ranger-hive column permission test
Table g005 has columns a and b:
CREATE EXTERNAL TABLE IF NOT EXISTS g005 (a int, b string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',' STORED AS TEXTFILE LOCATION '/t/x/a';
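The test conclusions are as follows:
- In every case, permission on the HDFS path of table g005 must be granted before any operation can be performed.
- With only the select permission on column a granted, and no permission on table g005, select a from g005 works, but select * from g005 does not.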
0: jdbc:hive2://172.16.16.3:7001/default> select a from g005;
+----+
| a |
+----+
+----+
No rows selected (0.128 seconds)
0: jdbc:hive2://172.16.16.3:7001/default> select b from g005;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [gee] does not have [SELECT] privilege on [g01/g005/*] (state=42000,code=40000)
0: jdbc:hive2://172.16.16.3:7001/default> select * from g005;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [gee] does not have [SELECT] privilege on [g01/g005/*] (state=42000,code=40000)
- With the select permission granted on both columns a and b, select * from g005 can be executed.
0: jdbc:hive2://172.16.16.3:7001/default> select b from g005;
+----+
| b |
+----+
+----+
No rows selected (0.13 seconds)
0: jdbc:hive2://172.16.16.3:7001/default> select a from g005;
+----+
| a |
+----+
+----+
No rows selected (0.159 seconds)
0: jdbc:hive2://172.16.16.3:7001/default> select * from g005;
+---------+---------+
| g005.a | g005.b |
+---------+---------+
+---------+---------+
No rows selected (0.123 seconds)
- Columns have no write permission of their own; to update a column, the Hive write permission must be granted at the table level.
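An added example, not part of the original note: a simplified Python model of the column-level check observed above, for predicting which users will fail on select * before column policies are rolled out. The dictionaries follow the shape of Ranger's policy JSON; the service name hive_example, the policy names and the helper names are hypothetical, and deny items, groups and roles are ignored.

```python
import fnmatch

TABLE_COLUMNS = ["a", "b"]  # schema of g005 from the CREATE TABLE statement


def column_policy(name, columns, user="gee"):
    """Constructed sample policy granting `select` on the given g01.g005 columns."""
    return {
        "service": "hive_example",  # hypothetical Ranger service name
        "name": name,
        "resources": {"database": {"values": ["g01"]},
                      "table": {"values": ["g005"]},
                      "column": {"values": list(columns)}},
        "policyItems": [{"users": [user],
                         "accesses": [{"type": "select", "isAllowed": True}]}],
    }


def _matches(resource, name):
    """True if any value of a resource entry matches name (* and ? wildcards)."""
    return any(fnmatch.fnmatchcase(name.lower(), v.lower())
               for v in resource.get("values", []))


def selectable_columns(policies, user, db, table, columns):
    """Columns of db.table on which `user` holds an allowed select access."""
    allowed = set()
    for p in policies:
        res = p["resources"]
        if not (_matches(res.get("database", {}), db)
                and _matches(res.get("table", {}), table)):
            continue
        grants = any(user in item.get("users", [])
                     and any(a["type"] == "select" and a.get("isAllowed")
                             for a in item.get("accesses", []))
                     for item in p.get("policyItems", []))
        if grants:
            allowed |= {c for c in columns if _matches(res.get("column", {}), c)}
    return allowed


def can_select_star(policies, user, db, table, columns):
    """select * passes only when every column of the table is covered."""
    return selectable_columns(policies, user, db, table, columns) == set(columns)
```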
created at 2023-08-11