02-15-2023 04:33 AM
Hello,
I'm confused about documentation on privilege types when using HMS.
The following page is supposed to talk about HMS
https://docs.databricks.com/sql/language-manual/sql-ref-privileges-hms.html
but it also mentions
READ FILES
Query files directly using the storage credential or external location.
WRITE FILES
Directly COPY INTO files governed by the storage credential or external location.
If I understand correctly these (Storage Credential and External Location) only apply to Unity Catalog, as per this page:
https://docs.databricks.com/sql/language-manual/sql-ref-external-locations.html
Is this a mistake in the documentation, or is there something more fundamental that I don't understand?
02-15-2023 04:56 AM
Hi @Chris Nawara, The Privilege types and Secure objects are available both in HMS and Unity Catalog. However, there is a difference in implementation across both of them. And as the document mentions "The privilege model and securable objects differ depending on whether you are using a Unity Catalog metastore or the legacy Hive metastore".
02-15-2023 05:11 AM
Hi @Lakshay Goel, thanks for the rapid response!
There are two pages in the documentation, one for HMS:
https://docs.databricks.com/sql/language-manual/sql-ref-privileges-hms.html
which claims "This article describes the privilege model for the legacy Hive metastore",
and one for Unity Catalog:
https://docs.databricks.com/sql/language-manual/sql-ref-privileges.html
This article describes the privilege model for the Unity Catalog.
READ/WRITE FILES are mentioned in both. What I want to clarify is:
02-17-2023 03:08 AM
Hi @Chris Nawara, The two documentations talk about data governance. The concept of data governance is not exclusive to Unity Catalog. The difference here is that Unity Catalog helps you in implementing Data Governance at a much more granular level and better than HMS. So, to answer your questions
02-17-2023 08:12 AM
Hi @Lakshay Goel,
I'm not talking about reading/writing files, but about READ FILES/WRITE FILES permission that can be granted e.g. in the following way:
GRANT READ FILES ON STORAGE CREDENTIAL <storage_credential_name> TO <principal>;
As you said, that's a governance question and some things are done way better in UC than in HMS (but for certain reasons not dependent on me, UC is not an option). But there are differences between the two, so I guess my question is whether I can use this construct with both HMS and UC, or with UC only.
02-21-2023 02:16 AM
Hi @Chris Nawara
Hope all is well! Just wanted to check in if you were able to resolve your issue and would you be happy to share the solution or mark an answer as best? Else please let us know if you need more help.
We'd love to hear from you.
Thanks!
02-21-2023 03:10 AM
Hi @Vidula Khanna, thanks for checking in! Not yet, my last message is still unanswered.
03-10-2023 06:01 PM
Hi @Chris Nawara
I'm sorry you could not find a solution to your problem in the answers provided.
Our community strives to provide helpful and accurate information, but sometimes an immediate solution may only be available for some issues.
I suggest providing more information about your problem, such as specific error messages, error logs or details about the steps you have taken. This can help our community members better understand the issue and provide more targeted solutions.
Alternatively, you can consider contacting the support team for your product or service. They may be able to provide additional assistance or escalate the issue to the appropriate section for further investigation.
Thank you for your patience and understanding, and please let us know if there is anything else we can do to assist you.