One question remains:  in object_specification, are the keywords TABLE and
DATABASE optional?

At least for TABLE I've seen queries in the test suite that omitted it, but
that was probably for SQL standards based authorization.  So I guess we
should assume TABLE and DATABASE are required unless someone says otherwise.

-- Lefty

On Tue, Oct 14, 2014 at 4:48 PM, Lefty Leverenz <leftylever...@gmail.com>
wrote:

> +1
>
> -- Lefty
>
> On Tue, Oct 14, 2014 at 4:37 PM, Brett Randall <javabr...@gmail.com>
> wrote:
>
>> +1
>>
>> On 15 October 2014 07:23, Suhas Gogate <vgog...@pivotal.io> wrote:
>> > Agree w/ Brett.. so maybe instead of "object_type", we can use
>> > "object_specification" (similar to principal specification)?
>> >
>> > GRANT
>> >     priv_type [(column_list)]
>> >       [, priv_type [(column_list)]] ...
>> >     [ON object_specification]
>> >     TO principal_specification [, principal_specification] ...
>> >     [WITH GRANT OPTION]
>> >
>> > REVOKE [GRANT OPTION FOR]
>> >     priv_type [(column_list)]
>> >       [, priv_type [(column_list)]] ...
>> >     [ON object_specification]
>> >     FROM principal_specification [, principal_specification] ...
>> >
>> > REVOKE ALL PRIVILEGES, GRANT OPTION
>> >     FROM user [, user] ...
>> >
>> > priv_type:
>> >     ALL | ALTER | UPDATE | CREATE | DROP
>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
>> >
>> > object_specification:
>> >     TABLE tbl_name |
>> >     DATABASE db_name
>> >
>> > principal_specification:
>> >     USER user
>> >   | GROUP group
>> >   | ROLE role
>> >
>> >
>> > On Tue, Oct 14, 2014 at 11:06 AM, Lefty Leverenz
>> > <leftylever...@gmail.com> wrote:
>> >>
>> >> I'll correct it as soon as we reach consensus.  (Perhaps Thejas will
>> >> chime in.)
>> >>
>> >> If you want to do it yourself, you can get wiki edit privilege quite
>> >> easily.
>> >>
>> >> -- Lefty
>> >>
>> >> On Tue, Oct 14, 2014 at 7:57 AM, Brett Randall <javabr...@gmail.com>
>> >> wrote:
>> >>>
>> >>> I agree that the use of priv_level is confusing when it is actually
>> >>> referring to object_name (of type TABLE or DATABASE).  I don't mind
>> >>> the rolling-up of tbl_name or db_name into object_type, although it
>> >>> then makes object_type: somewhat misleading.  "[ON object_type
>> >>> object_name]" reads well for me.
>> >>>
>> >>> Anything to correct the incorrect syntax on the wiki page (it is not
>> >>> open for edits).
>> >>>
>> >>> Thanks
>> >>> Brett
>> >>>
>> >>> On 13 October 2014 18:18, Suhas Gogate <vgog...@pivotal.io> wrote:
>> >>> > Hmm.. looking at the syntax priv_level does not seem to be a keyword
>> >>> > but rather the actual name of a table or database.. so why does it
>> >>> > appear like a keyword? Also priv_level is confusing and rather clear
>> >>> > syntax should look like below...
>> >>> >
>> >>> > Again answer to original question from Brett, yes GRANT syntax
>> >>> > should be similar to REVOKE but rather priv_level should be removed
>> >>> > from REVOKE as well.. :)
>> >>> >
>> >>> > GRANT
>> >>> >     priv_type [(column_list)]
>> >>> >       [, priv_type [(column_list)]] ...
>> >>> >     [ON object_type]
>> >>> >     TO principal_specification [, principal_specification] ...
>> >>> >     [WITH GRANT OPTION]
>> >>> >
>> >>> > REVOKE [GRANT OPTION FOR]
>> >>> >     priv_type [(column_list)]
>> >>> >       [, priv_type [(column_list)]] ...
>> >>> >     [ON object_type]
>> >>> >     FROM principal_specification [, principal_specification] ...
>> >>> >
>> >>> > REVOKE ALL PRIVILEGES, GRANT OPTION
>> >>> >     FROM user [, user] ...
>> >>> >
>> >>> > priv_type:
>> >>> >     ALL | ALTER | UPDATE | CREATE | DROP
>> >>> >   | INDEX | LOCK | SELECT | SHOW_DATABASE
>> >>> >
>> >>> > object_type:
>> >>> >     TABLE tbl_name
>> >>> >   | DATABASE db_name
>> >>> >
>> >>> > principal_specification:
>> >>> >     USER user
>> >>> >   | GROUP group
>> >>> >   | ROLE role
>> >>> >
>> >>> >
>> >>> > On Sat, Oct 11, 2014 at 7:55 PM, Lefty Leverenz
>> >>> > <leftylever...@gmail.com>
>> >>> > wrote:
>> >>> >>
>> >>> >> Good catch, Brett.  Can we have confirmation from an expert?
>> >>> >>
>> >>> >> Also, is object_type optional?
>> >>> >>
>> >>> >> It isn't clear to me why priv_level isn't called object_name.
>> >>> >>
>> >>> >> -- Lefty
>> >>> >>
>> >>> >> On Thu, Oct 9, 2014 at 8:23 AM, Brett Randall <javabr...@gmail.com>
>> >>> >> wrote:
>> >>> >>>
>> >>> >>> Hi,
>> >>> >>>
>> >>> >>> On
>> >>> >>> https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode#HiveDefaultAuthorization-LegacyMode-Grant/RevokePrivileges
>> >>> >>> , GRANT shows as:
>> >>> >>>
>> >>> >>> GRANT
>> >>> >>>     priv_type [(column_list)]
>> >>> >>>       [, priv_type [(column_list)]] ...
>> >>> >>>     [ON object_type]
>> >>> >>>     TO principal_specification [, principal_specification] ...
>> >>> >>>     [WITH GRANT OPTION]
>> >>> >>>
>> >>> >>> Should that not be [ON object_type priv_level], same as REVOKE,
>> >>> >>> where:
>> >>> >>>
>> >>> >>> object_type:
>> >>> >>>     TABLE
>> >>> >>>   | DATABASE
>> >>> >>>
>> >>> >>> priv_level:
>> >>> >>>     db_name
>> >>> >>>   | tbl_name
>> >>> >>>
>> >>> >>> Thanks
>> >>> >>> Brett
>> >>> >>
>> >>> >>
>> >>> >
>> >>
>> >>
>> >
>>
>
>
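
The grammar proposed in the thread above, as an added example that is not part of the original messages and not Hive's own parser: a Python parser for GRANT and REVOKE [GRANT OPTION FOR] that assumes, as the latest message does, that TABLE or DATABASE is required after ON. The function name and return layout are hypothetical; the REVOKE ALL PRIVILEGES form and quoted identifiers are not handled.

```python
import re

# Keyword sets copied from the grammar quoted in the thread.
PRIV_TYPES = set("ALL ALTER UPDATE CREATE DROP INDEX LOCK SELECT SHOW_DATABASE".split())
OBJECT_KINDS = {"TABLE", "DATABASE"}   # assumption: keyword is mandatory after ON
PRINCIPAL_KINDS = {"USER", "GROUP", "ROLE"}

def parse_privilege_stmt(stmt):
    """Return (verb, privileges, object, principals, grant_option) or raise ValueError."""
    toks = re.findall(r"[A-Za-z_][\w.]*|\S", stmt.strip().rstrip(";"))
    pos = 0

    def peek():
        return toks[pos].upper() if pos < len(toks) else None
    def take(*allowed):  # consume a listed keyword, or (no arguments) an identifier
        nonlocal pos
        tok = toks[pos] if pos < len(toks) else ""
        ok = tok.upper() in allowed if allowed else re.match(r"[A-Za-z_]", tok)
        if not ok:
            raise ValueError(f"token {pos}: got {tok!r}, expected {allowed or 'a name'}")
        pos += 1
        return tok.upper() if allowed else tok
    def seq(item):  # item [, item] ...
        out = [item()]
        while peek() == ",":
            take(","); out.append(item())
        return out
    def priv():  # priv_type [(column_list)]
        kind, cols = take(*PRIV_TYPES), []
        if peek() == "(":
            take("("); cols = seq(take); take(")")
        return kind, cols

    verb = take("GRANT", "REVOKE")
    grant_option = verb == "REVOKE" and peek() == "GRANT"
    if grant_option:  # REVOKE GRANT OPTION FOR ...
        take("GRANT"); take("OPTION"); take("FOR")
    privs = seq(priv)
    obj = None
    if peek() == "ON":  # [ON object_specification]
        take("ON"); obj = (take(*OBJECT_KINDS), take())
    take("TO" if verb == "GRANT" else "FROM")
    principals = seq(lambda: (take(*PRINCIPAL_KINDS), take()))
    if verb == "GRANT" and peek() == "WITH":
        take("WITH"); take("GRANT"); take("OPTION"); grant_option = True
    if pos != len(toks):
        raise ValueError(f"unexpected trailing token {toks[pos]!r}")
    return verb, privs, obj, principals, grant_option
```

A statement such as `GRANT SELECT ON sales TO USER alice` is rejected here because the object name is not preceded by TABLE or DATABASE.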
