New in CDH 5.2: Apache Sentry Delegated GRANT and REVOKE

Categories: CDH Hive Hue Impala Platform Security & Cybersecurity

This new feature, jointly developed by Cloudera and Intel engineers, makes management of role-based security much easier in Apache Hive, Impala, and Hue.

Apache Sentry (incubating) provides centralized authorization for services and applications in the Apache Hadoop ecosystem, allowing administrators to set up granular, role-based protection on resources, and to review them in one place. Previously, Sentry only designated administrators to GRANT and REVOKE privileges on an authorizable object. In Apache Sentry 1.5.0 (shipping inside CDH 5.2), we have implemented a new feature (SENTRY-327) that allows admin users to delegate the GRANT privilege to other users using WITH GRANT OPTION. If a user has the GRANT OPTION privilege on a specific resource, the user can now grant the GRANT privilege to other users on the same resource. Apache Hive, Impala, and Hue have all been updated to take advantage of this new Sentry functionality.

In this post, we’ll provide an overview of how this new feature works.

Delegating GRANT/REVOKE Privileges

You can use Hive or Impala to grant privileges using the GRANT ... WITH GRANT OPTION SQL statement:

Note: Impala currently only supports granting/revoking a single privilege at a time (IMPALA-1341).

When WITH GRANT OPTION is specified, the command will give members of the target role privileges to issue their own GRANT

statements. Initially, only a pre-defined set of Sentry admin users can issue GRANT statements.

For example, the following commands will create a new role, sales_dept, and provide members of the role the GRANT OPTION privilege on database salesdb:

This will give users belonging to the sales_dept role the ability to grant equivalent or lesser privileges—privileges on salesdb or tables under salesdb—to other roles. This status includes the ability to grant using the GRANT OPTION privilege.

Thus, a user who belongs to the sales_dept role will now have privileges to execute commands such as:

The GRANT OPTION privilege also allows for granting the GRANT OPTION to other roles. For example, the following will grant the GRANT OPTION privilege to role marketing_dept, which will give members of that role the ability to grant it to other roles:

Viewing Granted Privileges

When managing role privileges, you can determine which privileges have been granted to a role and whether the privilege was granted using WITH GRANT OPTION, using:

This statement returns all privileges granted to a role by all users. It can be executed by admin users or by any user who currently belongs to the role.

An example from Impala is shown below. The statement returns similar results in Hive:

Revoking the GRANT privilege

If a user has the GRANT OPTION privilege, they can also revoke privilege from roles. The Impala and Hive syntax for REVOKE is:

To revoke only the grant option from a privilege, the GRANT OPTION FOR clause can be added to a REVOKE statement. When this clause is specified, the target privilege will be preserved, but users in the role will no longer be allowed to issue GRANT statements.

Hive does not currently support the GRANT OPTION FOR, but the REVOKE command without this clause will always revoke all privileges (those granted with and without WITH GRANT OPTION). For example, if a role named sales_dept was granted SELECT and INSERT privileges on table marketing:

The following REVOKE will only remove the INSERT on the table marketing, preserving the SELECT privilege:

Furthermore, we support the revocation of child privileges when executing the REVOKE command. To revoke all privileges on the database salesdb along with all privileges granted on all child tables:

Future Work

The Hive integration with Sentry is based on Hive 0.13, which does not support the GRANT OPTION FOR clause in the Hive revoke command. In Hive 0.14.0, this syntax is supported and the grant option for a privilege can be removed while still keeping the privilege using REVOKE. (For more information, see SENTRY-473.)

Impala syntax will also be enhanced to match the Hive syntax for granting/revoking multiple privileges to/from multiple roles in a single statement (IMPALA-1341).


This feature is co-developed by Intel and Cloudera. Many thanks to everyone who participated in this work (listed in alphabetical order):

  • Arun Suresh
  • Dapeng Sun
  • Haifeng Chen
  • Lenni Kuff
  • Prasad Mujumdar
  • Sravya Tirukkovalur
  • Xiaomeng Huang

Xiaomeng Huang is a Software Engineer at Intel.

Lenni Kuff is a Software Engineer at Cloudera.