Yang, Tong 6182f91ba8 MRS component operation guide_normal 2.0.38.SP20 version
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Yang, Tong <yangtong2@huawei.com>
Co-committed-by: Yang, Tong <yangtong2@huawei.com>
2022-12-09 14:55:21 +00:00

<a name="mrs_01_1936"></a><a name="mrs_01_1936"></a>
<h1 class="topictitle1">Spark SQL Permissions</h1>
<div id="body1595920205775"><div class="section" id="mrs_01_1936__s6004a858d29f40eeaef89370f8639e65"><h4 class="sectiontitle">SparkSQL Permissions</h4><p id="mrs_01_1936__aae3bd6c6a45e4a68b73e2e85dedf10b7">Similar to Hive, Spark SQL is a data warehouse framework built on Hadoop that provides SQL-like storage of structured data.</p>
<p id="mrs_01_1936__aa9a72bbbeb944ea29d6850e28b2a3509"><span id="mrs_01_1936__text9835101861019">MRS</span> supports users, user groups, and roles. Permissions must be assigned to roles, and roles are then bound to users or user groups. A user can obtain permissions only by being bound to a role or by joining a group that is bound to a role.</p>
<div class="note" id="mrs_01_1936__n6757f921e8a64929a0cc23c62f40d757"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="mrs_01_1936__ul06971811123313"><li id="mrs_01_1936__li136971611103315">If the current component uses Ranger for permission control, you need to configure permission management policies based on Ranger. For details, see <a href="mrs_01_1860.html">Adding a Ranger Access Permission Policy for Spark2x</a>.</li><li id="mrs_01_1936__li1269751117331">After Ranger authentication is enabled or disabled on Spark2x, you need to restart Spark2x and download the client again or update the client configuration file <strong id="mrs_01_1936__b19141027101916">spark/conf/spark-defaults.conf</strong>.<p id="mrs_01_1936__p19489174814011">Enable Ranger authentication: <strong id="mrs_01_1936__b9911175014527">spark.ranger.plugin.authorization.enable=true</strong></p>
<p id="mrs_01_1936__li1269751117331p1">Disable Ranger authentication: <strong id="mrs_01_1936__b131911052195217">spark.ranger.plugin.authorization.enable=false</strong></p>
</li></ul>
</div></div>
</div>
<div class="section" id="mrs_01_1936__sdd3c0206e315427ba6190dc6ade9dd57"><h4 class="sectiontitle">Permission Management</h4><p id="mrs_01_1936__a8ccc1bb815a7410aa6249c831cf147e0">Spark SQL permission management is the permission system for managing and controlling users' operations on databases, ensuring that different users can operate databases separately and securely. A user can operate another user's tables and databases only with the corresponding permissions. Otherwise, the operations are rejected.</p>
<p id="mrs_01_1936__ac0ce47494adf43b6adc3db1c5fc3a9c3">Spark SQL permission management integrates the functions of Hive management. The MetaStore service of Hive and the permission granting function on the page are required to enable Spark SQL permission management.</p>
<p id="mrs_01_1936__a0c28b00ba7ed4b3b86812b0b08a365c2"><a href="#mrs_01_1936__fd3a2b5c226864acd937682b321890f11">Figure 1</a> shows the basic architecture of SparkSQL permission management. This architecture includes two parts: granting permissions on the page, and obtaining and judging a service.</p>
<ul id="mrs_01_1936__ud3f119d628884d2c83f18aaec22528e0"><li id="mrs_01_1936__l5aa1accbef214b82931e5eb5f2b7eba8">Granting permissions on the page: Spark SQL only supports granting permissions on the page. On FusionInsight Manager, choose <strong id="mrs_01_1936__b2121364073113420">System</strong> &gt; <strong id="mrs_01_1936__b1232960574113420">Permission</strong> to add or delete a user, user group, or a role, and to grant permissions or cancel permissions.</li><li id="mrs_01_1936__le41a313539774353ae8270ed264940a5">Obtaining and judging a service: When the DDL and DML commands are received from a client, Spark SQL will obtain the client's permissions on database information from MetaStore, and check whether the required permissions are included. If the required permissions are included, continue the execution. If the required permissions are not included, reject the user's operations. After the MetaStore permissions are checked, ACL permission also needs to be checked on HDFS.</li></ul>
<div class="fignone" id="mrs_01_1936__fd3a2b5c226864acd937682b321890f11"><a name="mrs_01_1936__fd3a2b5c226864acd937682b321890f11"></a><a name="fd3a2b5c226864acd937682b321890f11"></a><span class="figcap"><b>Figure 1 </b>Spark SQL permission management architecture</span><br><span><img id="mrs_01_1936__image193651085612" src="en-us_image_0000001296249948.png"></span></div>
<p id="mrs_01_1936__ac7bea09ae3634c51b2174da370115f77">Additionally, Spark SQL provides column and view permissions to meet requirements of different scenarios.</p>
<ul id="mrs_01_1936__u067d574f8b76465c9d40dbbb489203d9"><li id="mrs_01_1936__lfd97c1b96cd546adac235c406e8e2b99">Column permission<p id="mrs_01_1936__a16a3f965f0ac45db9c35e363a965b5ba"><a name="mrs_01_1936__lfd97c1b96cd546adac235c406e8e2b99"></a><a name="lfd97c1b96cd546adac235c406e8e2b99"></a>Spark SQL permission control consists of metadata permission control and HDFS ACL permission control. When Hive MetaStore automatically synchronizes table permissions to the HDFS ACL, column-level permissions are not synchronized. In other words, a user with partial or all column-level permissions cannot access the entire HDFS file using the HDFS client.</p>
<ul id="mrs_01_1936__u0d327a215a9e4b79af135e05bb2db3a1"><li id="mrs_01_1936__l206799747c554dd8b3d8afa66bfa6a1a">In <strong id="mrs_01_1936__b914841059113420">spark-sql</strong> mode, users with only column-level permissions cannot access HDFS files. Therefore, they cannot access the columns of the corresponding tables.</li><li id="mrs_01_1936__l69f427543c0746daac1c0e4f3fc3e6e1">In Beeline/JDBCServer mode, permissions are assigned among users, for example, the permissions on the table created by user A are assigned to user B.<ul id="mrs_01_1936__ueb963c2485064333a50dcde6d0dcc118"><li id="mrs_01_1936__l95bd56d6eaa04594a3819dedf572adeb"><span class="parmname" id="mrs_01_1936__parmname970522911113420"><b>hive.server2.enable.doAs</b></span>=<strong id="mrs_01_1936__b1543934748113420">true</strong> (configured in the <span class="filepath" id="mrs_01_1936__filepath482027468113420"><b>hive-site.xml</b></span> file on the Spark server)<p id="mrs_01_1936__a14f25a576999412491205748e3bffa4c">In this case, user B cannot query the information. You need to manually assign the read permission on the file in HDFS.</p>
</li><li id="mrs_01_1936__ld432a426d8524e2abaa332bc0e2b9981"><span class="parmname" id="mrs_01_1936__pd7503c5e197b48f0897f4c83ccc168f3"><b>hive.server2.enable.doAs</b></span>=false<ul id="mrs_01_1936__uc3edf23dd89c4c0babdc2428b7cf1867"><li id="mrs_01_1936__l1a5f0bafbee947fd8beceba8cc9dc83c">Users A and B are connected by Beeline. User B can query the information.</li><li id="mrs_01_1936__l0259ab1f06294d338a84e83ed99967d0">User A creates a table using SQL statements, and user B can query the table in Beeline.</li></ul>
<p id="mrs_01_1936__af377c9e0fe1a49cda620919e45932774">However, queries are not supported in other scenarios. For example, user A uses Beeline to create a table and user B uses SQL to query the table, or user A uses SQL to create a table and user B uses SQL to query the table. In these cases, you need to manually assign the read permission on the file in HDFS.</p>
</li></ul>
</li></ul>
<div class="note" id="mrs_01_1936__ne7ec9ef6688d4f1b9d5278b9ef4c3a98"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1936__a974bd0a25c1749fcabf04bb8415a5c84">The <strong id="mrs_01_1936__b882741679113420">spark</strong> user is a <span id="mrs_01_1936__ph285165704717">Spark</span><span id="mrs_01_1936__ph84731358174712"> </span>administrator in HDFS ACL permission control. The permission control of the Beeline client user depends only on the metadata permission on Spark.</p>
</div></div>
</li><li id="mrs_01_1936__l05c3205f8e5c4293a6ef4337abd64301">View permission<p id="mrs_01_1936__a8dbc592dc3074dca94232d2a26a43c83"><a name="mrs_01_1936__l05c3205f8e5c4293a6ef4337abd64301"></a><a name="l05c3205f8e5c4293a6ef4337abd64301"></a>View permission is the permission to perform operations such as query and modification on the view of a table, regardless of the corresponding permission on the table. That is, if you have the permission to query the view of a table, the permission to query the table is not mandatory. The view permission applies to the whole table, not to individual columns.</p>
<p id="mrs_01_1936__aa2332edb28db404db434b0701570d9ea">Restrictions of view and column permissions on SparkSQL are similar. The following uses the view permission as an example:</p>
<ul id="mrs_01_1936__ub7afcca99e71469395aad9fb02b80be1"><li id="mrs_01_1936__l4b5729d1d1b049c5baa648aa088430a9">In spark-sql mode, if you have only the view permission but not the table permission and do not have the permission to read HDFS, you cannot access the table data stored in HDFS. That is, you cannot query the view of the table.</li><li id="mrs_01_1936__ld534df8deb78490d8430266bf00f73d8">In Beeline/JDBCServer mode, permissions are assigned among users, for example, the permissions on the view created by user A are assigned to user B.<ul id="mrs_01_1936__uedb5c74c51a94d4fa43e73e9943f77d4"><li id="mrs_01_1936__le6282f81aa324822916018deb6c39be3"><span class="parmname" id="mrs_01_1936__parmname487760553113420"><b>hive.server2.enable.doAs</b></span>=<strong id="mrs_01_1936__b1349467226113420">true</strong> (configured in the <span class="filepath" id="mrs_01_1936__filepath734633634113420"><b>hive-site.xml</b></span> file on the Spark server)<p id="mrs_01_1936__a0e51d1f15f1941c683c02f0fbad72f46">In this case, user B cannot query the information. You need to manually assign the read permission on the file in HDFS.</p>
</li><li id="mrs_01_1936__l4e1e062851294ee5851e98da86538e77"><span class="parmname" id="mrs_01_1936__p2853f97467ed4521a68aec756c0d77bb"><b>hive.server2.enable.doAs</b></span>=false<ul id="mrs_01_1936__u6d6b1db9a77640f59abc535f3779d995"><li id="mrs_01_1936__lc33e2864748e45e3a3659921f58f779c">Users A and B are connected by Beeline. User B can query the information.</li><li id="mrs_01_1936__l18670c29459642c0888e4bd4e3aa9346">User A creates a view using SQL statements, and user B can query the view in Beeline.</li></ul>
<p id="mrs_01_1936__ad72c9fcf1f2a4796a145d2f59c12a401">However, information query is not supported in other scenarios. For example, user A uses Beeline to create a view but user B cannot use SQL to query the view, or user A uses SQL to create a view but user B cannot use SQL to query the view. You need to manually assign the read permission on the file in HDFS.</p>
</li></ul>
</li></ul>
<p id="mrs_01_1936__a8f25fdb7c392495480c7b4f10e4491ce">Permission of operations on the view of a table is as follows:</p>
<ul id="mrs_01_1936__u2ea384e7864c42efa795a1ae2fa6ca53"><li id="mrs_01_1936__l319c4194a0ff4645b0bff6c8a002928c">To create a view, you must have the CREATE permission on the database and the SELECT and SELECT_of_GRANT permissions on the tables.</li><li id="mrs_01_1936__l5fba94f09ff540a9bf64043aad8c91b0">Creating and describing a view entail only the SELECT permission on the view. Querying views and tables at the same time entails the SELECT permission on other tables. For example, to perform <strong id="mrs_01_1936__b861599516113420">select * from v1 join t1</strong>, you must have the SELECT permission on the <strong id="mrs_01_1936__b1556063813113420">v1</strong> view and <strong id="mrs_01_1936__b1292193259113420">t1</strong> table, even though the <strong id="mrs_01_1936__b221821419113420">v1</strong> view depends on the <strong id="mrs_01_1936__b1774079303113420">t1</strong> table.<div class="note" id="mrs_01_1936__n23ae33e01b0d40089897e1541cb74761"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1936__a745bb05bfa024283af35e406016dbdf5">In Beeline/JDBCServer mode, to query a view, you must have the SELECT permission on the tables. In spark-sql mode, to query a view, you must have the SELECT permission on the view and tables.</p>
</div></div>
</li><li id="mrs_01_1936__l393ee6012e2b44dcaab46ba1df31ea3a">Deleting and modifying a view require the owner permission on the view.</li></ul>
</li></ul>
</div>
<div class="section" id="mrs_01_1936__sdcce963a90da43bd8ec3a9d69b305ce0"><h4 class="sectiontitle">SparkSQL Permission Model</h4><p id="mrs_01_1936__a01b4a90b7b0e4a7e9234cdb1e88de003">To perform SQL operations using SparkSQL, you must be granted permissions on SparkSQL databases and tables (including external tables and views). The complete permission model of SparkSQL consists of the metadata permission and the HDFS file permission. The permissions required to use a database or a table are just one type of SparkSQL permission.</p>
<ul id="mrs_01_1936__ufac35cbea89647308c85368fb462e4ed"><li id="mrs_01_1936__la830c7b70b9b43e7bd15fbc15bf93b69">Metadata permissions<p id="mrs_01_1936__a9a33af91ad004534ab9b801b40370b37"><a name="mrs_01_1936__la830c7b70b9b43e7bd15fbc15bf93b69"></a><a name="la830c7b70b9b43e7bd15fbc15bf93b69"></a>Metadata permissions are controlled at the metadata layer. Similar to traditional relational databases, SparkSQL databases involve the CREATE and SELECT permissions, and tables and columns involve the SELECT, INSERT, UPDATE, and DELETE permissions. SparkSQL also supports the permissions of <span class="parmname" id="mrs_01_1936__p9b3bd6fdea824e9a9aa9749f587402df"><b>OWNERSHIP</b></span> and <span class="parmname" id="mrs_01_1936__p4e1f57da2aa74f8987641810cf16070b"><b>ADMIN</b></span>.</p>
</li><li id="mrs_01_1936__l29dd38f75eae4660945725ebb04da69f">Data file permissions (that is, HDFS file permissions)<p id="mrs_01_1936__a8978d816a1ad4b0f9c5f7be56e866d3f"><a name="mrs_01_1936__l29dd38f75eae4660945725ebb04da69f"></a><a name="l29dd38f75eae4660945725ebb04da69f"></a>SparkSQL database and table files are stored in HDFS. The created databases or tables are saved in the <span class="filepath" id="mrs_01_1936__f2c3a8c80d1ec445292a7fcafd21611ad"><b>/user/hive/warehouse</b></span> directory of HDFS by default. The system automatically creates subdirectories named after database names and database table names. To access a database or table, you must have the <span class="parmname" id="mrs_01_1936__p6cd26950619442cfa8fad39758f4faf9"><b><span id="mrs_01_1936__text226519314920">Read</span></b></span>, <span class="parmname" id="mrs_01_1936__pd945a8be8ed249938ac7ef0f850dc5aa"><b><span id="mrs_01_1936__text865597294">Write</span></b></span> and <span class="parmname" id="mrs_01_1936__pc91ee45c8ea84d619774fa1cc382dbb4"><b><span id="mrs_01_1936__text146451822593">Execute</span></b></span> permissions on the corresponding file in HDFS.</p>
</li></ul>
<p id="mrs_01_1936__aa8e414dec6324f08b8c02b604ef527ed">To perform various operations on SparkSQL databases or tables, you need to associate the metadata permission and HDFS file permission. For example, to query SparkSQL data tables, you need to associate the metadata permission <span class="parmname" id="mrs_01_1936__pc7777e5a00c545cb90f6390582b7e145"><b>SELECT</b></span> and HDFS file permissions <span class="parmname" id="mrs_01_1936__pfd058f9cf08d49a88634b81ecd1313f6"><b><span id="mrs_01_1936__text13570728699">Read</span></b></span> and <span class="parmname" id="mrs_01_1936__pcbef0e8daa79486a8191404b3e47e386"><b><span id="mrs_01_1936__text390612335919">Execute</span></b></span>.</p>
<p id="mrs_01_1936__ac34ac844c2dc44a58ba03cd6c0f3807b">When you use the management function of the Manager GUI to manage the permissions of SparkSQL databases and tables, you only need to configure the metadata permission; the system automatically associates and configures the HDFS file permission. This simplifies operations on the interface and improves efficiency.</p>
</div>
<div class="section" id="mrs_01_1936__sd6052b70b7c6456088d551f3522dedab"><h4 class="sectiontitle">Usage Scenarios and Related Permissions</h4><p id="mrs_01_1936__ae90be1b002f4420ebff75e2ef88d9e0e">To create a database with the SparkSQL service, a user must join the hive group; no role needs to be granted. Users have all permissions on the databases or tables created by themselves in Hive or HDFS. They can create tables, select, delete, insert, or update data, and grant permissions to other users to allow them to access the tables and corresponding HDFS directories and files.</p>
<p id="mrs_01_1936__a698c5a604e71485ba1ad768796c58f03">A user can access the tables or database only with permissions. Users' permissions vary depending on different SparkSQL scenarios.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1936__tbda3e4be6dec4dffaf5fa40862c845a4" frame="border" border="1" rules="all"><caption><b>Table 1 </b>SparkSQL scenarios</caption><thead align="left"><tr id="mrs_01_1936__r82f29561b0b543198e963ffc63f458ea"><th align="left" class="cellrowborder" valign="top" width="22.93%" id="mcps1.3.4.4.2.3.1.1"><p id="mrs_01_1936__a3e6e31fba4a04ec08da3b7411a71d896"><strong id="mrs_01_1936__ade74162adf0a42ccb4b842c33fb08939">Typical Scenario</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="77.07000000000001%" id="mcps1.3.4.4.2.3.1.2"><p id="mrs_01_1936__a46eea93afcc940b6aca27dbc24c47df0"><strong id="mrs_01_1936__a81418e7411b249a8a95cda4b372a12c4">Required Permission</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1936__r41bb0b521c5c4be6b5fc69ecd1dcff82"><td class="cellrowborder" valign="top" width="22.93%" headers="mcps1.3.4.4.2.3.1.1 "><p id="mrs_01_1936__a2a3a2c2702e04498bd9cc2b5a40f9616">Using SparkSQL tables, columns, or databases</p>
</td>
<td class="cellrowborder" valign="top" width="77.07000000000001%" headers="mcps1.3.4.4.2.3.1.2 "><p id="mrs_01_1936__a84a40b040298433f9ed7ee7b0d61d1cd">Permissions required in different scenarios are as follows:</p>
<ul id="mrs_01_1936__u84e9516586104a2daf3f7e0895569e6a"><li id="mrs_01_1936__l1b611acbeb344f34bdb42bf79879f785">To create a table, the CREATE permission is required.</li><li id="mrs_01_1936__lee9d4f93bc134e61876877107edd8c9e">To query data, the SELECT permission is required.</li><li id="mrs_01_1936__l5d40fcb1b9de4686abb06726a5170e93">To insert data, the INSERT permission is required.</li></ul>
</td>
</tr>
<tr id="mrs_01_1936__r9c901630425741069a2d66da7b2f86a7"><td class="cellrowborder" valign="top" width="22.93%" headers="mcps1.3.4.4.2.3.1.1 "><p id="mrs_01_1936__ada3cce2f2bb24aefaed0f4e240a34d01">Associating and using other components</p>
</td>
<td class="cellrowborder" valign="top" width="77.07000000000001%" headers="mcps1.3.4.4.2.3.1.2 "><p id="mrs_01_1936__af8366ee5f3764f5e961ddd148cd8e2ea">In some scenarios, permissions other than the SparkSQL permission may also be required. For example:</p>
<p id="mrs_01_1936__a82237efec1d2477ca13bfd174baa2210">Using Spark on HBase to query HBase data in SparkSQL requires HBase permissions.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="mrs_01_1936__a8695ba0a52ee4d89854a46eae835e1a2">In some special SparkSQL scenarios, other permissions must be configured separately.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1936__tc11ba9da39044191944d0c07d19b1c37" frame="border" border="1" rules="all"><caption><b>Table 2 </b>SparkSQL scenarios and required permissions</caption><thead align="left"><tr id="mrs_01_1936__ra9ef1ad1d40e4326aacc48bf3fa94945"><th align="left" class="cellrowborder" valign="top" width="31.580000000000002%" id="mcps1.3.4.6.2.3.1.1"><p id="mrs_01_1936__ab50777c8f5264217a13dad42fcf8b147"><strong id="mrs_01_1936__a6304f69353fa4e8ab0cfdf0168ba1ea0">Scenario</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="68.42%" id="mcps1.3.4.6.2.3.1.2"><p id="mrs_01_1936__a36c99576177c4dc296836a5c509350de"><strong id="mrs_01_1936__a16f6b45b93ce49e995aa4f662508aeb8">Required Permission</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1936__rb8108db8278a40a0865d73781419fa0d"><td class="cellrowborder" valign="top" width="31.580000000000002%" headers="mcps1.3.4.6.2.3.1.1 "><p id="mrs_01_1936__a11a77d57fd894942bef4f47f3882e258">Creating SparkSQL databases, tables, and external tables, or adding partitions to created Hive tables or external tables when data files specified by Hive users are saved to other HDFS directories except <strong id="mrs_01_1936__b1205386690113420">/user/hive/warehouse</strong></p>
</td>
<td class="cellrowborder" valign="top" width="68.42%" headers="mcps1.3.4.6.2.3.1.2 "><ul id="mrs_01_1936__u9fed7b77bd784d94ab5c3d7e1abbffbc"><li id="mrs_01_1936__l50c32baa7023468a8f33dd4d852af999">The directory must exist, the client user must be the owner of the directory, and the user must have the <strong id="mrs_01_1936__b1778050213113420">Read</strong>, <strong id="mrs_01_1936__b291292926113420">Write</strong>, and <strong id="mrs_01_1936__b226617904113420">Execute</strong> permissions on the directory. The user must have the <strong id="mrs_01_1936__b1216080347113420">Read</strong> and <strong id="mrs_01_1936__b812214588113420">Execute</strong> permissions on all the upper-layer directories of the directory.</li><li id="mrs_01_1936__le606db0df51749e6955f8d7af59a9df3">If the Spark version is later than 2, the <strong id="mrs_01_1936__b1255423036113420">Create</strong> permission of the Hive database is required if you want to create an HBase table. However, in Spark 1.5, the <strong id="mrs_01_1936__b1002100294113420">Create</strong> permissions of both the Hive database and HBase namespace are required if you want to create an HBase table.</li></ul>
</td>
</tr>
<tr id="mrs_01_1936__r812d70a1d1884998983ae4fcb34909e2"><td class="cellrowborder" valign="top" width="31.580000000000002%" headers="mcps1.3.4.6.2.3.1.1 "><p id="mrs_01_1936__a6067cc97d5534a098c0b5d61a4705ea2">Importing all the files or specified files in a specified directory to the table using load</p>
</td>
<td class="cellrowborder" valign="top" width="68.42%" headers="mcps1.3.4.6.2.3.1.2 "><ul id="mrs_01_1936__u59b971aba5634a028eeaaa983b7e04cf"><li id="mrs_01_1936__l17e39b6750f84839ac6f96d7a7e9315a">The data source is a Linux local disk, the specified directory exists, and the system user <strong id="mrs_01_1936__b209790798113420">omm</strong> has read and execute permission of the directory and all its upper-layer directories. The specified file exists, and user <strong id="mrs_01_1936__b248061182113420">omm</strong> has the <strong id="mrs_01_1936__b477516532113420">Read</strong> permission on the file and has the <strong id="mrs_01_1936__b311233826113420">Read</strong> and <strong id="mrs_01_1936__b1469912389113420">Execute</strong> permissions on all the upper-layer directories of the file.</li><li id="mrs_01_1936__lc294eaef42c240e2bb10ab267e59e662">The data source is HDFS, the specified directory exists, and the SparkSQL user is the owner of the directory and has the <strong id="mrs_01_1936__b1498477227113420">Read</strong>, <strong id="mrs_01_1936__b826344958113420">Write</strong>, and <strong id="mrs_01_1936__b211464223113420">Execute</strong> permissions on the directory and its subdirectories, and has the <strong id="mrs_01_1936__b66386367113420">Read</strong> and <strong id="mrs_01_1936__b1567594176113420">Execute</strong> permissions on all its upper-layer directories. The specified file exists, and the SparkSQL user is the owner of the file and has the <strong id="mrs_01_1936__b1070910416113420">Read</strong>, <strong id="mrs_01_1936__b1301856429113420">Write</strong>, and <strong id="mrs_01_1936__b1860033717113420">Execute</strong> permissions on the file and has the <strong id="mrs_01_1936__b1790925537113420">Read</strong> and <strong id="mrs_01_1936__b1932297773113420">Execute</strong> permissions on all its upper-layer directories.</li></ul>
</td>
</tr>
<tr id="mrs_01_1936__r4b6081817f4d4db5a6f5420bb0f4552b"><td class="cellrowborder" valign="top" width="31.580000000000002%" headers="mcps1.3.4.6.2.3.1.1 "><p id="mrs_01_1936__a5767c31c68fa454f9956a8aaf9ab1826">Creating or deleting functions or modifying any database</p>
</td>
<td class="cellrowborder" valign="top" width="68.42%" headers="mcps1.3.4.6.2.3.1.2 "><p id="mrs_01_1936__a6f895f9f3aa8429ba1c0979be8eb3d56">The <strong id="mrs_01_1936__b661763004113420">ADMIN</strong> permission is required.</p>
</td>
</tr>
<tr id="mrs_01_1936__r7c209b4789e14f0c8a7b3420fb0451c4"><td class="cellrowborder" valign="top" width="31.580000000000002%" headers="mcps1.3.4.6.2.3.1.1 "><p id="mrs_01_1936__a8c8a206ca8e44d60afd313570cb773de">Performing operations on all databases and tables in Hive</p>
</td>
<td class="cellrowborder" valign="top" width="68.42%" headers="mcps1.3.4.6.2.3.1.2 "><p id="mrs_01_1936__af3275d46ccc244508698b678afddfbe7">The user must be added to the <strong id="mrs_01_1936__b1842661968113420">supergroup</strong> user group, and be assigned the <strong id="mrs_01_1936__b512599771113420">ADMIN</strong> permission.</p>
</td>
</tr>
<tr id="mrs_01_1936__row204714012419"><td class="cellrowborder" valign="top" width="31.580000000000002%" headers="mcps1.3.4.6.2.3.1.1 "><p id="mrs_01_1936__p824485385014">After assigning the <strong id="mrs_01_1936__b1860650344113420">Insert</strong> permission on some DataSource tables, assigning the <strong id="mrs_01_1936__b940274945113420">Write</strong> permission on table directories in HDFS before performing the insert or analyze operation</p>
</td>
<td class="cellrowborder" valign="top" width="68.42%" headers="mcps1.3.4.6.2.3.1.2 "><p id="mrs_01_1936__p112441453125017">When the <strong id="mrs_01_1936__b84433767113420">Insert</strong> permission is assigned to the <strong id="mrs_01_1936__b1991683927113420">spark datasource</strong> table, if the table format is text, CSV, JSON, Parquet, or ORC, the permission on the table directory is not changed. After the <strong id="mrs_01_1936__b618825521113420">Insert</strong> permission is assigned to the DataSource table of the preceding formats, you need to assign the <strong id="mrs_01_1936__b1258343508113420">Write</strong> permission to the table directories in HDFS separately so that users can perform the insert or analyze operation on the tables.</p>
</td>
</tr>
</tbody>
</table>
</div>
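<p>The directory requirements in the first row of Table 2 (directory exists, client user is the owner with Read, Write, and Execute, plus Read and Execute on every upper-layer directory) can be checked from ACL listings before a table is created on a custom location. The following Python code is an added example, not part of MRS or its documentation; it evaluates listings in the format printed by <strong>hdfs dfs -getfacl</strong>. The paths, users, groups, and function names are assumptions made for illustration.</p>

```python
import posixpath

# Constructed sample in `hdfs dfs -getfacl` output format; paths, users and groups are made up.
SAMPLE = """\
# file: /
# owner: hdfs
# group: supergroup
user::rwx
group::r-x
other::r-x
# file: /data
# owner: hdfs
# group: hadoop
user::rwx
group::r-x
other::---
# file: /data/ext
# owner: etl_admin
# group: hive
user::rwx
user:alice:rwx
group::r-x
mask::r-x
other::---
# file: /data/ext/sales
# owner: alice
# group: hive
user::rwx
group::r-x
other::---
"""


def parse_getfacl(text):
    """Parse getfacl-style output into {path: {"owner", "group", "entries"}}."""
    acls, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# file:"):
            cur = acls.setdefault(line[7:].strip(), {"entries": []})
        elif line.startswith("# owner:") or line.startswith("# group:"):
            cur[line[2:7]] = line[8:].strip()
        elif line and line[0] != "#" and not line.startswith("default:"):
            kind, name, perms = line.split(":")[:3]
            cur["entries"].append((kind, name, set(perms[:3]) - {"-"}))
    return acls


def allows(acl, user, groups, need):
    """Evaluate in ACL order: owner, named user, matching groups, other."""
    need, entries = set(need), acl["entries"]
    mask = next((p for k, n, p in entries if k == "mask"), set("rwx"))
    named = {n: p for k, n, p in entries if k == "user"}  # "" is the owner entry
    if user == acl["owner"]:
        return need.issubset(named[""])
    if user in named:
        return need.issubset(named[user] & mask)  # mask caps named-user entries
    hits = [p & mask for k, n, p in entries if k == "group"
            and (n in groups or (n == "" and acl["group"] in groups))]
    if hits:  # a matching group entry never falls through to "other"
        return any(need.issubset(p) for p in hits)
    return need.issubset(next((p for k, n, p in entries if k == "other"), set()))


def check_location(acls, path, user, groups):
    """List the Table 2 directory requirements that `user` does not meet for `path`."""
    if path not in acls:
        return [path + ": directory not found in ACL listing"]
    problems = []
    if acls[path]["owner"] != user:
        problems.append(path + ": owner is " + acls[path]["owner"])
    if not allows(acls[path], user, groups, "rwx"):
        problems.append(path + ": needs Read, Write and Execute")
    parent = path
    while parent != "/":
        parent = posixpath.dirname(parent)
        if parent not in acls:
            problems.append(parent + ": no ACL record supplied")
        elif not allows(acls[parent], user, groups, "rx"):
            problems.append(parent + ": needs Read and Execute")
    return problems
```

<p>Calling <strong>check_location(parse_getfacl(SAMPLE), "/data/ext/sales", "alice", {"hive"})</strong> reports the one upper-layer directory that blocks the user. HDFS superusers bypass these checks and are not modeled here.</p>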
</div>
</div>