hive-user mailing list archives

From Lefty Leverenz <leftylever...@gmail.com>
Subject Re: DDL wiki GRANT
Date Wed, 15 Oct 2014 03:45:13 GMT
Looks good, except that you forgot to change the GRANT syntax
<https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges>
-- it still says object_type.

-- Lefty

On Tue, Oct 14, 2014 at 11:41 PM, Suhas Gogate <vgogate@pivotal.io> wrote:

> Lefty/Brett,  I did change the wiki.. check if it looks okay.  --Suhas
>
> On Tue, Oct 14, 2014 at 7:34 PM, Lefty Leverenz <leftyleverenz@gmail.com>
> wrote:
>
>> One question remains:  in object_specification, are the keywords TABLE
>> and DATABASE optional?
>>
>> At least for TABLE I've seen queries in the test suite that omitted it,
>> but that was probably for SQL standards based authorization.  So I guess we
>> should assume TABLE and DATABASE are required unless someone says otherwise.
>>
>> -- Lefty
>>
>> On Tue, Oct 14, 2014 at 4:48 PM, Lefty Leverenz <leftyleverenz@gmail.com>
>> wrote:
>>
>>> +1
>>>
>>> -- Lefty
>>>
>>> On Tue, Oct 14, 2014 at 4:37 PM, Brett Randall <javabrett@gmail.com>
>>> wrote:
>>>
>>>> +1
>>>>
>>>> On 15 October 2014 07:23, Suhas Gogate <vgogate@pivotal.io> wrote:
>>>> > Agree w/ Brett.. so maybe instead of "object_type", we can use
>>>> > "object_specification" (similar to principal specification)?
>>>> >
>>>> > GRANT
>>>> >     priv_type [(column_list)]
>>>> >       [, priv_type [(column_list)]] ...
>>>> >     [ON object_specification]
>>>> >     TO principal_specification [, principal_specification] ...
>>>> >     [WITH GRANT OPTION]
>>>> >
>>>> > REVOKE [GRANT OPTION FOR]
>>>> >     priv_type [(column_list)]
>>>> >       [, priv_type [(column_list)]] ...
>>>> >     [ON object_specification]
>>>> >     FROM principal_specification [, principal_specification] ...
>>>> >
>>>> > REVOKE ALL PRIVILEGES, GRANT OPTION
>>>> >     FROM user [, user] ...
>>>> >
>>>> > priv_type:
>>>> >     ALL | ALTER | UPDATE | CREATE | DROP
>>>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
>>>> >
>>>> > object_specification:
>>>> >     TABLE tbl_name |
>>>> >     DATABASE db_name
>>>> >
>>>> > principal_specification:
>>>> >     USER user
>>>> >   | GROUP group
>>>> >   | ROLE role
>>>> >
>>>> >
>>>> > On Tue, Oct 14, 2014 at 11:06 AM, Lefty Leverenz <leftyleverenz@gmail.com>
>>>> > wrote:
>>>> >>
>>>> >> I'll correct it as soon as we reach consensus.  (Perhaps Thejas will chime
>>>> >> in.)
>>>> >>
>>>> >> If you want to do it yourself, you can get wiki edit privilege quite
>>>> >> easily.
>>>> >>
>>>> >> -- Lefty
>>>> >>
>>>> >> On Tue, Oct 14, 2014 at 7:57 AM, Brett Randall <javabrett@gmail.com>
>>>> >> wrote:
>>>> >>>
>>>> >>> I agree that the use of priv_level is confusing when it is actually
>>>> >>> referring to object_name (of type TABLE or DATABASE).  I don't mind
>>>> >>> the rolling-up of tbl_name or db_name into object_type, although it
>>>> >>> then makes object_type: somewhat misleading.  "[ON object_type
>>>> >>> object_name]" reads well for me.
>>>> >>>
>>>> >>> Anything to correct the incorrect syntax on the wiki page (it is not
>>>> >>> open for edits).
>>>> >>>
>>>> >>> Thanks
>>>> >>> Brett
>>>> >>>
>>>> >>> On 13 October 2014 18:18, Suhas Gogate <vgogate@pivotal.io> wrote:
>>>> >>> > Hmm.. looking at the syntax priv_level does not seem to be a keyword
>>>> >>> > but rather actual name of a table or database.. so why it appears like a
>>>> >>> > keyword
>>>> >>> > Also priv_level is confusing and rather clear syntax should look
>>>> >>> > like below...
>>>> >>> >
>>>> >>> > Again answer to original question from Brett, yes GRANT syntax should
>>>> >>> > be similar to REVOKE but rather priv_level should be removed from REVOKE
>>>> >>> > as well.. :)
>>>> >>> >
>>>> >>> > GRANT
>>>> >>> >     priv_type [(column_list)]
>>>> >>> >       [, priv_type [(column_list)]] ...
>>>> >>> >     [ON object_type]
>>>> >>> >     TO principal_specification [, principal_specification] ...
>>>> >>> >     [WITH GRANT OPTION]
>>>> >>> >
>>>> >>> > REVOKE [GRANT OPTION FOR]
>>>> >>> >     priv_type [(column_list)]
>>>> >>> >       [, priv_type [(column_list)]] ...
>>>> >>> >     [ON object_type]
>>>> >>> >     FROM principal_specification [, principal_specification] ...
>>>> >>> >
>>>> >>> > REVOKE ALL PRIVILEGES, GRANT OPTION
>>>> >>> >     FROM user [, user] ...
>>>> >>> >
>>>> >>> > priv_type:
>>>> >>> >     ALL | ALTER | UPDATE | CREATE | DROP
>>>> >>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
>>>> >>> >
>>>> >>> > object_type:
>>>> >>> >     TABLE tbl_name
>>>> >>> >   | DATABASE db_name
>>>> >>> >
>>>> >>> > principal_specification:
>>>> >>> >     USER user
>>>> >>> >   | GROUP group
>>>> >>> >   | ROLE role
>>>> >>> >
>>>> >>> >
>>>> >>> > On Sat, Oct 11, 2014 at 7:55 PM, Lefty Leverenz
>>>> >>> > <leftyleverenz@gmail.com>
>>>> >>> > wrote:
>>>> >>> >>
>>>> >>> >> Good catch, Brett.  Can we have confirmation from an expert?
>>>> >>> >>
>>>> >>> >> Also, is object_type optional?
>>>> >>> >>
>>>> >>> >> It isn't clear to me why priv_level isn't called object_name.
>>>> >>> >>
>>>> >>> >> -- Lefty
>>>> >>> >>
>>>> >>> >> On Thu, Oct 9, 2014 at 8:23 AM, Brett Randall <javabrett@gmail.com>
>>>> >>> >> wrote:
>>>> >>> >>>
>>>> >>> >>> Hi,
>>>> >>> >>>
>>>> >>> >>> On
>>>> >>> >>> https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
>>>> >>> >>> , GRANT shows as:
>>>> >>> >>>
>>>> >>> >>> GRANT
>>>> >>> >>>     priv_type [(column_list)]
>>>> >>> >>>       [, priv_type [(column_list)]] ...
>>>> >>> >>>     [ON object_type]
>>>> >>> >>>     TO principal_specification [, principal_specification] ...
>>>> >>> >>>     [WITH GRANT OPTION]
>>>> >>> >>>
>>>> >>> >>> Should that not be [ON object_type priv_level], same as REVOKE,
>>>> >>> >>> where:
>>>> >>> >>>
>>>> >>> >>> object_type:
>>>> >>> >>>     TABLE
>>>> >>> >>>   | DATABASE
>>>> >>> >>>
>>>> >>> >>> priv_level:
>>>> >>> >>>     db_name
>>>> >>> >>>   | tbl_name
>>>> >>> >>>
>>>> >>> >>> Thanks
>>>> >>> >>> Brett
>>>> >>> >>
>>>> >>> >>
>>>> >>> >
>>>> >>
>>>> >>
>>>> >
>>>>
>>>
>>>
>>
>
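
Added example, not part of the thread and not Hive's own parser: a small Python validator for the GRANT grammar as proposed above with object_specification, useful for checking documentation samples or reviewing grant scripts. It treats the TABLE/DATABASE and USER/GROUP/ROLE keywords as required, which is the thread's working assumption; `parse_grant` and all sample names are hypothetical.

```python
import re

PRIV_TYPES = set("ALL ALTER UPDATE CREATE DROP INDEX LOCK SELECT SHOW_DATABASE".split())

def parse_grant(stmt):
    """Parse GRANT per the grammar proposed in the thread; raise ValueError otherwise."""
    toks = re.findall(r"\w+|[(),]", stmt)  # simplified tokenizer: words and ( ) ,
    pos = 0
    def peek():
        return toks[pos].upper() if pos < len(toks) else None
    def take(expected=None):
        nonlocal pos
        tok = peek()
        if (tok != expected) if expected else (tok in (None, "(", ")", ",")):
            raise ValueError(f"expected {expected or 'a name'}, got {tok!r}")
        pos += 1
        return toks[pos - 1]
    def comma_list(item):
        items = [item()]
        while peek() == ",":
            take(",")
            items.append(item())
        return items
    def privilege():
        priv, cols = take().upper(), []
        if priv not in PRIV_TYPES:
            raise ValueError(f"unknown priv_type {priv}")
        if peek() == "(":
            take("(")
            cols = comma_list(take)
            take(")")
        return priv, cols
    def typed_name(kinds):  # keyword required: the thread's working assumption
        if peek() not in kinds:
            raise ValueError(f"expected one of {kinds}, got {peek()!r}")
        return take().upper(), take()

    take("GRANT")
    privs = comma_list(privilege)
    obj = None
    if peek() == "ON":
        take("ON")
        obj = typed_name(("TABLE", "DATABASE"))
    take("TO")
    principals = comma_list(lambda: typed_name(("USER", "GROUP", "ROLE")))
    grant_option = peek() == "WITH" and all(take(w) for w in ("WITH", "GRANT", "OPTION"))
    if pos != len(toks):
        raise ValueError(f"unexpected token {toks[pos]!r}")
    return {"privileges": privs, "object": obj, "principals": principals, "grant_option": grant_option}
```

A statement written in the form the wiki originally showed, with a bare name after ON, is rejected, while `ON TABLE tbl_name` and `ON DATABASE db_name` are accepted.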
