Posted to commits@impala.apache.org by ta...@apache.org on 2019/06/01 17:27:54 UTC

[impala] 02/03: [DOCS] Added the section on object ownership

This is an automated email from the ASF dual-hosted git repository.

tarmstrong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit d9de31ea439847a9c011c3b3e14f38a8ee0f606b
Author: Alex Rodoni <ar...@cloudera.com>
AuthorDate: Thu May 30 12:18:43 2019 -0700

    [DOCS] Added the section on object ownership
    
    Change-Id: Iff48684f457ef19a27524adfbcc2ae5e098320a3
    Reviewed-on: http://gerrit.cloudera.org:8080/13478
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
    Reviewed-by: Alex Rodoni <ar...@cloudera.com>
---
 docs/topics/impala_authorization.xml | 39 ++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/docs/topics/impala_authorization.xml b/docs/topics/impala_authorization.xml
index c49fa97..f4be80b 100644
--- a/docs/topics/impala_authorization.xml
+++ b/docs/topics/impala_authorization.xml
@@ -106,6 +106,45 @@ under the License.
 
   </concept>
 
+  <concept id="object_ownership">
+
+    <title>Object Ownership in Sentry</title>
+
+    <conbody>
+
+      <p>
+        Impala supports the ownership on databases, tables, and views. The
+        <codeph>CREATE</codeph> statements implicitly make the user running the statement the
+        owner of the object. An owner has the <codeph>OWNER</codeph> privilege if enabled in
+        Sentry. For example, if <varname>User A</varname> creates a database,
+        <varname>foo</varname>, via the <codeph>CREATE DATABASE</codeph> statement,
+        <varname>User A</varname> now owns the <varname>foo</varname> database and is authorized
+        to perform any operation on the <varname>foo</varname> database.
+      </p>
+
+      <p>
+        The <codeph>OWNER</codeph> privilege is not a grantable or revokable privilege whereas
+        the <codeph>ALL</codeph> privilege is explicitly granted via the <codeph>GRANT</codeph>
+        statement.
+      </p>
+
+      <p>
+        The object ownership feature is controlled by a Sentry configuration. The
+        <codeph>OWNER</codeph> privilege is only granted when the feature is enabled in Sentry.
+        When enabled they get the owner privilege, with or without the <codeph>GRANT
+        OPTION</codeph>, which is also controlled by the Sentry configuration.
+      </p>
+
+      <p>
+        An ownership can be transferred to another user or role via the <codeph>ALTER
+        DATABASE</codeph>, <codeph>ALTER TABLE</codeph>, or <codeph>ALTER VIEW</codeph> with the
+        <codeph>SET OWNER</codeph> clause.
+      </p>
+
+    </conbody>
+
+  </concept>
+
   <concept id="secure_startup">
 
     <title>Starting Impala with Sentry Authorization Enabled</title>
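Review bot: In the third added paragraph, "When enabled they get the owner privilege" has no antecedent for "they", and the paragraph never names the Sentry configuration that turns ownership on or that decides whether the owner also gets GRANT OPTION. Suggest "When enabled, the user who creates the object gets the OWNER privilege, with or without the GRANT OPTION", and either naming the setting or linking to the Sentry documentation that describes it. The example in the first paragraph says User A "is authorized to perform any operation on the foo database" without repeating the "if enabled in Sentry" condition from the sentence before it, so the example on its own reads as if ownership always confers full access; tying the condition into the example would avoid that. The last paragraph documents SET OWNER but does not say what privilege a user needs to transfer ownership, which is the first thing an administrator will look for here. Minor wording: "supports the ownership on databases" reads better as "supports ownership of databases", "An ownership can be transferred" as "Ownership can be transferred", and "revokable" is usually spelled "revocable".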