By default Sentry does not allow access to any resource unless explicitly granted. A privilege is essentially a rule that grant access to a resource. It spells out how a given resource is allowed to be accessed. For example, a table called customer_info from a database called sales is allowed to access in read mode.

Object Hierarchy in Hive

  • Server
    • URI
    • Database
      • Table
        • Partition
        •  Columns
      • View
      • Index


Privileges can be granted on different objects in the Hive warehouse. Any privilege that can be granted is associated with a level in the object hierarchy. If a privilege is granted on a container object in the hierarchy, the base object automatically inherits it. For instance, if a user has ALL privileges on the database scope, then (s)he has ALL privileges on all of the base objects contained within that scope. The privileges are always positive, not negative - you start from nothing by default, and add privileges.

So if you have a privilege at a higher level in the hierarchy ( e.g. server), you cannot take anything away from this privilege at a lower level (such as database). You can only add finer-grained privileges at the lower levels.

Concrete example: Suppose we have a server which currently has two databases, DB1 and DB2. Any privilege granted at the server level will apply to DB1and DB2, and to any new databases that are created. Let's say we grant SELECT at the server level:

     Server-level    Database-level     Result
DB1  SELECT            -                SELECT
DB2  SELECT            -                SELECT   

Then we could add finer-grained privileges at the database level, e.g. INSERT on database DB2:

     Server-level    Database-level      Result
DB1   SELECT            -                SELECT
DB2   SELECT          INSERT             SELECT,INSERT   

Then if we revoked all database-level privileges on database DB, we are back to where we started:

     Server-level    Database-level      Result
DB1   SELECT            -                SELECT
DB2   SELECT            -                SELECT

Changing lower-level privileges has no effect on the higher levels, which are inherited by the lower levels. This applies to both grant/revoke.

  • No labels