GRANT Statement (Impala 2.0 or higher only)
The GRANT
statement grants a privilege on a specified object to a role, to a user, or to a group. The statement is also used to grant a role to a group.
Syntax:
The following syntax are supported in Impala through Ranger to manage authorization.
GRANT ROLE TO GROUP
For GRANT ROLE TO GROUP
, only Ranger administrative users can grant roles to a group.
GRANT ROLE role_name TO GROUP group_name
GRANT privilege ON object TO PRINCIPAL
For GRANT privilege ON object TO principal (a user, a group, or a role), Ranger administrative users can use this statement. If the privilege is granted with the clause of WITH GRANT OPTION, the grantee (the user, the users belonging to the group, or the users belonging to the group granted the role) is able to grant the privilege to other principals.
GRANT privilege ON object_type object_name
TO USER user_name
GRANT privilege ON object_type object_name
TO GROUP group_name
GRANT privilege ON object_type object_name
TO ROLE role_name
privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name)
object_type ::= SERVER | URI | DATABASE | TABLE
Typically, the object_name
is an identifier. For URIs, it is a string literal.
Required privileges:
Only administrative users for Ranger can use this statement.
Only Ranger administrative users can grant roles to a group.
The WITH GRANT OPTION
clause allows members of the specified role to issue GRANT
and REVOKE
statements for those same privileges. Hence, if a role has the ALL
privilege on a database and the WITH GRANT OPTION
set, users granted that role can execute GRANT
/REVOKE
statements only for that database or child tables of the database. This means a user could revoke the privileges of the user that provided them the GRANT OPTION
.
The ability to grant or revoke SELECT
privilege on specific columns is available in Impala 2.3 and higher. See the documentation for Apache Sentry for details.
Usage notes:
You can only grant the ALL
privilege to the URI
object. Finer-grained privileges mentioned below on a URI
are not supported.
The table below lists the minimum level of privileges and the scope required to execute SQL statements in Impala 3.0 and higher. The following notations are used:
- The SERVER resource type in Ranger implies all databases, all tables, all columns, all UDFs, and all URIs.
- ANY denotes the
SELECT
,INSERT
,CREATE
,ALTER
,DROP
, orREFRESH
privilege. - ALL privilege denotes the
SELECT
,INSERT
,CREATE
,ALTER
,DROP
, andREFRESH
privileges. - The owner of an object effectively has the ALL privilege on the object.
- The parent levels of the specified scope are implicitly supported where a scope refers to the specific level in the object hierarchy that the privilege is granted. For example, if a privilege is listed with the
TABLE
scope, the same privilege granted onDATABASE
andSERVER
will allow the user to execute the specified SQL statement.
SQL Statement | Privileges | Object Type / Resource Type |
SELECT | SELECT | TABLE |
WITH SELECT | SELECT | TABLE |
EXPLAIN SELECT | SELECT | TABLE |
INSERT | INSERT | TABLE |
EXPLAIN INSERT | INSERT | TABLE |
TRUNCATE | INSERT | TABLE |
LOAD | INSERT | TABLE |
ALL | URI | |
CREATE DATABASE | CREATE | SERVER |
CREATE DATABASE LOCATION | CREATE | SERVER |
ALL | URI | |
CREATE TABLE | CREATE | DATABASE |
CREATE TABLE LIKE | CREATE | DATABASE |
SELECT, INSERT, or REFRESH | TABLE | |
CREATE TABLE AS SELECT | CREATE | DATABASE |
INSERT | DATABASE | |
SELECT | TABLE | |
EXPLAIN CREATE TABLE AS SELECT | CREATE | DATABASE |
INSERT | DATABASE | |
SELECT | TABLE | |
CREATE TABLE LOCATION | CREATE | TABLE |
ALL | URI | |
CREATE VIEW | CREATE | DATABASE |
SELECT | TABLE | |
ALTER DATABASE SET OWNER | ALL WITH GRANT | DATABASE |
ALTER TABLE | ALTER | TABLE |
ALTER TABLE SET LOCATION | ALTER | TABLE |
ALL | URI | |
ALTER TABLE RENAME | CREATE | DATABASE |
ALL | TABLE | |
ALTER TABLE SET OWNER | ALL WITH GRANT | TABLE |
ALTER VIEW | ALTER | TABLE |
SELECT | TABLE | |
ALTER VIEW RENAME | CREATE | DATABASE |
ALL | TABLE | |
ALTER VIEW SET OWNER | ALL WITH GRANT | VIEW |
DROP DATABASE | DROP | DATABASE |
DROP TABLE | DROP | TABLE |
DROP VIEW | DROP | TABLE |
CREATE FUNCTION | CREATE | DATABASE |
ALL | URI | |
DROP FUNCTION | DROP | DATABASE |
COMPUTE STATS | ALTER and SELECT | TABLE |
DROP STATS | ALTER | TABLE |
INVALIDATE METADATA | REFRESH | SERVER |
INVALIDATE METADATA <table> | REFRESH | TABLE |
REFRESH <table> | REFRESH | TABLE |
REFRESH AUTHORIZATION | REFRESH | SERVER |
REFRESH FUNCTIONS | REFRESH | DATABASE |
COMMENT ON DATABASE | ALTER | DATABASE |
COMMENT ON TABLE | ALTER | TABLE |
COMMENT ON VIEW | ALTER | TABLE |
COMMENT ON COLUMN | ALTER | TABLE |
DESCRIBE DATABASE | SELECT, INSERT, or REFRESH | DATABASE |
DESCRIBE <table/view> | SELECT, INSERT, or REFRESH | TABLE |
If the user has the SELECT privilege at the COLUMN level, only the columns the user has access will show. | SELECT | COLUMN |
USE | ANY | TABLE |
SHOW DATABASES | ANY | TABLE |
SHOW TABLES | ANY | TABLE |
SHOW FUNCTIONS | SELECT, INSERT, or REFRESH | DATABASE |
SHOW PARTITIONS | SELECT, INSERT, or REFRESH | TABLE |
SHOW TABLE STATS | SELECT, INSERT, or REFRESH | TABLE |
SHOW COLUMN STATS | SELECT, INSERT, or REFRESH | TABLE |
SHOW FILES | SELECT, INSERT, or REFRESH | TABLE |
SHOW CREATE TABLE | SELECT, INSERT, or REFRESH | TABLE |
SHOW CREATE VIEW | SELECT, INSERT, or REFRESH | TABLE |
SHOW CREATE FUNCTION | SELECT, INSERT, or REFRESH | DATABASE |
SHOW RANGE PARTITIONS (Kudu only) | SELECT, INSERT, or REFRESH | TABLE |
UPDATE (Kudu only) | ALL | TABLE |
EXPLAIN UPDATE (Kudu only) | ALL | TABLE |
UPSERT (Kudu only) | ALL | TABLE |
WITH UPSERT (Kudu only) | ALL | TABLE |
EXPLAIN UPSERT (Kudu only) | ALL | TABLE |
DELETE (Kudu only) | ALL | TABLE |
EXPLAIN DELETE (Kudu only) | ALL | TABLE |
Compatibility:
- The Impala
GRANT
andREVOKE
statements are available in Impala 2.0 and later. - In general, Impala can make use of any roles and privileges specified by the
GRANT
andREVOKE
statements in Hive, when your system is configured to use the Ranger service instead of the file-based policy mechanism. - Currently, each Impala
GRANT
orREVOKE
statement can only grant or revoke a single privilege to or from a single role.
Cancellation: Cannot be cancelled.
HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.
Kudu considerations:
Access to Kudu tables must be granted to and revoked from principal with the following considerations:
- Only users with the
ALL
privilege onSERVER
can create external Kudu tables. - The
ALL
privileges onSERVER
is required to specify thekudu.master_addresses
property in theCREATE TABLE
statements for managed tables as well as external tables. - Access to Kudu tables is enforced at the table level and at the column level.
- The
SELECT
- andINSERT
-specific permissions are supported. - The
DELETE
,UPDATE
, andUPSERT
operations require theALL
privilege.
Related information:
Impala Authorization, REVOKE Statement (Impala 2.0 or higher only), CREATE ROLE Statement (Impala 2.0 or higher only), DROP ROLE Statement (Impala 2.0 or higher only), SHOW Statement
Parent topic: Impala SQL Statements