GRANT Statement (Impala 2.0 or higher only)
GRANT statement grants roles or privileges on specified objects to groups. Only Sentry
administrative users can grant roles to a group.
GRANT ROLE role_name TO GROUP group_name GRANT privilege ON object_type object_name TO [ROLE] roleName [WITH GRANT OPTION] privilege ::= SELECT | SELECT(column_name) | INSERT | ALL object_type ::= TABLE | DATABASE | SERVER | URI
Typically, the object name is an identifier. For URIs, it is a string literal.
Only administrative users (initially, a predefined set of users specified in the Sentry service configuration file) can use this statement.
WITH GRANT OPTION clause allows members of the specified role to issue
REVOKE statements for those same privileges
Hence, if a role has the
ALL privilege on a database and the
OPTION set, users granted that role can execute
statements only for that database or child tables of the database. This means a user could revoke the
privileges of the user that provided them the
Impala does not currently support revoking only the
WITH GRANT OPTION from a privilege
previously granted to a role. To remove the
WITH GRANT OPTION, revoke the privilege and
grant it again without the
WITH GRANT OPTION flag.
The ability to grant or revoke
SELECT privilege on specific columns is available
in Impala 2.3 and higher. See the documentation for Apache Sentry for details.
REVOKEstatements are available in Impala 2.0 and later.
In Impala 1.4 and later, Impala can make use of any roles and privileges specified by the
REVOKEstatements in Hive, when your system is configured to use the Sentry service instead of the file-based policy mechanism.
REVOKEstatements for privileges do not require the
ROLEkeyword to be repeated before each role name, unlike the equivalent Hive statements.
Currently, each Impala
REVOKEstatement can only grant or revoke a single privilege to or from a single role.
Cancellation: Cannot be cancelled.
HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.
Only users with the
SERVERcan create external Kudu tables.
SERVERis required to specify the
kudu.master_addressesproperty in the
CREATE TABLEstatements for managed tables as well as external tables.
- Access to Kudu tables is enforced at the table level and at the column level.
INSERT-specific permissions are supported.
UPSERToperations require the
Enabling Sentry Authorization for Impala, REVOKE Statement (Impala 2.0 or higher only), CREATE ROLE Statement (Impala 2.0 or higher only), DROP ROLE Statement (Impala 2.0 or higher only), SHOW Statement