Privileges and securable objects in the Hive metastore
Applies to: Databricks SQL Databricks Runtime
A privilege is a right granted to a principal to operate on a securable object in the metastore.
The privilege model and securable objects differ depending on whether you are using a Unity Catalog metastore or the legacy Hive metastore. This article describes the privilege model for the legacy Hive metastore. If you are using Unity Catalog, see Privileges and securable objects in Unity Catalog.
Securable objects in the Hive metastore
A securable object is an object defined in the metastore on which privileges can be granted to a principal.
To manage privileges on any object you must be its owner or an administrator.
Syntax
securable_object
{ ANY FILE |
CATALOG [ catalog_name ] |
{ SCHEMA | DATABASE } schema_name |
FUNCTION function_name |
[ TABLE ] table_name |
VIEW view_name
}
Parameters
ANY FILE
Controls access to the underlying filesystem.
CATALOG
catalog_nameControls access to the entire data catalog.
{ SCHEMA | DATABASE }
schema_nameControls access to a schema.
FUNCTION
function_nameControls access to a named function.
[ TABLE ]
table_nameControls access to a managed or external table.
VIEW
view_nameControls access to SQL views.
Inheritance model
Securable objects in the Hive metastore are hierarchical and privileges are inherited downward. This means that granting or denying a privilege on the CATALOG
automatically grants or denies the privilege to all schemas in the catalog. Similarly, privileges granted on a schema object are inherited by all objects in that schema. This pattern is true for all securable objects.
If you deny a user privileges on a table, the user can't see the table by attempting to list all tables in the schema. If you deny a user privileges on a schema, the user can't see that the schema exists by attempting to list all schemas in the catalog.
Privilege types
The following table shows which privileges are associated with which securable objects.
Privilege type | ANONYMOUS FUNCTION | ANY FILE | CATALOG | SCHEMA | FUNCTION | TABLE | VIEW | |
---|---|---|---|---|---|---|---|---|
CREATE | Yes | Yes | ||||||
MODIFY | Yes | Yes | Yes | Yes | ||||
READ_METADATA | Yes | Yes | Yes | Yes | ||||
SELECT | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
USAGE | Yes | Yes |
ALL PRIVILEGES
Used to grant or revoke all privileges applicable to the securable and its child objects without explicitly specifying them. This expands to all available privileges at the time permissions checks are made.
CREATE
Create objects within the catalog or schema.
MODIFY
COPY INTO, UPDATE DELETE, INSERT, or MERGE INTO the table.
If the securable_object is the
hive_metastore
or a schema within it, grantingMODIFY
will grantMODIFY
on all current and future tables and views within the securable object.READ_METADATA
Discover the securable object in SHOW and interrogate the object in DESCRIBE
If the securable object is the
hive_metastore
catalog or a schema within it, grantingREAD_METADATA
will grantREAD_METADATA
on all current and future tables and views within the securable object.READ FILES
Query files directly using the storage credential or external location.
SELECT
Query a table or view, invoke a user defined or anonymous function, or select
ANY FILE
. The user needsSELECT
on the table, view, or function, as well asUSAGE
on the object's schema and catalog.If the securable object is the
hive_metastore
or a schema within it, grantingSELECT
will grantSELECT
on all current and future tables and views within the securable object.USAGE
Required, but not sufficient to reference any objects in a catalog or schema. The principal also needs to have privileges on the individual securable objects.
WRITE FILES
Directly COPY INTO files governed by the storage credential or external location.
Examples
-- Grant a privilege to the user alf@melmak.et
> GRANT SELECT ON TABLE t TO `alf@melmak.et`;
-- Revoke a privilege from the general public group.
> REVOKE USAGE ON SCHEMA some_schema FROM `alf@melmak.et`;