Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here. Want to know more about what has changed? Check out the Community News blog.
Created on 01-03-201709:27 PM - edited 08-17-201906:10 AM
ACCESS MODEL [Let's say in this case TERADATA]
User U1 can only read all tables in Database D1 & D2
U2 can Read Database D1 and INSERT , UPDATE , DELETE , SELECT all
tables in Database D2. User U2 Cannot DROP or Create Table in Database
User U3 can SELECT,INSERT,UPDATE,DELETE,DROP,CREATE (ALL ACCESS) on Database D1 and D2
OBJECTIVE :- Want to have same model on Hadoop with one improvement.
will have Storage Groups and ACLs – grouping the tables of same subject
area. One Database may have more than one storage Group. Say SG11 ,
SG12 and SG21 and SG22 (SG11 and SG12 are associated with database D1
and SG21 & SG22 with D2)
User U1 should read all Tables in D1 and D2 .
U2 should only INSERT,UPDATE,DELETE and SELECT Tables covered by SG11 (
in Database D1) - U2 will not be able to Update tables in SG12 ( in
Database D1) but can read
User U3 can do all operations on SG11,SG12 ( D1) and SG21,SG22 (D2) and is OWNER of all the objects in D1 and D2 .
U3 is admin user and is Owner of the object.
is batch Id and can write (insert , update , delete , select) to its
storage group objects . U2 an read all objects in all selected Storage
U1 is regular user and can read selected storage Groups. (there is more to it but do not want to complicate)
U1 gets “r” via SG1* and SG2*
U2 gets “rwx” via SG11 and “r” via SG12 (U2 can drop a table due to SG11) .
grant U2 a role HIVE that has UPDATE, DELETE,INSERT,SELECT but no DROP –
It has ACL that allows these operations at File level without being
U2 tries to Drop a table in SG11 but Hive Role/ authentication does not allow this. U2 can still update rows in table of SG11.