GRANT Statement (Impala 2.0 or higher only)

The GRANT statement grants a privilege on a specified object to a role, to a user, or to a group. The statement is also used to grant a role to a group.

Syntax:

The following syntax are supported in Impala through Ranger to manage authorization.

GRANT ROLE TO GROUP

For GRANT ROLE TO GROUP, only Ranger administrative users can grant roles to a group.

  1. GRANT ROLE role_name TO GROUP group_name

GRANT privilege ON object TO PRINCIPAL

For GRANT privilege ON object TO principal (a user, a group, or a role), Ranger administrative users can use this statement. If the privilege is granted with the clause of WITH GRANT OPTION, the grantee (the user, the users belonging to the group, or the users belonging to the group granted the role) is able to grant the privilege to other principals.

  1. GRANT privilege ON object_type object_name
  2. TO USER user_name
  3. GRANT privilege ON object_type object_name
  4. TO GROUP group_name
  5. GRANT privilege ON object_type object_name
  6. TO ROLE role_name
  7. privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name)
  8. object_type ::= SERVER | URI | DATABASE | TABLE

Typically, the object_name is an identifier. For URIs, it is a string literal.

Required privileges:

Only administrative users for Ranger can use this statement.

Only Ranger administrative users can grant roles to a group.

The WITH GRANT OPTION clause allows members of the specified role to issue GRANT and REVOKE statements for those same privileges. Hence, if a role has the ALL privilege on a database and the WITH GRANT OPTION set, users granted that role can execute GRANT/REVOKE statements only for that database or child tables of the database. This means a user could revoke the privileges of the user that provided them the GRANT OPTION.

The ability to grant or revoke SELECT privilege on specific columns is available in Impala 2.3 and higher. See the documentation for Apache Sentry for details.

Usage notes:

You can only grant the ALL privilege to the URI object. Finer-grained privileges mentioned below on a URI are not supported.

The table below lists the minimum level of privileges and the scope required to execute SQL statements in Impala 3.0 and higher. The following notations are used:

  • The SERVER resource type in Ranger implies all databases, all tables, all columns, all UDFs, and all URIs.
  • ANY denotes the SELECT, INSERT, CREATE, ALTER, DROP, or REFRESH privilege.
  • ALL privilege denotes the SELECT, INSERT, CREATE, ALTER, DROP, and REFRESH privileges.
  • The owner of an object effectively has the ALL privilege on the object.
  • The parent levels of the specified scope are implicitly supported where a scope refers to the specific level in the object hierarchy that the privilege is granted. For example, if a privilege is listed with the TABLE scope, the same privilege granted on DATABASE and SERVER will allow the user to execute the specified SQL statement.
SQL StatementPrivilegesObject Type /

Resource Type

SELECTSELECTTABLE
WITH SELECTSELECTTABLE
EXPLAIN SELECTSELECTTABLE
INSERTINSERTTABLE
EXPLAIN INSERTINSERTTABLE
TRUNCATEINSERTTABLE
LOADINSERTTABLE
 ALLURI
CREATE DATABASECREATESERVER
CREATE DATABASE LOCATIONCREATESERVER
 ALLURI
CREATE TABLECREATEDATABASE
CREATE TABLE LIKECREATEDATABASE
 SELECT, INSERT, or REFRESHTABLE
CREATE TABLE AS SELECTCREATEDATABASE
 INSERTDATABASE
 SELECTTABLE
EXPLAIN CREATE TABLE AS SELECTCREATEDATABASE
 INSERTDATABASE
 SELECTTABLE
CREATE TABLE LOCATIONCREATETABLE
 ALLURI
CREATE VIEWCREATEDATABASE
 SELECTTABLE
ALTER DATABASE SET OWNERALL WITH GRANTDATABASE
ALTER TABLEALTERTABLE
ALTER TABLE SET LOCATIONALTERTABLE
 ALLURI
ALTER TABLE RENAMECREATEDATABASE
 ALLTABLE
ALTER TABLE SET OWNERALL WITH GRANTTABLE
ALTER VIEWALTERTABLE
 SELECTTABLE
ALTER VIEW RENAMECREATEDATABASE
 ALLTABLE
ALTER VIEW SET OWNERALL WITH GRANTVIEW
DROP DATABASEDROPDATABASE
DROP TABLEDROPTABLE
DROP VIEWDROPTABLE
CREATE FUNCTIONCREATEDATABASE
 ALLURI
DROP FUNCTIONDROPDATABASE
COMPUTE STATSALTER and SELECTTABLE
DROP STATSALTERTABLE
INVALIDATE METADATAREFRESHSERVER
INVALIDATE METADATA <table>REFRESHTABLE
REFRESH <table>REFRESHTABLE
REFRESH AUTHORIZATIONREFRESHSERVER
REFRESH FUNCTIONSREFRESHDATABASE
COMMENT ON DATABASEALTERDATABASE
COMMENT ON TABLEALTERTABLE
COMMENT ON VIEWALTERTABLE
COMMENT ON COLUMNALTERTABLE
DESCRIBE DATABASESELECT, INSERT, or REFRESHDATABASE
DESCRIBE <table/view>SELECT, INSERT, or REFRESHTABLE
If the user has the SELECT privilege at the COLUMN level, only the columns the user has access will show.SELECTCOLUMN
USEANYTABLE
SHOW DATABASESANYTABLE
SHOW TABLESANYTABLE
SHOW FUNCTIONSSELECT, INSERT, or REFRESHDATABASE
SHOW PARTITIONSSELECT, INSERT, or REFRESHTABLE
SHOW TABLE STATSSELECT, INSERT, or REFRESHTABLE
SHOW COLUMN STATSSELECT, INSERT, or REFRESHTABLE
SHOW FILESSELECT, INSERT, or REFRESHTABLE
SHOW CREATE TABLESELECT, INSERT, or REFRESHTABLE
SHOW CREATE VIEWSELECT, INSERT, or REFRESHTABLE
SHOW CREATE FUNCTIONSELECT, INSERT, or REFRESHDATABASE
SHOW RANGE PARTITIONS (Kudu only)SELECT, INSERT, or REFRESHTABLE
UPDATE (Kudu only)ALLTABLE
EXPLAIN UPDATE (Kudu only)ALLTABLE
UPSERT (Kudu only)ALLTABLE
WITH UPSERT (Kudu only)ALLTABLE
EXPLAIN UPSERT (Kudu only)ALLTABLE
DELETE (Kudu only)ALLTABLE
EXPLAIN DELETE (Kudu only)ALLTABLE

Compatibility:

  • The Impala GRANT and REVOKE statements are available in Impala 2.0 and later.
  • In general, Impala can make use of any roles and privileges specified by the GRANT and REVOKE statements in Hive, when your system is configured to use the Ranger service instead of the file-based policy mechanism.
  • Currently, each Impala GRANT or REVOKE statement can only grant or revoke a single privilege to or from a single role.

Cancellation: Cannot be cancelled.

HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.

Kudu considerations:

Access to Kudu tables must be granted to and revoked from principal with the following considerations:

  • Only users with the ALL privilege on SERVER can create external Kudu tables.
  • The ALL privileges on SERVER is required to specify the kudu.master_addresses property in the CREATE TABLE statements for managed tables as well as external tables.
  • Access to Kudu tables is enforced at the table level and at the column level.
  • The SELECT- and INSERT-specific permissions are supported.
  • The DELETE, UPDATE, and UPSERT operations require the ALL privilege.

Related information:

Impala Authorization, REVOKE Statement (Impala 2.0 or higher only), CREATE ROLE Statement (Impala 2.0 or higher only), DROP ROLE Statement (Impala 2.0 or higher only), SHOW Statement

Parent topic: Impala SQL Statements