[root@hadoop -]# useradd hive 
[root@hadoop -]# sudo su -hadoop
[hadoop@hadoop ~]$ hive

hive> show databases;
OK
default
hive_test
Time taken: 2.578 seconds, Fetched: 2 row(s) 
hive> use hive test;
OK
Time taken: 0.013 seconds 
hive> show tables;
OK
bucket_table
partition_table
test
Time taken: 0.017 seconds, Fetched: 3 row(s) 

将test的查询权限赋给hive角色
hive> grant select on table test to user hive;
OK
Time taken: 0.119 seconds 
hive>

[hadoop@hadoop ~]$ sudo su -hive
切换后记得配置此用户的相关环境变量

[hive@hadoop ~]$ hive
hive> use hive_test;
OK
Time taken: 2.537 seconds
hive> select from test limit 1;
OK
9f864c5c1c394014996a57d16491b5d1	Tom	["sing","reading"]	{"computer":91, "chinese" : 81, "math" : 70, "english": 72}
Time taken: 1.166 seconds, Fetched: 1 row(s) 
hive>

hive用户创建一个表
hive> create database hive test2;
OK
Time taken: 0.043 seconds 
hive> use hive test2;
OK
Time taken: 0.009 seconds
hive> create table test2 (id int, name string);
OK
Time taken: 0.207 seconds
将test2的查询权限赋给hadoop角色；这里是有安全隐患的 hive可以将test2 grant给hadoop用户，hadoop用户也可以将test2 grant给其他用户。hive当中没有高级管理员概念。
hive> grant select on table test2 to user hadoop;
OK

<dependencies>
    <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>4.11</version>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.apache.hive</groupId>
        <artifactId>hive-exec</artifactId>
        <version>2.3.6</version>
    </dependency>
</dependencies>

<build>
    <plugins>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-compiler-plugin</artifactId>
            <version>3.8.0</version>
            <configuration>
                <source>1.8</source>
                <target>1.8</target>
            </configuration>
        </plugin>
    </plugins>
</build>

import com.google.common.base.Joiner;
import org.apache.hadoop.hive.ql.parse.*;
import org.apache.hadoop.hive.ql.session.SessionState;

public class HiveAdmin extends AbstractSemanticAnalyzerHook {
    
	//将hadoop命名为管理员
    private static String[] admins = {"hadoop"};

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast) throws SemanticException {
        switch (ast.getToken().getType()) {
            case HiveParser
                    .TOK_CREATEDATABASE:
            case HiveParser.TOK_DROPDATABASE:
            case HiveParser.TOK_CREATEROLE:
            case HiveParser.TOK_DROPROLE:
            case HiveParser.TOK_GRANT:
            case HiveParser.TOK_REVOKE:
            case HiveParser.TOK_GRANT_ROLE:
            case HiveParser.TOK_REVOKE_ROLE:
            case HiveParser.TOK_CREATETABLE:
                String userName = null;
                if (SessionState.get() != null && SessionState.get().getAuthenticator().getUserName() != null) {
                    userName = SessionState.get().getAuthenticator().getUserName();
                }
                boolean isAdmin = false;
                for (String admin : admins) {
                    if (admin.equalsIgnoreCase(userName)) {
                        isAdmin = true;
                        break;
                    }
                }
                if (!isAdmin) {
                    throw new SemanticException(userName + "is not Admin, except " + Joiner.on(",").join(admins));
                }
                break;
            default:
                break;
        }
        return ast;
    }

}

<property> 
	<name>hive.users.in.admin.role</name>
	<value>hadoop</value>
	<description>定义超级管理员启动的时候会自动创建Comma separated list of users who are in admin role for bootstrapping.More users can be added in ADMIN role later.</description> 
</property>
<property> 
	<name>hive.metastore.authorization.storage.checks</name>
	<value>true</value>
</property>
<property>
	<name>hive.metastore.execute.setugi</name>
	<value>false</value>
</property>
<property> 
	<name>hive.security.authorization.enabled</name>
	<value>true</value>
	<description>开启权限enable or disable thehive client authorization</descrption>
</property>
<property>
	<name>hive. security.authorization.createtable.owner.grants</name>
	<value>ALL</value>
	<description>表的创建者对表拥有所有权限the privileges automaticallygrantedo the owner whenever a table gets created. An example like"select, drop" wil] grant select and drop privilege to the owner ofthe table</description>
</property>
<property>
	<name>hive.security.authorization.task.factory</name> 
	<value>org.apache.hadoop.hive.ql.parse.authorization. HiveAuthorizationTaskFactoryImpl</value>
	<description>进行权限控制的配置。</description>
</property>
<property>
	<name>hive.semantic.analyzer.hook</name> 
	<value>com.kun.hive.security.HiveAdmin</value>
	<description>使用钩子程序,识别超级管理员,进行授权控制。</description>
</property>

当前用户是hadoop

[hadoop@hadoop ~]$ hive --service metastore &
[hadoop@hadoop ~]$ hive

hive> set role admin;
ОК
Time taken: 2.485 seconds 
hive> show roles;
ОК
admin
public
Time taken: 0.081 seconds, Fetched: 2 row(s) 
hive> use hive_test;
ОК
Time taken: 0.019 seconds 
hive> show tables;
ОК
bucket_table
partition_table
test
Time taken: 0.017 seconds, Fetched: 3 row(s)
hive> grant select on table bucket_table to user hive;
ОK
Time taken: 0.099 seconds 
hive> 

[hadoop@hadoop lib]$ logout
[root@hadoop ~]$ sudo su - hive

[hive@hadoop ~]$ hive

hive不属于管理员角色，所以无法进行set role admin 和 show roles
hive> set role admin;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql. exec.D DLTask. hive doesn't belong to role admin
hive> show roles;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.D DLTask. Current user : hive is not allowed to list roles. User has to belong to ADMIN role and have it as current role, for this action.

hive> use hive_test2;
OK
Time taken: 0.018 seconds 
hive> show tables;
OK
test2
Time taken: 0.02 seconds, Fetched: 1 row(s) 

hive用户无法将test2 grant给其他用户
hive> grant select on table test2 to user root;
FAILED: SemanticException hiveis not Admin, except hadoop