I have a few questions on granting access privileges on an HDFS URI as part of Sentry integration (Hive, HDFS).
1) Is it possible to grant read-only privilege on an HDFS URI? (When I do grant select on an HDFS URI, it gives all privileges (*) on the URI.)
2) If I want to give full permission for a Hive DB on the HDFS URI, do I need to specify * at the end so that all the underlying tables will also have that permission (grant all on uri 'hdfs://namespace/production/test_db/*' to role ...), or is it OK if I grant only on the DB path (grant all on uri 'hdfs://namespace/production/test_db' to role ...), so that tables created under it will also inherit these privileges?
1.) I think there is a Jira, SENTRY-862, open for that, but currently the ALL privilege is the only possibility.
They say there: "We support only "all" on URI by design. I do not remember exactly what were the various reasons. But, mainly because we do not deal with explicit select/insert to uri from hive sql."
To put this better in scope, the URI grants were mostly needed because of LOAD DATA statements, and that statement also needs to write to that path (move the files away from that location too).
2.) If you use managed tables, you can easily give permission just for the DB, and you do not need to specify the wildcard (*). If you use external tables, you need to give permissions for the URI too, and you also do not need to specify the wildcard (*), because it will be applied to all sub-paths starting from that.
Hope this helps,
Customer Operations Engineer, Cloudera
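
The grants described in the answer above, written out as an added example that is not part of the original posts. The role names `test_db_rw` and `test_db_ro` and the group names are hypothetical; the path is the one from the question.

```sql
-- Run as a Sentry admin in Beeline. Role and group names are hypothetical.
CREATE ROLE test_db_rw;
CREATE ROLE test_db_ro;

-- Managed tables: the database grant is sufficient, no URI grant needed.
GRANT ALL ON DATABASE test_db TO ROLE test_db_rw;

-- External tables / LOAD DATA: add the URI grant. No trailing wildcard;
-- the grant applies to all sub-paths starting from this location.
-- ALL is the only privilege level available on a URI.
GRANT ALL ON URI 'hdfs://namespace/production/test_db' TO ROLE test_db_rw;

-- One way to keep a role read-only: SELECT on the database and no URI
-- grant at all, because any URI grant would be ALL.
GRANT SELECT ON DATABASE test_db TO ROLE test_db_ro;

GRANT ROLE test_db_rw TO GROUP etl_writers;
GRANT ROLE test_db_ro TO GROUP analysts;

-- Verify what each role actually holds before handing it out.
SHOW GRANT ROLE test_db_rw;
SHOW GRANT ROLE test_db_ro;
```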