更新时间:2023-03-17 GMT+08:00

CarbonData访问控制

下表提供了对CarbonData Table执行相应操作所需的Hive ACL特权的详细信息。

前提条件

已经设置了表5表6中Carbon相关参数。

Hive ACL权限

表1 CarbonData表级操作所需的Hive ACL权限

场景

所需权限

DESCRIBE TABLE

SELECT (of table)

SELECT

SELECT (of table)

EXPLAIN

SELECT (of table)

CREATE TABLE

CREATE (of database)

CREATE TABLE As SELECT

CREATE (on database), INSERT (on table), RW on data file, and SELECT (on table)

LOAD

INSERT (of table) RW on data file

DROP TABLE

OWNER (of table)

DELETE SEGMENTS

DELETE (of table)

SHOW SEGMENTS

SELECT (of table)

CLEAN FILES

DELETE (of table)

INSERT OVERWRITE / INSERT INTO

INSERT (of table) RW on data file and SELECT (of table)

CREATE INDEX

OWNER (of table)

DROP INDEX

OWNER (of table)

SHOW INDEXES

SELECT (of table)

ALTER TABLE ADD COLUMN

OWNER (of table)

ALTER TABLE DROP COLUMN

OWNER (of table)

ALTER TABLE CHANGE DATATYPE

OWNER (of table)

ALTER TABLE RENAME

OWNER (of table)

ALTER TABLE COMPACTION

INSERT (on table)

FINISH STREAMING

OWNER (of table)

ALTER TABLE SET STREAMING PROPERTIES

OWNER (of table)

ALTER TABLE SET TABLE PROPERTIES

OWNER (of table)

UPDATE CARBON TABLE

UPDATE (of table)

DELETE RECORDS

DELETE (of table)

REFRESH TABLE

OWNER (of main table)

REGISTER INDEX TABLE

OWNER (of table)

SHOW PARTITIONS

SELECT (on table)

ALTER TABLE ADD PARTITION

OWNER (of table)

ALTER TABLE DROP PARTITION

OWNER (of table)

  • 如果数据库下的表由多个用户创建,那么执行Drop database命令会失败,即使执行的用户是数据库的拥有者。
  • 在二级索引中,当父表(parent table)触发时,insert和compaction将在索引表上触发。 如果选择具有过滤条件匹配索引表列的查询,用户应该为父表和索引表提供选择权限。
  • LockFiles文件夹和LockFiles文件夹中创建的锁定文件将具有完全权限,因为LockFiles文件夹不包含任何敏感数据。
  • 如果使用ACL,确保不要为DDL或DML配置任何被其他进程使用中的路径,建议创建新路径。

    以下配置项需要配置路径:

    1) carbon.badRecords.location

    2) 创建数据库时Db_Path及其他。

  • 对于非安全集群中的Carbon ACL权限,hive-site.xml中的参数hive.server2.enable.doAs必须设置为false。 将此属性设置为false,查询将以hiveserver2进程运行的用户身份运行。