From: Alan Gates
Date: Thu, 26 Mar 2015 08:23:55 -0700
To: user@hive.apache.org
Subject: Re: how to set column level privileges

Column level permissions were added to Hive default authorization in HIVE-5837.  That is why the TBL_COL_PRIV table exists in the metastore.  The problem with default auth is it isn't really secure, as anyone can grant anybody (including themselves) any privilege.

 But Allen is correct that it doesn't work with the SQL Standard Authorization added in Hive 0.14.  The only method using SQL standard auth out of the box is views.  I believe using Apache Ranger (and maybe Apache Sentry, I'm not sure) with SQL standard auth you can get column level privileges.

Alan.

Nitin Pawar
March 26, 2015 at 4:18
Column level security in hive was added at HIVE-5837

It has the PDF link for your readings. 

https://cwiki.apache.org/confluence/display/Hive/AuthDev talks about setting column level permissions 




--
Nitin Pawar
Allen
March 26, 2015 at 4:09

Thanks for your reply.

If we handle the privileges by creating views, it will lead to lots of views in our database.

I found there is a table named TBL_COL_PRIV in hive metastore database, maybe this table is related to column privilege, but it is never used in hive. Anybody know why?



--------------------------------


----- Original Message -----
From: Daniel Haviv <daniel.haviv@veracity-group.com>
To: "user@hive.apache.org" <user@hive.apache.org>
Subject: Re: how to set column level privileges
Date: March 26, 2015 18:42

Create a view with the permitted columns and handle the privileges for it

Daniel

On 26 March 2015, at 12:40, Allen <bjallenwang@sina.com> wrote:

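The view-based approach discussed in this thread, as an added HiveQL example that is not part of any message above. It assumes HiveServer2 is already configured for SQL Standard Based Authorization; the table, view, role and user names are hypothetical.

```sql
-- Constructed example: customers, customers_support, support_analyst and
-- alice are hypothetical names. Run as a user who belongs to the admin role.
SET ROLE ADMIN;

-- Base table mixing non-sensitive and sensitive columns.
CREATE TABLE customers (
  id          BIGINT,
  name        STRING,
  email       STRING,
  national_id STRING,   -- sensitive
  card_number STRING    -- sensitive
);

-- The view exposes only the permitted columns. Under SQL standard auth the
-- view's creator needs SELECT WITH GRANT OPTION on the base table; the table
-- owner has that implicitly.
CREATE VIEW customers_support AS
SELECT id, name, email
FROM customers;

-- Handle privileges through a role, so each view needs one grant no matter
-- how many users read it.
CREATE ROLE support_analyst;
GRANT support_analyst TO USER alice;

-- SELECT on the view only. Nothing is granted on the base table.
GRANT SELECT ON customers_support TO ROLE support_analyst;

-- Review what the role can reach. The second statement should list nothing;
-- any row there means the hidden columns are readable directly.
SHOW GRANT ROLE support_analyst ON TABLE customers_support;
SHOW GRANT ROLE support_analyst ON TABLE customers;

-- Expected behaviour for alice:
--   SELECT id, name FROM customers_support;   -- allowed
--   SELECT national_id FROM customers;        -- denied by authorization
```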