+        <strow>
+          <stentry><codeph>REFRESH</codeph></stentry>
+          <stentry><codeph>SERVER</codeph></stentry>
+          <stentry><codeph>INVALIDATE METADATA</codeph> on all tables in all
+                databases<p><codeph>REFRESH</codeph> on all tables and functions
+              in all databases</p></stentry>
+        </strow>
+        <strow>
+          <stentry><codeph>REFRESH</codeph></stentry>
+          <stentry><codeph>DATABASE</codeph></stentry>
+          <stentry><codeph>INVALIDATE METADATA</codeph> on all tables in the
+            named database<p><codeph>REFRESH</codeph> on all tables and
+              functions in the named database</p></stentry>
+        </strow>
+        <strow>
+          <stentry><codeph>REFRESH</codeph></stentry>
+          <stentry><codeph>TABLE</codeph></stentry>
+          <stentry><codeph>INVALIDATE METADATA</codeph> on the named
+                table<p><codeph>REFRESH</codeph> on the named
+            table</p></stentry>
+        </strow>
+        <strow>
+          <stentry><codeph>CREATE</codeph></stentry>
+          <stentry><codeph>SERVER</codeph></stentry>
+          <stentry><codeph>CREATE DATABASE</codeph> on all
+                databases<p><codeph>CREATE TABLE</codeph> on all
+            tables</p></stentry>
+        </strow>
+        <strow>
+          <stentry><codeph>CREATE</codeph></stentry>
+          <stentry><codeph>DATABASE</codeph></stentry>
+          <stentry><codeph>CREATE TABLE</codeph> on all tables in the named
+            database</stentry>
+        </strow>
+        <strow>
+          <stentry><codeph>DROP</codeph></stentry>
+          <stentry><codeph>SERVER</codeph></stentry>
+          <stentry><codeph>DROP DATBASE</codeph> on all databases<p><codeph>DROP
+                TABLE</codeph> on all tables</p></stentry>
+        </strow>
+        <strow>
+          <stentry><codeph>DROP</codeph></stentry>
+          <stentry><codeph>DATABASE</codeph></stentry>
+          <stentry><codeph>DROP DATABASE</codeph> on the named
+                database<p><codeph>DROP TABLE</codeph> on all tables in the
+              named database</p></stentry>
+        </strow>
+        <strow>
+          <stentry><codeph>DROP</codeph></stentry>
+          <stentry><codeph>TABLE</codeph></stentry>
+          <stentry><codeph>DROP TABLE</codeph> on the named table</stentry>
+        </strow>
+        <strow>
+          <stentry><codeph>ALTER</codeph></stentry>
+          <stentry><codeph>SERVER</codeph></stentry>
+          <stentry><codeph>ALTER TABLE</codeph> on all tables</stentry>
+        </strow>
+        <strow>
+          <stentry><codeph>ALTER</codeph></stentry>
+          <stentry><codeph>DATABASE</codeph></stentry>
+          <stentry><codeph>ALTER TABLE</codeph> on the tables in the named
+            database</stentry>
+        </strow>
+        <strow>
+          <stentry><codeph>ALTER</codeph></stentry>
+          <stentry><codeph>TABLE</codeph></stentry>
+          <stentry><codeph>ALTER TABLE</codeph> on the named table</stentry>
+        </strow>
+      </simpletable>
     </p>
 
-<!-- Turn compatibility info into a conref or series of conrefs. (In both GRANT and REVOKE.) -->
-
-<!-- If they diverge during development, consider the version here in GRANT the authoritative one. -->
+    <p>
+      <note>
+        <p>
+          <ul>
+            <li>
+              <codeph>ALTER TABLE RENAME</codeph> requires the
+                <codeph>ALTER</codeph> privilege at the <codeph>TABLE</codeph>
+              level and the <codeph>CREATE</codeph> privilege at the
+                <codeph>DATABASE</codeph> level.
+            </li>
+
+            <li>
+              <codeph>CREATE TABLE AS SELECT</codeph> requires the
+                <codeph>CREATE</codeph> privilege on the database that should
+              contain the new table and the <codeph>SELECT</codeph> privilege on
+              the tables referenced in the query portion of the statement.
+            </li>
+
+            <li>
+              <codeph>COMPUTE STATS</codeph> requires  the
+                <codeph>ALTER</codeph> and <codeph>SELECT</codeph> privileges on
+              the target table.
+            </li>
+          </ul>
+        </p>
+      </note>
+    </p>
 
     <p conref="../shared/impala_common.xml#common/compatibility_blurb"/>
 
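Review bot: Two text errors in the new content: the sentence ending "for those same privileges Hence, if a role has" is missing the full stop before "Hence", and the DROP/SERVER row of the table reads "DROP DATBASE" (should be "DROP DATABASE"). Structurally, the <simpletable> is opened inside the <p> that begins "Starting in ... finer grained privileges are enforced as below." and that <p> is only closed after </simpletable>; if the build validates against the DITA DTD, close the paragraph before the table (or use the table's own wrapper) rather than nesting it. Finally, since this hunk introduces the fine-grained privileges, it would help readers to state here what the REVOKE topic states in the same change, that ALL is a distinct privilege and not the union of ALTER/CREATE/DROP/INSERT/REFRESH/SELECT; otherwise an administrator reading this table may expect REVOKE SELECT to narrow a role that only holds ALL.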

http://git-wip-us.apache.org/repos/asf/impala/blob/22714a7a/docs/topics/impala_revoke.xml
----------------------------------------------------------------------
diff --git a/docs/topics/impala_revoke.xml b/docs/topics/impala_revoke.xml
index 78eda00..4c997f8 100644
--- a/docs/topics/impala_revoke.xml
+++ b/docs/topics/impala_revoke.xml
@@ -40,12 +40,8 @@ under the License.
   <conbody>
 
     <p rev="2.0.0">
-      <indexterm audience="hidden">REVOKE statement</indexterm>
-<!-- Copied from Sentry docs. Turn into conref. I did some rewording for clarity. -->
-      The <codeph>REVOKE</codeph> statement revokes roles or privileges on a specified object from groups. Only
-      Sentry administrative users can revoke the role from a group. The revocation has a cascading effect. For
-      example, revoking the <codeph>ALL</codeph> privilege on a database also revokes the same privilege for all
-      the tables in that database.
+      The <codeph>REVOKE</codeph> statement revokes roles or
+      privileges on a specified object from groups.
     </p>
 
     <p conref="../shared/impala_common.xml#common/syntax_blurb"/>
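Review bot: The cascading-revocation sentence ("revoking the ALL privilege on a database also revokes the same privilege for all the tables in that database") is deleted with nothing replacing it; if that behavior still holds, keep it, because an administrator needs to know the scope of a REVOKE, and if it changed in 3.0, say what happens now. The remaining sentence also says the statement revokes "privileges on a specified object from groups", but the syntax block below revokes FROM [ROLE] role_name; mirror the GRANT wording from the same change: revokes a privilege on a specified object from a role, or revokes a role from a group.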
@@ -55,11 +51,29 @@ under the License.
 REVOKE <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname>
   FROM [ROLE] <varname>role_name</varname>
 
-<ph rev="2.3.0">privilege ::= SELECT | SELECT(<varname>column_name</varname>) | INSERT | ALL</ph>
-object_type ::= TABLE | DATABASE | SERVER | URI
+<ph rev="3.0">
+  privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(<varname>column_name</varname>)
+</ph>
+<ph rev="3.0">
+  object_type ::= TABLE | DATABASE | SERVER | URI
+</ph>
 </codeblock>
 
     <p>
+      See <keyword keyref="grant"/> for the required privileges and the scope
+      for SQL operations.
+    </p>
+
+    <p>
+      The <codeph>ALL</codeph> privilege is a distinct privilege and not a
+      union of all other privileges. Revoking <codeph>SELECT</codeph>,
+        <codeph>INSERT</codeph>, etc. from a role that only has the
+        <codeph>ALL</codeph> privilege has no effect. To reduce the privileges
+      of that role you must <codeph>REVOKE ALL</codeph> and
+        <codeph>GRANT</codeph> the desired privileges.
+    </p>
+
+    <p>
       Typically, the object name is an identifier. For URIs, it is a string literal.
     </p>
 
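Review bot: The privilege and object_type grammar is retyped here instead of being conref'd from the <ph id="privileges"> and <ph id="priv_objs"> elements this same change adds to impala_grant.xml, so the two lists will drift the next time a privilege is added; replace the two <ph rev="3.0"> blocks with conrefs to those ids. The new paragraph on ALL being distinct is the most useful addition on this page; one practical note worth adding: if ALL and the finer-grained privileges can be held by a role at the same time, GRANT the reduced set first and then REVOKE ALL, so the role is never left with no privileges between the two statements.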
@@ -75,16 +89,15 @@ object_type ::= TABLE | DATABASE | SERVER | URI
       Only administrative users (those with <codeph>ALL</codeph> privileges on the server, defined in the Sentry
       policy file) can use this statement.
     </p>
-
-<!-- Turn compatibility info into a conref or series of conrefs. (In both GRANT and REVOKE.) -->
+    <p>Only Sentry administrative users can revoke the role from a group.</p>
 
     <p conref="../shared/impala_common.xml#common/compatibility_blurb"/>
 
     <p>
       <ul>
         <li>
-          The Impala <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements are available in <keyword keyref="impala20_full"/> and
-          higher.
+          The <codeph>REVOKE</codeph> statements are available in <keyword
+            keyref="impala20_full"/> and higher.
         </li>
 
         <li>
@@ -94,9 +107,9 @@ object_type ::= TABLE | DATABASE | SERVER | URI
         </li>
 
         <li>
-          The Impala <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements do not require the
-          <codeph>ROLE</codeph> keyword to be repeated before each role name, unlike the equivalent Hive
-          statements.
+          The Impala <codeph>REVOKE</codeph> statements do not require the
+            <codeph>ROLE</codeph> keyword to be repeated before each role name,
+          unlike the equivalent Hive statements.
         </li>
 
         <li conref="../shared/impala_common.xml#common/grant_revoke_single"/>
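Review bot: The definition of who may use the statement is inconsistent between the two files touched by this change: this context describes administrative users as "those with ALL privileges on the server, defined in the Sentry policy file", while the GRANT topic says "a predefined set of users specified in the Sentry service configuration file"; these describe different mechanisms, so pick the one that matches the supported deployment and use the same wording (ideally a shared conref) in both topics. Two grammar points in the edited list items: "The REVOKE statements are available in ... and higher" should be "The REVOKE statement is available", and "The Impala REVOKE statements do not require" should be "The Impala REVOKE statement does not require".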