I have created a Hive database HR, which has 3 tables person, dept, contact.I have two users for HR -ad1 and us1. ad1-Admin us1-User. I want us1 to access only contact table and nothing else. How do I go about it in Hive?
This is what I tried:
1) Logged into Hive as ad1
2) Executed set hive.security.authorization.enabled=true;
3) create role r1
4) grant select on table contact to role r1;
5) grant role r1 to user us_1
Now when I log into Hive as us_1, I'm still able to query all tables
What am I doing wrong?
The way to handle security in Hive is via Unix POSIX. Secure the unix folder where Hive stores data, and you will secure access
Related
Currently, I am granting access to my colleagues using the following code:
Grant select on tablename to user1, user2, user3 with grant option;
However, I created a table that contains the user id and name and my goal is to grant access to a certain table to all the users within the column that contains the list of active users.
Something like: Grant select on database.tablename to (select userid from table_ative_users) with grant option;
I used to do it using a Stored Procedure but right now, I can't use it, so, I am looking for an alternative.
Many thanks
Using SYSTEM user I create a new user. After that I try to give this user access to specific columns only in 1 table, but get the error that this table does not exist. Meaning that SYSTEM user does not have access to this table. Unfortunately, the user that has access to the normal production tables cannot manage user privileges and access. What are my options?
CREATE USER test1 IDENTIFIED BY 123456;
GRANT UPDATE (extinvno, invoiceno) ON invoice TO test1;
Edit: Solution
Created 3 views that I needed. GRANT-ed the new user SELECT and UPDATE on 2 of the views and SELET on the 3rd. For the new user I had to use the chema to refer to the views: chema.view
If SYSTEM doesn't own the table then you need to specify who does; for example if the table was in the HR schema you would do:
GRANT UPDATE (extinvno, invoiceno) ON HR.invoice TO test1;
... using the real owning schema name, of course.
It isn't that SYSTEM doesn't have access to the table; it's that by default it's looking for SYSTEM.invoice, which doesn't exist.
The table owner could also grant the update privilege to test1.
I do have admin permission for a certain Azure SQL Server. So using my admin login I created a database user against a specific Azure SQL database in the following manner:-
CREATE USER myuser WITH PASSWORD = '<pwd>'
ALTER ROLE [db_datareader] ADD MEMBER [myuser]
After this I successfully logged into the database using this new credential for myuser. I discovered that while I can query data from most of the tables , there are certain tables for which I can't select any data. I can see the table name in SSMS , also no error for SELECT queries against those tables I receive , the only issue is that SELECT doesn't return any data ( 0 rows ) for those tables. If I fire SELECT using my admin credentials , I can very much see the result.
I tried to reproduce the same issue using the same commands which you have shared.
FYI, as a part of repro, I created an Azure SQL Server and then SQL database in the same server. I added three sample tables to match the scenario as you mentioned. Then I created user and grant db_datareader role with the same commands as you mentioned. It worked fine for me. I’m able to read the data of all the table in that specific database.
I suggest you consider How to Create Login, User & Assign Permissions in SQL Server and Overview of db_datareader role.
Alternatively, you can grant select permission to those tables which you are unable to read using below command:
GRANT SELECT ON <tablename> TO <user>;
Use case-
After learning that AD Passthrough is not working as expected on Synapse Serverless pool with ADLS Gen-2 ; I am trying to use traditional method of creating external tables on Serverless Pool and granting READ ONLY access to users to a set of tales and enable WRITE BACK option to another ADLS Gen-2 container using CETAS option .
Looks like I am stuck there as well - to move forward.
I have tried to explain my scenario in below image.
Now - I have 5 external tables on a database where I have a READ ONLY access to the schema's where those table exists.
I wanted to create few more tables - which ideally does a JOIN between those 5 tables and aggregates the data and writes back to ADLS Gen-2 for reporting/data science purpose.
What access should I grant for WRITE back purpose ?
I tried creating new schema and granting ALTER, CONTROL, SELECT access to that schema along with CREATE TABLE access at database level . I dont want to grant more access to database level - as it has data scoped credential having managed identity referenced- which will grant full access on ROC container objects.
Grant select on SCHEMA ::sandbox to sls_svc ;
Grant ALTER on SCHEMA ::sandbox to sls_svc ;
GRANT CONTROL ON SCHEMA::[sandbox ] TO [sls_svc];
Grant CREATE TABLE to sls_svc;
CREATE EXTERNAL TABLE sanbox.revenue-by-month
WITH (
LOCATION = '/ROW/revenue-by-month/',
DATA_SOURCE = ADLS-ROW,
FILE_FORMAT = EF_PARQUET
)
AS
SELECT * from table1;
all users in sls_svc role has STORAGE DATA CONTRIBUTOR access on READ-WRITE-CONTAINER (ROW)
Below are the error messages I am getting
I also tried creating a new database. hoping that i can grant full access on that database - so that cross DB query can work - but I am out of luck there as well.
Any thoughts ?
It seems that you have correctly set permissions https://learn.microsoft.com/en-us/azure/synapse-analytics/sql/develop-storage-files-overview?tabs=impersonation#permissions
Are you sure that you can successfully execute just select statement and that the issue is not in SELECT part?
GRANT CONNECT to the database that was created
+
GRANT DDL_ADMIN access
resolved the issue
I've just imported an ORACLE database into an instance of Oracle 10 XE running on a Linux system.
The database has tables split across a number of tablespaces, and the sys user is able to access all the tables without problem.
I've created a new user (fred) and I'm unable to access any of the tables whilst logged on as this user. I've set the user's default tablespace in an attempt to be able to access the tables whilst logged on as fred.
alter user fred default tablespace t1;
When I then connect as fred and attempt to look at a table in tablespace t1, I receive the following error:
describe table1;
ERROR:
ORA-04043: object table1 does not exist
How can I configure the user fred, so that he can easily access all the tables in the various tablespaces (t1, t2, t3... t6), like the user sys currently can?
I've never really dabbled with oracle in the past, but have used MS SQL quite extensively.
In Oracle the concept of schemas and users is different than that of other DBMS. In order to get table access for user fred, you will need to create synonyms of those table and sys user needs to issue grants (eg select, update e.t.c) on those tables.
Some useful links.
Managing User Privileges and Roles
GRANT
Oracle/PLSQL: Grant/Revoke Privileges