GRANT Statement (Impala 2.0 or higher only)
The GRANT statement grants a privilege on a specified object to a role,
to a user, or to a group. The statement is also used to grant a role to a group.
Syntax:
The following syntax are supported in Impala through Ranger to manage authorization.
GRANT ROLE TO GROUP
For GRANT ROLE TO GROUP, only Ranger administrative users can grant roles to a group.
GRANT ROLE role_name TO GROUP group_nameGRANT privilege ON object TO PRINCIPAL
For GRANT privilege ON object TO principal (a user, a group, or a role), Ranger administrative users can use this statement. If the privilege is granted with the clause of WITH GRANT OPTION, the grantee (the user, the users belonging to the group, or the users belonging to the group granted the role) is able to grant the privilege to other principals.
GRANT privilege ON object_type object_name
TO USER user_name
GRANT privilege ON object_type object_name
TO GROUP group_name
GRANT privilege ON object_type object_name
TO ROLE role_name
privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name)
object_type ::= SERVER | URI | DATABASE | TABLE
Typically, the object_name is an identifier. For URIs,
it is a string literal.
Required privileges:
Only administrative users for Ranger can use this statement.
Only Ranger administrative users can grant roles to a group.
The WITH GRANT OPTION clause allows members of the specified role to issue
GRANT and REVOKE statements for those same privileges.
Hence, if a role has the ALL privilege on a database and the WITH
GRANT OPTION set, users granted that role can execute
GRANT/REVOKE statements only for that database or child
tables of the database. This means a user could revoke the privileges of the user that
provided them the GRANT OPTION.
The ability to grant or revoke SELECT privilege on specific columns is
available in Impala 2.3 and higher. See
the documentation for Apache Sentry for details.
Usage notes:
You can only grant the ALL privilege to the URI object.
Finer-grained privileges mentioned below on a URI are not supported.
- The SERVER resource type in Ranger implies all databases, all tables, all columns, all UDFs, and all URIs.
-
ANY denotes the
SELECT,INSERT,CREATE,ALTER,DROP, orREFRESHprivilege. -
ALL privilege denotes the
SELECT,INSERT,CREATE,ALTER,DROP, andREFRESHprivileges. - The owner of an object effectively has the ALL privilege on the object.
-
The parent levels of the specified scope are implicitly supported where a scope
refers to the specific level in the object hierarchy that the privilege is granted.
For example, if a privilege is listed with the
TABLEscope, the same privilege granted onDATABASEandSERVERwill allow the user to execute the specified SQL statement.
| SQL Statement | Privileges |
Object Type / Resource Type |
| SELECT | SELECT | TABLE |
| WITH SELECT | SELECT | TABLE |
| EXPLAIN SELECT | SELECT | TABLE |
| INSERT | INSERT | TABLE |
| EXPLAIN INSERT | INSERT | TABLE |
| TRUNCATE | INSERT | TABLE |
| LOAD | INSERT | TABLE |
| ALL | URI | |
| CREATE DATABASE | CREATE | SERVER |
| CREATE DATABASE LOCATION | CREATE | SERVER |
| ALL | URI | |
| CREATE TABLE | CREATE | DATABASE |
| CREATE TABLE LIKE | CREATE | DATABASE |
| SELECT, INSERT, or REFRESH | TABLE | |
| CREATE TABLE AS SELECT | CREATE | DATABASE |
| INSERT | DATABASE | |
| SELECT | TABLE | |
| EXPLAIN CREATE TABLE AS SELECT | CREATE | DATABASE |
| INSERT | DATABASE | |
| SELECT | TABLE | |
| CREATE TABLE LOCATION | CREATE | TABLE |
| ALL | URI | |
| CREATE VIEW | CREATE | DATABASE |
| SELECT | TABLE | |
| ALTER DATABASE SET OWNER | ALL WITH GRANT | DATABASE |
| ALTER TABLE | ALTER | TABLE |
| ALTER TABLE SET LOCATION | ALTER | TABLE |
| ALL | URI | |
| ALTER TABLE RENAME | CREATE | DATABASE |
| ALL | TABLE | |
| ALTER TABLE SET OWNER | ALL WITH GRANT | TABLE |
| ALTER VIEW | ALTER | TABLE |
| SELECT | TABLE | |
| ALTER VIEW RENAME | CREATE | DATABASE |
| ALL | TABLE | |
| ALTER VIEW SET OWNER | ALL WITH GRANT | VIEW |
| DROP DATABASE | DROP | DATABASE |
| DROP TABLE | DROP | TABLE |
| DROP VIEW | DROP | TABLE |
| CREATE FUNCTION | CREATE | DATABASE |
| ALL | URI | |
| DROP FUNCTION | DROP | DATABASE |
| COMPUTE STATS | ALTER and SELECT | TABLE |
| DROP STATS | ALTER | TABLE |
| INVALIDATE METADATA | REFRESH | SERVER |
| INVALIDATE METADATA <table> | REFRESH | TABLE |
| REFRESH <table> | REFRESH | TABLE |
| REFRESH AUTHORIZATION | REFRESH | SERVER |
| REFRESH FUNCTIONS | REFRESH | DATABASE |
| COMMENT ON DATABASE | ALTER | DATABASE |
| COMMENT ON TABLE | ALTER | TABLE |
| COMMENT ON VIEW | ALTER | TABLE |
| COMMENT ON COLUMN | ALTER | TABLE |
| DESCRIBE DATABASE | SELECT, INSERT, or REFRESH | DATABASE |
| DESCRIBE <table/view> | SELECT, INSERT, or REFRESH | TABLE |
| If the user has the SELECT privilege at the COLUMN level, only the columns the user has access will show. | SELECT | COLUMN |
| USE | ANY | TABLE |
| SHOW DATABASES | ANY | TABLE |
| SHOW TABLES | ANY | TABLE |
| SHOW FUNCTIONS | SELECT, INSERT, or REFRESH | DATABASE |
| SHOW PARTITIONS | SELECT, INSERT, or REFRESH | TABLE |
| SHOW TABLE STATS | SELECT, INSERT, or REFRESH | TABLE |
| SHOW COLUMN STATS | SELECT, INSERT, or REFRESH | TABLE |
| SHOW FILES | SELECT, INSERT, or REFRESH | TABLE |
| SHOW CREATE TABLE | SELECT, INSERT, or REFRESH | TABLE |
| SHOW CREATE VIEW | SELECT, INSERT, or REFRESH | TABLE |
| SHOW CREATE FUNCTION | SELECT, INSERT, or REFRESH | DATABASE |
| SHOW RANGE PARTITIONS (Kudu only) | SELECT, INSERT, or REFRESH | TABLE |
| UPDATE (Kudu only) | ALL | TABLE |
| EXPLAIN UPDATE (Kudu only) | ALL | TABLE |
| UPSERT (Kudu only) | ALL | TABLE |
| WITH UPSERT (Kudu only) | ALL | TABLE |
| EXPLAIN UPSERT (Kudu only) | ALL | TABLE |
| DELETE (Kudu only) | ALL | TABLE |
| EXPLAIN DELETE (Kudu only) | ALL | TABLE |
Compatibility:
-
The Impala
GRANTandREVOKEstatements are available in Impala 2.0 and later. -
In general, Impala can make use of any roles and privileges specified by the
GRANTandREVOKEstatements in Hive, when your system is configured to use the Ranger service instead of the file-based policy mechanism. -
Currently, each Impala
GRANTorREVOKEstatement can only grant or revoke a single privilege to or from a single role.
Cancellation: Cannot be cancelled.
HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.
Kudu considerations:
- Only users with the
ALLprivilege onSERVERcan create external Kudu tables. - The
ALLprivileges onSERVERis required to specify thekudu.master_addressesproperty in theCREATE TABLEstatements for managed tables as well as external tables. - Access to Kudu tables is enforced at the table level and at the column level.
- The
SELECT- andINSERT-specific permissions are supported. - The
DELETE,UPDATE, andUPSERToperations require theALLprivilege.
Related information:
Impala Authorization, REVOKE Statement (Impala 2.0 or higher only), CREATE ROLE Statement (Impala 2.0 or higher only), DROP ROLE Statement (Impala 2.0 or higher only), SHOW Statement