hive-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lefty Leverenz <leftylever...@gmail.com>
Subject Re: DDL wiki GRANT
Date Wed, 15 Oct 2014 03:49:52 GMT
Well done.  Thanks very much.

-- Lefty

On Tue, Oct 14, 2014 at 11:48 PM, Suhas Gogate <vgogate@pivotal.io> wrote:

> Done! Thx. That where Brett's question originated :)
>
> On Tue, Oct 14, 2014 at 8:45 PM, Lefty Leverenz <leftyleverenz@gmail.com>
> wrote:
>
>> Looks good, except that you forgot to change the GRANT syntax
>> <https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges>
>> -- it still says object_type.
>>
>> -- Lefty
>>
>> On Tue, Oct 14, 2014 at 11:41 PM, Suhas Gogate <vgogate@pivotal.io>
>> wrote:
>>
>>> Lefty/Brett,  I did change the wiki.. check if it looks okay.  --Suhas
>>>
>>> On Tue, Oct 14, 2014 at 7:34 PM, Lefty Leverenz <leftyleverenz@gmail.com
>>> > wrote:
>>>
>>>> One question remains:  in object_specification, are the keywords TABLE
>>>> and DATABASE optional?
>>>>
>>>> At least for TABLE I've seen queries in the test suite that omitted it,
>>>> but that was probably for SQL standards based authorization.  So I guess
we
>>>> should assume TABLE and DATABASE are required unless someone says otherwise.
>>>>
>>>> -- Lefty
>>>>
>>>> On Tue, Oct 14, 2014 at 4:48 PM, Lefty Leverenz <
>>>> leftyleverenz@gmail.com> wrote:
>>>>
>>>>> +1
>>>>>
>>>>> -- Lefty
>>>>>
>>>>> On Tue, Oct 14, 2014 at 4:37 PM, Brett Randall <javabrett@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> +1
>>>>>>
>>>>>> On 15 October 2014 07:23, Suhas Gogate <vgogate@pivotal.io>
wrote:
>>>>>> > Agree w/ Brett.. so may be instead of "object_type", we can
use
>>>>>> > "object_specification" (similar to principal specification)?
>>>>>> >
>>>>>> > GRANT
>>>>>> >     priv_type [(column_list)]
>>>>>> >       [, priv_type [(column_list)]] ...
>>>>>> >     [ON object_specification]
>>>>>> >     TO principal_specification [, principal_specification] ...
>>>>>> >     [WITH GRANT OPTION]
>>>>>> >
>>>>>> > REVOKE [GRANT OPTION FOR]
>>>>>> >     priv_type [(column_list)]
>>>>>> >       [, priv_type [(column_list)]] ...
>>>>>> >     [ON object_specification]
>>>>>> >     FROM principal_specification [, principal_specification]
...
>>>>>> >
>>>>>> > REVOKE ALL PRIVILEGES, GRANT OPTION
>>>>>> >     FROM user [, user] ...
>>>>>> >
>>>>>> > priv_type:
>>>>>> >     ALL | ALTER | UPDATE | CREATE | DROP
>>>>>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
>>>>>> >
>>>>>> > object_specification:
>>>>>> >     TABLE tbl_name |
>>>>>> >     DATABASE db_name
>>>>>> >
>>>>>> > principal_specification:
>>>>>> >     USER user
>>>>>> >   | GROUP group
>>>>>> >   | ROLE role
>>>>>> >
>>>>>> >
>>>>>> > On Tue, Oct 14, 2014 at 11:06 AM, Lefty Leverenz <
>>>>>> leftyleverenz@gmail.com>
>>>>>> > wrote:
>>>>>> >>
>>>>>> >> I'll correct it as soon as we reach consensus.  (Perhaps
Thejas
>>>>>> will chime
>>>>>> >> in.)
>>>>>> >>
>>>>>> >> If you want to do it yourself, you can get wiki edit privilege
>>>>>> quite
>>>>>> >> easily.
>>>>>> >>
>>>>>> >> -- Lefty
>>>>>> >>
>>>>>> >> On Tue, Oct 14, 2014 at 7:57 AM, Brett Randall <
>>>>>> javabrett@gmail.com>
>>>>>> >> wrote:
>>>>>> >>>
>>>>>> >>> I agree that the use of priv_level is confusing when
it is
>>>>>> actually
>>>>>> >>> referring to object_name (of type TABLE or DATABASE).
 I don't
>>>>>> mind
>>>>>> >>> the rolling-up of tbl_name or db_name into object_type,
although
>>>>>> it
>>>>>> >>> then makes object_type: somewhat misleading.  "[ON object_type
>>>>>> >>> object_name]" reads well for me.
>>>>>> >>>
>>>>>> >>> Anything to correct the incorrect syntax on the wiki
page (it is
>>>>>> not
>>>>>> >>> open for edits).
>>>>>> >>>
>>>>>> >>> Thanks
>>>>>> >>> Brett
>>>>>> >>>
>>>>>> >>> On 13 October 2014 18:18, Suhas Gogate <vgogate@pivotal.io>
>>>>>> wrote:
>>>>>> >>> > Hmm.. looking at the syntax priv_level does not
seem to be a
>>>>>> keyword
>>>>>> >>> > but
>>>>>> >>> > rather actual name of a table or database.. so
why it appears
>>>>>> like a
>>>>>> >>> > keyword
>>>>>> >>> > Also priv_level is confusing and rather clear syntax
would
>>>>>> should look
>>>>>> >>> > like
>>>>>> >>> > below...
>>>>>> >>> >
>>>>>> >>> > Again answer to original question from Brett, yes
GRANT syntax
>>>>>> should
>>>>>> >>> > be
>>>>>> >>> > similar to REVOKE but rather priv_level should
be removed from
>>>>>> REVOKE
>>>>>> >>> > as
>>>>>> >>> > well.. :)
>>>>>> >>> >
>>>>>> >>> > GRANT
>>>>>> >>> >     priv_type [(column_list)]
>>>>>> >>> >       [, priv_type [(column_list)]] ...
>>>>>> >>> >     [ON object_type]
>>>>>> >>> >     TO principal_specification [, principal_specification]
...
>>>>>> >>> >     [WITH GRANT OPTION]
>>>>>> >>> >
>>>>>> >>> > REVOKE [GRANT OPTION FOR]
>>>>>> >>> >     priv_type [(column_list)]
>>>>>> >>> >       [, priv_type [(column_list)]] ...
>>>>>> >>> >     [ON object_type]
>>>>>> >>> >     FROM principal_specification [, principal_specification]
...
>>>>>> >>> >
>>>>>> >>> > REVOKE ALL PRIVILEGES, GRANT OPTION
>>>>>> >>> >     FROM user [, user] ...
>>>>>> >>> >
>>>>>> >>> > priv_type:
>>>>>> >>> >     ALL | ALTER | UPDATE | CREATE | DROP
>>>>>> >>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
>>>>>> >>> >
>>>>>> >>> > object_type:
>>>>>> >>> >     TABLE tbl_name
>>>>>> >>> >   | DATABASE db_name
>>>>>> >>> >
>>>>>> >>> > principal_specification:
>>>>>> >>> >     USER user
>>>>>> >>> >   | GROUP group
>>>>>> >>> >   | ROLE role
>>>>>> >>> >
>>>>>> >>> >
>>>>>> >>> > On Sat, Oct 11, 2014 at 7:55 PM, Lefty Leverenz
>>>>>> >>> > <leftyleverenz@gmail.com>
>>>>>> >>> > wrote:
>>>>>> >>> >>
>>>>>> >>> >> Good catch, Brett.  Can we have confirmation
from an expert?
>>>>>> >>> >>
>>>>>> >>> >> Also, is object_type optional?
>>>>>> >>> >>
>>>>>> >>> >> It isn't clear to me why priv_level isn't called
object_name.
>>>>>> >>> >>
>>>>>> >>> >> -- Lefty
>>>>>> >>> >>
>>>>>> >>> >> On Thu, Oct 9, 2014 at 8:23 AM, Brett Randall
<
>>>>>> javabrett@gmail.com>
>>>>>> >>> >> wrote:
>>>>>> >>> >>>
>>>>>> >>> >>> Hi,
>>>>>> >>> >>>
>>>>>> >>> >>> On
>>>>>> >>> >>>
>>>>>> >>> >>>
>>>>>> https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
>>>>>> >>> >>> , GRANT shows as:
>>>>>> >>> >>>
>>>>>> >>> >>> GRANT
>>>>>> >>> >>>     priv_type [(column_list)]
>>>>>> >>> >>>       [, priv_type [(column_list)]] ...
>>>>>> >>> >>>     [ON object_type]
>>>>>> >>> >>>     TO principal_specification [, principal_specification]
...
>>>>>> >>> >>>     [WITH GRANT OPTION]
>>>>>> >>> >>>
>>>>>> >>> >>> Should that not be [ON object_type priv_level],
same as
>>>>>> REVOKE,
>>>>>> >>> >>> where:
>>>>>> >>> >>>
>>>>>> >>> >>> object_type:
>>>>>> >>> >>>     TABLE
>>>>>> >>> >>>   | DATABASE
>>>>>> >>> >>>
>>>>>> >>> >>> priv_level:
>>>>>> >>> >>>     db_name
>>>>>> >>> >>>   | tbl_name
>>>>>> >>> >>>
>>>>>> >>> >>> Thanks
>>>>>> >>> >>> Brett
>>>>>> >>> >>
>>>>>> >>> >>
>>>>>> >>> >
>>>>>> >>
>>>>>> >>
>>>>>> >
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

Mime
View raw message