Ranger policies allowing create privilege for Hadoop_SQL tables

Users with authorized access through Ranger policies in Hadoop SQL with at least one of the following permissions can create extermal or managed tables on the corresponding database(s) listed in the policy.

A user creating external tables with location clauses requires one of the following additional access:
- direct read and write access to the HDFS location
- a Ranger Hadoop_SQL URL policy that provides the user read and write permissions on the HDFS location
A user creating external tables with location clauses must have read and write permissions on the HDFS location using one of the following:
- an appropriate HDFS POSIX permission
- HDFS ACL
- HDFS Ranger policy
  note
  If you choose to use an HDFS Ranger policy for this purpose, make sure to refer to the HDFS location in the Ranger policy using a path, such as: /databases/sample/username, not a URL, such as: hdfs://nameservice1/databases/sample/username . Make sure that the URL defined in Ranger does not have a trailing /.

Table 1. Permissions allowing a user to create a table
User	Permission	Database	Table	Column	UDF
hive and impala	all	database=* or <database name>
		database=* or <database name>	all (table=*)
		database=* or <database name>	all (table=*)	all (column=*)
		database=* or <database name>			udf=*
hive and impala	create	database=* or <database name>
		database=* or <database name>	all (table=*)
		database=* or <database name>	all (table=*)	all (column=*)
		database=* or <database name>			udf=*

note

For use-cases where only create access is provided and drop access is not provided explicitly, the user might implicitly get a few other permissions through the default policies added (unless the default policies are modified).
The default all database and all database, table policy usually would list {OWNER} as an authorized user.
For these use-cases where only permissions were provided at the database and udf levels, the user may still be able to create tables due to the reasons specified above.
Removing {OWNER} from these default policies would restrict access to users with specific permissions listed explicitly in policies. Removing {OWNER} is not recommended. Proceed with caution when considering such an action.
Any managed table creation using an external location would fail with the following error: A managed table's location should be located within managed warehouse root directory or within its database's managedLocationUri.