CarbonData Access Control
The following table lists the Hive ACL privileges required to perform each operation on a CarbonData table.
Hive ACL privileges
| Scenario | Required Privilege |
|---|---|
| DESCRIBE TABLE | SELECT (of table) |
| SELECT | SELECT (of table) |
| EXPLAIN | SELECT (of table) |
| CREATE TABLE | CREATE (of database) |
| CREATE TABLE AS SELECT | CREATE (on database), INSERT (on table), RW on data file, and SELECT (on table) |
| LOAD | INSERT (of table) RW on data file |
| DROP TABLE | OWNER (of table) |
| DELETE SEGMENTS | DELETE (of table) |
| SHOW SEGMENTS | SELECT (of table) |
| CLEAN FILES | DELETE (of table) |
| INSERT OVERWRITE / INSERT INTO | INSERT (of table) RW on data file and SELECT (of table) |
| CREATE INDEX | OWNER (of table) |
| DROP INDEX | OWNER (of table) |
| SHOW INDEXES | SELECT (of table) |
| ALTER TABLE ADD COLUMN | OWNER (of table) |
| ALTER TABLE DROP COLUMN | OWNER (of table) |
| ALTER TABLE CHANGE DATATYPE | OWNER (of table) |
| ALTER TABLE RENAME | OWNER (of table) |
| ALTER TABLE COMPACTION | INSERT (on table) |
| FINISH STREAMING | OWNER (of table) |
| ALTER TABLE SET STREAMING PROPERTIES | OWNER (of table) |
| ALTER TABLE SET TABLE PROPERTIES | OWNER (of table) |
| UPDATE CARBON TABLE | UPDATE (of table) |
| DELETE RECORDS | DELETE (of table) |
| REFRESH TABLE | OWNER (of main table) |
| REGISTER INDEX TABLE | OWNER (of table) |
| SHOW PARTITIONS | SELECT (on table) |
| ALTER TABLE ADD PARTITION | OWNER (of table) |
| ALTER TABLE DROP PARTITION | OWNER (of table) |
 
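 - If the tables in a database were created by multiple users, the DROP DATABASE command fails even when the user running it is the owner of the database.
 - With secondary indexes, when insert or compaction is triggered on the parent table, it is also triggered on the index table. For a query whose filter conditions match columns of the index table, the user must be granted SELECT privilege on both the parent table and the index table.
 - The LockFiles folder and the lock files created in it have full permissions, because the LockFiles folder does not contain any sensitive data.
 - If ACLs are used, make sure that no path in use by another process is configured for DDL or DML. Creating a new path is recommended.
   1) carbon.badRecords.location
   2) Db_Path and others when creating a database.
 - For Carbon ACL privileges in a non-secure cluster, the parameter hive.server2.enable.doAs in hive-site.xml must be set to false. When this property is set to false, queries run as the user that the hiveserver2 process runs as.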