Required Permissions

Updated on 2022-09-14 GMT+08:00

View PDF

Before developing an application based on this guide, ensure that the basic permissions of the users belong to a Hive group and obtain additional operation permissions from the system administrator. Table 1 describes the permission required for each operation. To run example programs, you must have the create permission for the default database.

**Table 1** Required permissions
Operation Type/Functional Object	Operation	Required Permission
DATABASE	CREATE DATABASE dbname [LOCATION "hdfs_path"]	If the HDFS path hdfs_path is specified, the ownership and RWX permission of hdfs_path are required.
	DROP DATABASE dbname	The database dbname ownership is required.
	ALTER DATABASE dbname SET OWNER user_or_role	The admin permission is required.
TABLE	CREATE TABLE table_a	The create permission for the database is required.
	CREATE TABLE table_a AS SELECT table_b	The create permission for the database and the select permission for table_b are required.
	CREATE TABLE table_a LIKE table_b	The create permission for the database is required.
	CREATE [EXTERNAL] TABLE table_a LOCATION "hdfs_path"	The create permission for the database, and the ownership and RWX permission of hdfs_path on HDFS are required.
	DROP TABLE table_a	The ownership of table_a is required.
	ALTER TABLE table_a SET LOCATION "hdfs_path"	The ownership of table_a, and the ownership and RWX permission of hdfs_path on HDFS are required.
	ALTER TABLE table_a SET FILEFORMAT	The ownership of table_a is required.
	TRUNCATE TABLE table_a	The ownership of table_a is required.
	ANALYZE TABLE table_a COMPUTE STATISTICS	The select and insert permission for table_a is required.
	SHOW TBLPROPERTIES table_a	The select permission for table_a is required.
	SHOW CREATE TABLE table_a	The select permission with grant option for table_a is required.
Alter	ALTER TABLE table_a ADD COLUMN	The ownership of table_a is required.
	ALTER TABLE table_a REPLACE COLUMN	The ownership of table_a is required.
	ALTER TABLE table_a RENAME	The ownership of table_a is required.
	ALTER TABLE table_a SET SERDE	The ownership of table_a is required.
	ALTER TABLE table_a CLUSTER BY	The ownership of table_a is required.
PARTITION	ALTER TABLE table_a ADD PARTITION partition_spec LOCATION "hdfs_path"	The insert permission for table_a, and the ownership and RWX permission of hdfs_path on HDFS are required.
	ALTER TABLE table_a DROP PARTITION partition_spec	The delete permission for table_a is required.
	ALTER TABLE table_a PARTITION partition_spec SET LOCATION "hdfs_path"	The ownership of table_a, and the ownership and RWX permission of hdfs_path on HDFS are required.
	ALTER TABLE table_a PARTITION partition_spec SET FILEFORMAT	The ownership of table_a is required.
LOAD	LOAD INPATH 'hdfs_path' INTO TABLE table_a	The insert permission for table_a, and the ownership and RWX permission of hdfs_path on HDFS are required.
INSERT	INSERT TABLE table_a SELECT FROM table_b	The update permission for table_a and select permission for table_b are required.
SELECT	SELECT * FROM table_a	The select permission for table_a is required.
	SELECT FROM table_a JOIN table_b	The select permission for table_a and table_b, the Submit permission of the default Yarn queue is required.
	SELECT FROM (SELECT FROM table_a UNION ALL SELECT FROM table_b)	The select permission for table_a and table_b, the Submit permission of the default Yarn queue is required.
EXPLAIN	EXPLAIN [EXTENDED\|DEPENDENCY] query	The RX permissions for related table directory is required.
VIEW	CREATE VIEW view_name AS SELECT ...	The select permission with grant option for related tables is required.
	ALTER VIEW view_name RENAME TO new_view_name	The ownership of view_name is required.
	DROP VIEW view_name	The ownership of view_name is required.
INDEX	CREATE INDEX index_name ON TABLE base_table_name (col_name, ...) AS index_type	The ownership of table_a is required.
	DROP INDEX index_name ON table_name	The ownership of index_name is required.
	ALTER INDEX index_name ON table_name REBUILD	The ownership of index_name is required.
FUNCTION	CREATE [TEMPORARY] FUNCTION function_name AS 'class_name'	The admin permission is required.
FUNCTION	DROP [TEMPORARY] function_name	The admin permission is required.
MACRO	CREATE TEMPORARY MACRO macro_name ...	The admin permission is required.
MACRO	DROP TEMPORARY MACRO macro_name	The admin permission is required.

NOTE:

You can perform all the previous operations when owning the admin permission of Hive and the corresponding directory permission of HDFS.
If the current component uses Ranger for permission control, you need to configure permission management policies based on Ranger. For details, see Adding a Ranger Access Permission Policy for Hive.

Parent topic: Overview

Previous topic: Common Concepts

Next topic: Development Process