By default Sentry does not allow access to any resource unless it is explicitly granted. A privilege is essentially a rule that grants access to a resource: it spells out how a given resource may be accessed. For example, a table called customer_info in a database called sales may be accessed in read mode.
Object Hierarchy in Hive
- Server
  - URI
  - Database
    - Table
      - Partition
      - Columns
    - View
    - Index
Privileges can be granted on different objects in the Hive warehouse. Any privilege that can be granted is associated with a level in the object hierarchy. If a privilege is granted on a container object in the hierarchy, the base object automatically inherits it. For instance, if a user has ALL privileges on the database scope, then (s)he has ALL privileges on all of the base objects contained within that scope. The privileges are always positive, not negative - you start from nothing by default, and add privileges.
So if you have a privilege at a higher level in the hierarchy (e.g. server), you cannot take anything away from this privilege at a lower level (such as database). You can only add finer-grained privileges at the lower levels.
Concrete example: Suppose we have a server which currently has two databases, DB1 and DB2. Any privilege granted at the server level will apply to DB1 and DB2, and to any new databases that are created. Let's say we grant SELECT at the server level:

Database   Server-level   Database-level   Result
DB1        SELECT         -                SELECT
DB2        SELECT         -                SELECT
Then we could add finer-grained privileges at the database level, e.g. INSERT on database DB2:
Database   Server-level   Database-level   Result
DB1        SELECT         -                SELECT
DB2        SELECT         INSERT           SELECT, INSERT
Then if we revoke all database-level privileges on database DB2, we are back to where we started:

Database   Server-level   Database-level   Result
DB1        SELECT         -                SELECT
DB2        SELECT         -                SELECT
Changing lower-level privileges has no effect on the higher levels, which the lower levels inherit from. This applies to both GRANT and REVOKE.
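The DB1/DB2 sequence above, replayed through a small Python model of the additive inheritance rule. This is an added example, not Sentry's own code; the server name server1 and the table name orders are constructed.

```python
from collections import defaultdict

class PrivilegeModel:
    """Toy model of Sentry's additive privilege inheritance (not Sentry code).
    Privileges are only ever positive: an object's effective privileges are
    the union of grants on it and on every container object above it."""

    def __init__(self):
        # (level, object name) -> privileges granted at exactly that level
        self._grants = defaultdict(set)

    def grant(self, priv, level, name):
        self._grants[(level, name)].add(priv)

    def revoke(self, priv, level, name):
        # Removes only what was granted at this exact level; a privilege
        # inherited from a higher level cannot be taken away here.
        self._grants[(level, name)].discard(priv)

    def revoke_all(self, level, name):
        self._grants.pop((level, name), None)

    def effective(self, path):
        """path: (level, name) pairs from the server down to the object."""
        result = set()
        for key in path:
            result |= self._grants.get(key, set())
        return frozenset(result)


def walkthrough():
    """Replays the DB1/DB2 example; returns the Result column at each step."""
    m = PrivilegeModel()
    server = ("server", "server1")          # constructed server name
    db1, db2 = [server, ("database", "DB1")], [server, ("database", "DB2")]
    m.grant("SELECT", *server)
    step1 = (m.effective(db1), m.effective(db2))
    # A table created later under DB2 inherits the server-level grant too.
    new_table = m.effective(db2 + [("table", "orders")])   # constructed name
    m.grant("INSERT", *db2[-1])
    step2 = (m.effective(db1), m.effective(db2))
    m.revoke_all(*db2[-1])
    step3 = (m.effective(db1), m.effective(db2))
    # Revoking SELECT at database level does nothing: it was granted higher up.
    m.revoke("SELECT", *db2[-1])
    step4 = m.effective(db2)
    return step1, new_table, step2, step3, step4
```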