Authorization Syntax
Role Management Commands
Create Role
Syntax
CREATE ROLE role_name
This statement creates a new role. Only the admin role has this privilege. The role names ALL, DEFAULT and NONE are reserved.
Drop Role
Syntax
DROP ROLE role_name
Drops a role. Only admin has this privilege.
Show Current Roles
Syntax
SHOW CURRENT ROLES
Shows all roles the user currently has active. Inceptor authorizes a user's actions based on the user's privileges and the user's current roles.
By default, the current roles include all of the user's roles except the admin role (even if the user also belongs to the admin role).
Any user can run this command.
Set Role
Syntax
SET ROLE (role_name|ALL)
If a role name is specified, that role becomes the user's only current role. Specifying ALL refreshes the list of current roles (picking up any roles granted to the user in the meantime) and sets the current roles to the default list of roles. If a role the user does not belong to is specified as role_name, Inceptor reports an error.
Show Roles
Syntax
SHOW ROLES
Shows all existing roles. Only admin has this privilege.
Grant Role
Syntax
GRANT role_name [, role_name] ...
TO principal_specification [, principal_specification] ...
[ WITH ADMIN OPTION ]
principal_specification
: USER user
| ROLE role
Grants one or more roles to roles or users. If the WITH ADMIN OPTION keywords are included, the grantee is allowed to grant the received role to other roles or users. If a grant statement would create a cyclic relationship among roles, Inceptor reports an error.
Example of a cyclic relationship
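The following session is an added illustration, not an example from the original page: it builds a small role hierarchy, grants a role WITH ADMIN OPTION, then attempts the grant that would close a cycle. The role names reader and analyst and the user name alice are assumed; the exact error message Inceptor prints for the cycle is not reproduced here.

```sql
-- Added example; role and user names are assumed, not taken from the page.
-- The default current roles exclude admin, so an admin user activates it
-- explicitly before running admin-only statements such as CREATE ROLE.
SET ROLE admin;

CREATE ROLE reader;
CREATE ROLE analyst;

-- Build a hierarchy: every member of analyst is also a reader.
GRANT reader TO ROLE analyst;

-- alice receives analyst WITH ADMIN OPTION, so she may pass the analyst
-- role on to other users or roles.
GRANT analyst TO USER alice WITH ADMIN OPTION;

-- Inspect the membership of the analyst role (admin only).
SHOW PRINCIPALS analyst;

-- This grant would make reader contain analyst while analyst already
-- contains reader, closing a cycle; Inceptor rejects it with an error.
GRANT analyst TO ROLE reader;

-- Take back only the right to re-grant; alice keeps the analyst role itself.
REVOKE ADMIN OPTION FOR analyst FROM USER alice;

-- Confirm what alice now holds.
SHOW ROLE GRANT USER alice;
```

Granting roles to roles rather than privileges to individual users keeps the hierarchy reviewable with SHOW PRINCIPALS and SHOW ROLE GRANT, and revoking only the ADMIN OPTION is the least disruptive way to stop a user from extending the hierarchy further.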
Revoke Role
Syntax
REVOKE [ADMIN OPTION FOR] role_name [, role_name] ...
FROM principal_specification [, principal_specification] ... ;
principal_specification
: USER user
| ROLE role
Revokes roles from the specified users or roles.
Show Role Grant
Syntax
SHOW ROLE GRANT (USER|ROLE) principal_name
principal_name
: user_name
| role_name
Lists all roles granted to the specified role or user.
Example
0: jdbc:hive2://localhost:10000> GRANT role1 TO USER user1;
No rows affected (0.058 seconds)
0: jdbc:hive2://localhost:10000> SHOW ROLE GRANT USER user1;
+---------+---------------+----------------+----------+
| role    | grant_option  | grant_time     | grantor  |
+---------+---------------+----------------+----------+
| public  | false         | 0              |          |
| role1   | false         | 1398284083000  | uadmin   |
+---------+---------------+----------------+----------+
Show Principals
Syntax
SHOW PRINCIPALS role_name
Lists all roles and users that belong to the specified role. Only the admin role has this privilege.
Example
0: jdbc:hive2://localhost:10000> SHOW PRINCIPALS role1;
+-----------------+-----------------+---------------+----------+---------------+----------------+
| principal_name  | principal_type  | grant_option  | grantor  | grantor_type  | grant_time     |
+-----------------+-----------------+---------------+----------+---------------+----------------+
| role2           | ROLE            | false         | uadmin   | USER          | 1398285926000  |
| role3           | ROLE            | true          | uadmin   | USER          | 1398285946000  |
| user1           | USER            | false         | uadmin   | USER          | 1398285977000  |
+-----------------+-----------------+---------------+----------+---------------+----------------+
Managing Object Privileges
GRANT
Syntax
GRANT priv_type [, priv_type ] ...
ON table_or_view_name
TO principal_specification [, principal_specification] ...
[WITH GRANT OPTION];
principal_specification
: USER user
| ROLE role
REVOKE
Syntax
REVOKE [GRANT OPTION FOR]
priv_type [, priv_type ] ...
ON table_or_view_name
FROM principal_specification [, principal_specification] ... ;
principal_specification
: USER user
| ROLE role
priv_type
: INSERT | SELECT | UPDATE | DELETE | ALL
If a user was granted privileges on a table or view WITH GRANT OPTION, that user can also grant the same privileges to other users or roles, and revoke them from other users or roles.
SHOW GRANT
Syntax
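As an added example (not code from the original page), the session below grants table privileges to roles rather than directly to users, gives one user a privilege WITH GRANT OPTION, and then revokes only that grant option. The table name orders, the roles reader and analyst and the user bob are assumed.

```sql
-- Added example; the table, roles and user are assumed, not taken from the page.
-- Grant to roles rather than users, so changing who is a reader or analyst
-- means changing role membership, not re-issuing privileges on every table.
GRANT SELECT ON orders TO ROLE reader;

-- The analyst role may write as well as read.
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO ROLE analyst;

-- bob may read the table and may also pass SELECT on it to others.
GRANT SELECT ON orders TO USER bob WITH GRANT OPTION;

-- Review who holds what on the table, in total and for one principal.
SHOW GRANT ON TABLE orders;
SHOW GRANT bob ON TABLE orders;

-- Remove only bob's ability to re-grant; his own SELECT remains in place.
REVOKE GRANT OPTION FOR SELECT ON orders FROM USER bob;

-- Drop the write privileges from analyst while leaving SELECT intact.
REVOKE INSERT, UPDATE, DELETE ON orders FROM ROLE analyst;
```

Privileges granted WITH GRANT OPTION can spread beyond the original grantee, so reviewing SHOW GRANT output for grant_option = true is a quick way to find principals who can extend access on their own.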
SHOW GRANT [principal_name] ON (ALL | [TABLE] table_or_view_name)
principal_name
: user_name
| role_name