hive-user mailing list archives

From Suhas Gogate <vgog...@pivotal.io>
Subject Re: DDL wiki GRANT
Date Wed, 15 Oct 2014 03:41:11 GMT

Lefty/Brett,  I did change the wiki.. check if it looks okay.

--Suhas

On Tue, Oct 14, 2014 at 7:34 PM, Lefty Leverenz <leftyleverenz@gmail.com>
wrote:

> One question remains:  in object_specification, are the keywords TABLE and
> DATABASE optional?
>
> At least for TABLE I've seen queries in the test suite that omitted it,
> but that was probably for SQL standards based authorization.  So I guess we
> should assume TABLE and DATABASE are required unless someone says otherwise.
>
> -- Lefty
>
> On Tue, Oct 14, 2014 at 4:48 PM, Lefty Leverenz <leftyleverenz@gmail.com>
> wrote:
>
>> +1
>>
>> -- Lefty
>>
>> On Tue, Oct 14, 2014 at 4:37 PM, Brett Randall <javabrett@gmail.com>
>> wrote:
>>
>>> +1
>>>
>>> On 15 October 2014 07:23, Suhas Gogate <vgogate@pivotal.io> wrote:
>>> > Agree w/ Brett.. so maybe instead of "object_type", we can use
>>> > "object_specification" (similar to principal specification)?
>>> >
>>> > GRANT
>>> >     priv_type [(column_list)]
>>> >       [, priv_type [(column_list)]] ...
>>> >     [ON object_specification]
>>> >     TO principal_specification [, principal_specification] ...
>>> >     [WITH GRANT OPTION]
>>> >
>>> > REVOKE [GRANT OPTION FOR]
>>> >     priv_type [(column_list)]
>>> >       [, priv_type [(column_list)]] ...
>>> >     [ON object_specification]
>>> >     FROM principal_specification [, principal_specification] ...
>>> >
>>> > REVOKE ALL PRIVILEGES, GRANT OPTION
>>> >     FROM user [, user] ...
>>> >
>>> > priv_type:
>>> >     ALL | ALTER | UPDATE | CREATE | DROP
>>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
>>> >
>>> > object_specification:
>>> >     TABLE tbl_name |
>>> >     DATABASE db_name
>>> >
>>> > principal_specification:
>>> >     USER user
>>> >   | GROUP group
>>> >   | ROLE role
>>> >
>>> >
>>> > On Tue, Oct 14, 2014 at 11:06 AM, Lefty Leverenz <leftyleverenz@gmail.com>
>>> > wrote:
>>> >>
>>> >> I'll correct it as soon as we reach consensus.  (Perhaps Thejas will chime
>>> >> in.)
>>> >>
>>> >> If you want to do it yourself, you can get wiki edit privilege quite
>>> >> easily.
>>> >>
>>> >> -- Lefty
>>> >>
>>> >> On Tue, Oct 14, 2014 at 7:57 AM, Brett Randall <javabrett@gmail.com>
>>> >> wrote:
>>> >>>
>>> >>> I agree that the use of priv_level is confusing when it is actually
>>> >>> referring to object_name (of type TABLE or DATABASE).  I don't mind
>>> >>> the rolling-up of tbl_name or db_name into object_type, although it
>>> >>> then makes object_type: somewhat misleading.  "[ON object_type
>>> >>> object_name]" reads well for me.
>>> >>>
>>> >>> Anything to correct the incorrect syntax on the wiki page (it is not
>>> >>> open for edits).
>>> >>>
>>> >>> Thanks
>>> >>> Brett
>>> >>>
>>> >>> On 13 October 2014 18:18, Suhas Gogate <vgogate@pivotal.io> wrote:
>>> >>> > Hmm.. looking at the syntax, priv_level does not seem to be a keyword
>>> >>> > but rather the actual name of a table or database.. so why does it
>>> >>> > appear like a keyword? Also priv_level is confusing, and a rather
>>> >>> > clearer syntax should look like below...
>>> >>> >
>>> >>> > Again, answer to the original question from Brett: yes, GRANT syntax
>>> >>> > should be similar to REVOKE, but rather priv_level should be removed
>>> >>> > from REVOKE as well.. :)
>>> >>> >
>>> >>> > GRANT
>>> >>> >     priv_type [(column_list)]
>>> >>> >       [, priv_type [(column_list)]] ...
>>> >>> >     [ON object_type]
>>> >>> >     TO principal_specification [, principal_specification] ...
>>> >>> >     [WITH GRANT OPTION]
>>> >>> >
>>> >>> > REVOKE [GRANT OPTION FOR]
>>> >>> >     priv_type [(column_list)]
>>> >>> >       [, priv_type [(column_list)]] ...
>>> >>> >     [ON object_type]
>>> >>> >     FROM principal_specification [, principal_specification] ...
>>> >>> >
>>> >>> > REVOKE ALL PRIVILEGES, GRANT OPTION
>>> >>> >     FROM user [, user] ...
>>> >>> >
>>> >>> > priv_type:
>>> >>> >     ALL | ALTER | UPDATE | CREATE | DROP
>>> >>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
>>> >>> >
>>> >>> > object_type:
>>> >>> >     TABLE tbl_name
>>> >>> >   | DATABASE db_name
>>> >>> >
>>> >>> > principal_specification:
>>> >>> >     USER user
>>> >>> >   | GROUP group
>>> >>> >   | ROLE role
>>> >>> >
>>> >>> >
>>> >>> > On Sat, Oct 11, 2014 at 7:55 PM, Lefty Leverenz
>>> >>> > <leftyleverenz@gmail.com>
>>> >>> > wrote:
>>> >>> >>
>>> >>> >> Good catch, Brett.  Can we have confirmation from an expert?
>>> >>> >>
>>> >>> >> Also, is object_type optional?
>>> >>> >>
>>> >>> >> It isn't clear to me why priv_level isn't called object_name.
>>> >>> >>
>>> >>> >> -- Lefty
>>> >>> >>
>>> >>> >> On Thu, Oct 9, 2014 at 8:23 AM, Brett Randall <javabrett@gmail.com>
>>> >>> >> wrote:
>>> >>> >>>
>>> >>> >>> Hi,
>>> >>> >>>
>>> >>> >>> On
>>> >>> >>> https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
>>> >>> >>> , GRANT shows as:
>>> >>> >>>
>>> >>> >>> GRANT
>>> >>> >>>     priv_type [(column_list)]
>>> >>> >>>       [, priv_type [(column_list)]] ...
>>> >>> >>>     [ON object_type]
>>> >>> >>>     TO principal_specification [, principal_specification] ...
>>> >>> >>>     [WITH GRANT OPTION]
>>> >>> >>>
>>> >>> >>> Should that not be [ON object_type priv_level], same as REVOKE,
>>> >>> >>> where:
>>> >>> >>>
>>> >>> >>> object_type:
>>> >>> >>>     TABLE
>>> >>> >>>   | DATABASE
>>> >>> >>>
>>> >>> >>> priv_level:
>>> >>> >>>     db_name
>>> >>> >>>   | tbl_name
>>> >>> >>>
>>> >>> >>> Thanks
>>> >>> >>> Brett
>>> >>> >>
>>> >>> >>
>>> >>> >
>>> >>
>>> >>
>>> >
>>>
>>
>>
>
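
The GRANT grammar proposed in the thread (with `object_specification`), written out as a small recognizer. This is an added example, not part of the thread and not Hive's own parser; `parse_grant` and its helpers are hypothetical names. It assumes case-insensitive keywords, plain-identifier names and a comma-separated `column_list`, none of which the thread specifies, and it treats TABLE and DATABASE as required, as the thread assumes.

```python
import re

# Terminals copied from the grammar quoted in the thread.
PRIV_TYPES = set("ALL ALTER UPDATE CREATE DROP INDEX LOCK SELECT SHOW_DATABASE".split())
OBJECT_KINDS = {"TABLE", "DATABASE"}
PRINCIPAL_KINDS = {"USER", "GROUP", "ROLE"}
NAME = r"[A-Za-z_]\w*"  # assumption: names are plain identifiers

def parse_grant(stmt):
    """Parse one GRANT statement into a dict; raise ValueError if it does not fit."""
    toks, pos = re.findall(r"\w+|\S", stmt) + [""], 0  # "" marks end of input

    def peek():
        return toks[pos].upper()  # assumption: keywords are case-insensitive
    def take(*allowed):  # consume one of the given keywords/symbols, or any name
        nonlocal pos
        tok = toks[pos]
        if not (tok.upper() in allowed if allowed else re.fullmatch(NAME, tok)):
            want = " | ".join(sorted(allowed)) or "a name"
            raise ValueError(f"expected {want}, got {tok or 'end of input'}")
        pos += 1
        return tok
    def comma_list(item):  # item [, item] ...
        items = [item()]
        while peek() == ",":
            take(",")
            items.append(item())
        return items
    def tagged(kinds):  # KEYWORD name, with the keyword mandatory
        return take(*kinds).upper(), take()
    def priv():  # priv_type [(column_list)]; column_list assumed: name [, name] ...
        name, cols = take(*PRIV_TYPES).upper(), []
        if peek() == "(":
            take("(")
            cols = comma_list(take)
            take(")")
        return name, cols

    take("GRANT")
    out = {"privileges": comma_list(priv), "object": None}
    if peek() == "ON":
        take("ON")
        out["object"] = tagged(OBJECT_KINDS)
    take("TO")
    out["principals"] = comma_list(lambda: tagged(PRINCIPAL_KINDS))
    # Whatever remains must be nothing at all or exactly WITH GRANT OPTION.
    out["grant_option"] = [t.upper() for t in toks[pos:-1]] == ["WITH", "GRANT", "OPTION"]
    if toks[pos] and not out["grant_option"]:
        raise ValueError(f"unexpected token {toks[pos]}")
    return out
```

A statement that omits the TABLE or DATABASE keyword after ON, or the USER, GROUP or ROLE keyword after TO, raises `ValueError` instead of being read with a guessed object or principal type.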
