| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| <!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd"> |
| <concept rev="2.0.0" id="grant"> |
| |
| <title>GRANT Statement (<keyword keyref="impala20"/> or higher only)</title> |
| <titlealts audience="PDF"><navtitle>GRANT</navtitle></titlealts> |
| <prolog> |
| <metadata> |
| <data name="Category" value="Impala"/> |
| <data name="Category" value="DDL"/> |
| <data name="Category" value="SQL"/> |
| <data name="Category" value="Security"/> |
| <data name="Category" value="Sentry"/> |
| <data name="Category" value="Roles"/> |
| <data name="Category" value="Administrators"/> |
| <data name="Category" value="Developers"/> |
| <data name="Category" value="Data Analysts"/> |
| <!-- Consider whether to go deeper into categories like Security for the Sentry-related statements. --> |
| </metadata> |
| </prolog> |
| |
| <conbody> |
| |
| <p rev="2.0.0"> |
| <indexterm audience="hidden">GRANT statement</indexterm> The |
| <codeph>GRANT</codeph> statement grants a privilege on a specified object |
| to a role or grants a role to a group. |
| </p> |
| |
| <p conref="../shared/impala_common.xml#common/syntax_blurb"/> |
| |
| <codeblock rev="2.3.0 collevelauth">GRANT ROLE <varname>role_name</varname> TO GROUP <varname>group_name</varname> |
| |
| GRANT <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname> |
| TO [ROLE] <varname>roleName</varname> |
| [WITH GRANT OPTION] |
| |
| <ph id="privileges" rev="3.0">privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(<varname>column_name</varname>)</ph> |
| <ph id="priv_objs" rev="3.0">object_type ::= TABLE | DATABASE | SERVER | URI</ph> |
| </codeblock> |
| |
| <p> |
| Typically, the object name is an identifier. For URIs, it is a string literal. |
| </p> |
| |
| <!-- Turn privilege info into a conref or series of conrefs. (In both GRANT and REVOKE.) --> |
| |
| <p conref="../shared/impala_common.xml#common/privileges_blurb"/> |
| |
| <p> |
| Only administrative users (initially, a predefined set of users |
| specified in the Sentry service configuration file) can use this |
| statement. |
| </p> |
| <p>Only Sentry administrative users can grant roles to a group. </p> |
| |
| <p> The <codeph>WITH GRANT OPTION</codeph> clause allows members of the |
| specified role to issue <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> |
| statements for those same privileges Hence, if a role has the |
| <codeph>ALL</codeph> privilege on a database and the <codeph>WITH GRANT |
| OPTION</codeph> set, users granted that role can execute |
| <codeph>GRANT</codeph>/<codeph>REVOKE</codeph> statements only for that |
| database or child tables of the database. This means a user could revoke |
| the privileges of the user that provided them the <codeph>GRANT |
| OPTION</codeph>. </p> |
| |
| <p> Impala does not currently support revoking only the <codeph>WITH GRANT |
| OPTION</codeph> from a privilege previously granted to a role. To remove |
| the <codeph>WITH GRANT OPTION</codeph>, revoke the privilege and grant it |
| again without the <codeph>WITH GRANT OPTION</codeph> flag. </p> |
| |
| <p rev="2.3.0 collevelauth"> |
| The ability to grant or revoke <codeph>SELECT</codeph> privilege on specific columns is available |
| in <keyword keyref="impala23_full"/> and higher. See <xref keyref="sg_hive_sql"/> for details. |
| </p> |
| <p> |
| <b>Usage notes:</b> |
| </p> |
| |
| <p> |
| You can only grant the <codeph>ALL</codeph> privilege to the |
| <codeph>URI</codeph> object. Finer-grained privileges mentioned below on |
| a <codeph>URI</codeph> are not supported. |
| </p> |
| |
| <p> |
| Starting in <keyword keyref="impala30_full"/>, finer grained privileges |
| are enforced as below.<simpletable frame="all" relcolwidth="1* 1* 1*" |
| id="simpletable_kmb_ppn_ndb"> |
| <sthead> |
| <stentry>Privilege</stentry> |
| <stentry>Scope</stentry> |
| <stentry>SQL Allowed to Execute</stentry> |
| </sthead> |
| <strow> |
| <stentry><codeph>REFRESH</codeph></stentry> |
| <stentry><codeph>SERVER</codeph></stentry> |
| <stentry><codeph>INVALIDATE METADATA</codeph> on all tables in all |
| databases<p><codeph>REFRESH</codeph> on all tables and functions |
| in all databases</p></stentry> |
| </strow> |
| <strow> |
| <stentry><codeph>REFRESH</codeph></stentry> |
| <stentry><codeph>DATABASE</codeph></stentry> |
| <stentry><codeph>INVALIDATE METADATA</codeph> on all tables in the |
| named database<p><codeph>REFRESH</codeph> on all tables and |
| functions in the named database</p></stentry> |
| </strow> |
| <strow> |
| <stentry><codeph>REFRESH</codeph></stentry> |
| <stentry><codeph>TABLE</codeph></stentry> |
| <stentry><codeph>INVALIDATE METADATA</codeph> on the named |
| table<p><codeph>REFRESH</codeph> on the named |
| table</p></stentry> |
| </strow> |
| <strow> |
| <stentry><codeph>CREATE</codeph></stentry> |
| <stentry><codeph>SERVER</codeph></stentry> |
| <stentry><codeph>CREATE DATABASE</codeph> on all |
| databases<p><codeph>CREATE TABLE</codeph> on all |
| tables</p></stentry> |
| </strow> |
| <strow> |
| <stentry><codeph>CREATE</codeph></stentry> |
| <stentry><codeph>DATABASE</codeph></stentry> |
| <stentry><codeph>CREATE TABLE</codeph> on all tables in the named |
| database</stentry> |
| </strow> |
| <strow> |
| <stentry><codeph>DROP</codeph></stentry> |
| <stentry><codeph>SERVER</codeph></stentry> |
| <stentry><codeph>DROP DATBASE</codeph> on all databases<p><codeph>DROP |
| TABLE</codeph> on all tables</p></stentry> |
| </strow> |
| <strow> |
| <stentry><codeph>DROP</codeph></stentry> |
| <stentry><codeph>DATABASE</codeph></stentry> |
| <stentry><codeph>DROP DATABASE</codeph> on the named |
| database<p><codeph>DROP TABLE</codeph> on all tables in the |
| named database</p></stentry> |
| </strow> |
| <strow> |
| <stentry><codeph>DROP</codeph></stentry> |
| <stentry><codeph>TABLE</codeph></stentry> |
| <stentry><codeph>DROP TABLE</codeph> on the named table</stentry> |
| </strow> |
| <strow> |
| <stentry><codeph>ALTER</codeph></stentry> |
| <stentry><codeph>SERVER</codeph></stentry> |
| <stentry><codeph>ALTER TABLE</codeph> on all tables</stentry> |
| </strow> |
| <strow> |
| <stentry><codeph>ALTER</codeph></stentry> |
| <stentry><codeph>DATABASE</codeph></stentry> |
| <stentry><codeph>ALTER TABLE</codeph> on the tables in the named |
| database</stentry> |
| </strow> |
| <strow> |
| <stentry><codeph>ALTER</codeph></stentry> |
| <stentry><codeph>TABLE</codeph></stentry> |
| <stentry><codeph>ALTER TABLE</codeph> on the named table</stentry> |
| </strow> |
| </simpletable> |
| </p> |
| |
| <p> |
| <note> |
| <p> |
| <ul> |
| <li> |
| <codeph>ALTER TABLE RENAME</codeph> requires the |
| <codeph>ALTER</codeph> privilege at the <codeph>TABLE</codeph> |
| level and the <codeph>CREATE</codeph> privilege at the |
| <codeph>DATABASE</codeph> level. |
| </li> |
| |
| <li> |
| <codeph>CREATE TABLE AS SELECT</codeph> requires the |
| <codeph>CREATE</codeph> privilege on the database that should |
| contain the new table and the <codeph>SELECT</codeph> privilege on |
| the tables referenced in the query portion of the statement. |
| </li> |
| |
| <li> |
| <codeph>COMPUTE STATS</codeph> requires the |
| <codeph>ALTER</codeph> and <codeph>SELECT</codeph> privileges on |
| the target table. |
| </li> |
| </ul> |
| </p> |
| </note> |
| </p> |
| |
| <p conref="../shared/impala_common.xml#common/compatibility_blurb"/> |
| |
| <p> |
| <ul> |
| <li> |
| The Impala <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements are available in |
| <keyword keyref="impala20_full"/> and later. |
| </li> |
| |
| <li> |
| In <keyword keyref="impala14_full"/> and later, Impala can make use of any roles and privileges specified by the |
| <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements in Hive, when your system is configured to |
| use the Sentry service instead of the file-based policy mechanism. |
| </li> |
| |
| <li> |
| The Impala <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements for privileges do not require |
| the <codeph>ROLE</codeph> keyword to be repeated before each role name, unlike the equivalent Hive |
| statements. |
| </li> |
| |
| <li conref="../shared/impala_common.xml#common/grant_revoke_single"/> |
| </ul> |
| </p> |
| |
| <p conref="../shared/impala_common.xml#common/cancel_blurb_no"/> |
| |
| <p conref="../shared/impala_common.xml#common/permissions_blurb_no"/> |
| |
| <p conref="../shared/impala_common.xml#common/kudu_blurb"/> |
| <p conref="../shared/impala_common.xml#common/kudu_sentry_limitations"/> |
| |
| <p conref="../shared/impala_common.xml#common/related_info"/> |
| |
| <p> |
| <xref href="impala_authorization.xml#authorization"/>, <xref href="impala_revoke.xml#revoke"/>, |
| <xref href="impala_create_role.xml#create_role"/>, <xref href="impala_drop_role.xml#drop_role"/>, |
| <xref href="impala_show.xml#show"/> |
| </p> |
| </conbody> |
| </concept> |