  • Integrating Hive with Sentry

    1. Install and configure Sentry

    See the previous post on installing and configuring Sentry for the detailed steps.

    2. Configure Hive

    2.1 Integrate HiveServer2 with Sentry

    Add the following to /etc/hive/conf/hive-site.xml:

    <property>
       <name>hive.security.authorization.task.factory</name>
       <value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value>
    </property>
    <property>
       <name>hive.server2.session.hook</name>
       <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
    </property>
    <property>
       <name>hive.sentry.conf.url</name>
       <value>file:///etc/hive/conf/sentry-site.xml</value>
    </property>
    

    Create the file sentry-site.xml (the file referenced by hive.sentry.conf.url above) in /etc/hive/conf and add:

    <property>
        <name>hive.sentry.server</name>
        <value>Sentry_HOSTNAME</value>
    </property>
    <property>
        <name>sentry.service.security.mode</name>
        <value>none</value>
    </property>
    <property>
        <name>sentry.hive.provider.backend</name>
        <value>org.apache.sentry.provider.db.SimpleDBProviderBackend</value>
    </property>
    <property>
        <name>sentry.service.client.server.rpc-address</name>
        <value>Sentry_HOSTNAME</value>
    </property>
    <property>
        <name>sentry.service.client.server.rpc-port</name>
        <value>8038</value>
    </property>
    <property>
        <name>sentry.service.client.server.rpc-connection-timeout</name>
        <value>200000</value>
    </property>
    <property>
        <name>hive.sentry.provider</name>
        <value>org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider</value>
    </property>
    <property>
        <name>hive.sentry.failure.hooks</name>
        <value>com.cloudera.navigator.audit.hive.HiveSentryOnFailureHook</value>
    </property>
    <property>
        <name>sentry.hive.testing.mode</name>
        <value>true</value>
    </property>
    

    2.2 Integrate the Hive Metastore with Sentry

    Add the following to /etc/hive/conf/hive-site.xml:

    <property>
        <name>hive.metastore.filter.hook</name>
        <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
    </property>

    <property>
        <name>hive.metastore.pre.event.listeners</name>
        <value>org.apache.sentry.binding.metastore.MetastoreAuthzBinding</value>
        <description>list of comma separated listeners for metastore events.</description>
    </property>

    <property>
        <name>hive.metastore.event.listeners</name>
        <value>org.apache.sentry.binding.metastore.SentryMetastorePostEventListener</value>
        <description>list of comma separated listeners for metastore, post events.</description>
    </property>


    2.3 Restart Hive

    First copy the Sentry jars into the lib directory under Hive's home directory, then restart HiveServer2:

    cp /usr/lib/sentry/lib/sentry-*.jar /usr/lib/hive/lib/
    cp /usr/lib/sentry/lib/shiro-*.jar /usr/lib/hive/lib/
    /etc/init.d/hive-server2 restart
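Before restarting, it is worth checking that every hook from sections 2.1 and 2.2 is actually wired in and noting which of the walkthrough's settings are test-only. The following audit script is an added example, not part of the original post; the two XML strings are constructed excerpts modelled on the files above, and the weak-setting list reflects that `sentry.service.security.mode=none` runs the Hive-to-Sentry RPC without Kerberos and `sentry.hive.testing.mode=true` is a testing flag.

```python
import xml.etree.ElementTree as ET
# Constructed excerpts modelled on the two files above (not copied from a live cluster).
# hive.metastore.event.listeners is deliberately left out so the audit has something to flag.
HIVE_SITE = """<configuration>
  <property><name>hive.security.authorization.task.factory</name>
    <value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value></property>
  <property><name>hive.server2.session.hook</name>
    <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value></property>
  <property><name>hive.sentry.conf.url</name><value>file:///etc/hive/conf/sentry-site.xml</value></property>
  <property><name>hive.metastore.filter.hook</name>
    <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value></property>
  <property><name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.sentry.binding.metastore.MetastoreAuthzBinding</value></property>
</configuration>"""
SENTRY_SITE = """<configuration>
  <property><name>sentry.service.security.mode</name><value>none</value></property>
  <property><name>sentry.hive.testing.mode</name><value>true</value></property>
  <property><name>sentry.service.client.server.rpc-port</name><value>8038</value></property>
</configuration>"""

# Hooks that must be wired in; without them HiveServer2 / the metastore never consult Sentry.
REQUIRED = {
    "hive.security.authorization.task.factory": "SentryHiveAuthorizationTaskFactoryImpl",
    "hive.server2.session.hook": "HiveAuthzBindingSessionHook",
    "hive.metastore.filter.hook": "SentryMetaStoreFilterHook",
    "hive.metastore.pre.event.listeners": "MetastoreAuthzBinding",
    "hive.metastore.event.listeners": "SentryMetastorePostEventListener",
}
# Values used in the walkthrough that are acceptable on a test cluster but weaken a production one.
WEAK = {
    ("sentry.service.security.mode", "none"): "Hive talks to the Sentry service without Kerberos",
    ("sentry.hive.testing.mode", "true"): "Sentry testing mode is enabled",
}

def load_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style XML config."""
    props = {}
    for p in ET.fromstring(xml_text).iter("property"):
        name, value = p.find("name"), p.find("value")
        if name is not None and value is not None:
            props[name.text.strip()] = (value.text or "").strip()
    return props

def audit(hive_xml, sentry_xml):
    """Return (missing, weak): required hooks absent from the config, and weak settings present."""
    props = load_props(hive_xml)
    props.update(load_props(sentry_xml))
    # Listener keys are comma-separated lists, so check containment rather than equality.
    missing = [k for k, cls in REQUIRED.items() if cls not in props.get(k, "")]
    weak = [f"{k}={v}: {why}" for (k, v), why in WEAK.items() if props.get(k) == v]
    return missing, weak
```

Run it against the real /etc/hive/conf files by reading them into the two strings; an empty `missing` list and an empty `weak` list is what a production cluster should report.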
    

    3. Testing

    Connect with beeline as the hive user:

    beeline> !connect jdbc:hive2://10.205.58.36:10000
    scan complete in 3ms
    Connecting to jdbc:hive2://10.205.58.36:10000
    Enter username for jdbc:hive2://10.205.58.36:10000: hive
    Enter password for jdbc:hive2://10.205.58.36:10000: 
    

    List the databases:

    0: jdbc:hive2://10.205.58.36:10000> show databases;
    +----------------+--+
    | database_name  |
    +----------------+--+
    | app            |
    | default        |
    | hbase          |
    | tmp            |
    | web            |
    +----------------+--+
    

    Now work through a simple requirement as a privilege-assignment example:
    hive belongs to the admin role and has ALL privileges on every database;
    etl belongs to the etl role and has SELECT on the app and web databases;
    analyst belongs to the analyst role and has SELECT on the hbase database.

    First create the etl and analyst users and groups on the system (hive already exists by default):

    useradd etl
    useradd analyst
    

    Connect with beeline as hive, create the roles and grant the privileges:

     jdbc:hive2://10.205.58.36:10000> CREATE ROLE admin;
     jdbc:hive2://10.205.58.36:10000> GRANT ROLE admin TO GROUP hive;
     jdbc:hive2://10.205.58.36:10000> GRANT ALL ON server SentryHostname to role admin;
     jdbc:hive2://10.205.58.36:10000> 
     jdbc:hive2://10.205.58.36:10000> CREATE ROLE etl;
     jdbc:hive2://10.205.58.36:10000> GRANT ROLE etl TO GROUP etl;
     jdbc:hive2://10.205.58.36:10000> GRANT SELECT ON DATABASE app TO ROLE etl;
     jdbc:hive2://10.205.58.36:10000> GRANT SELECT ON DATABASE web TO ROLE etl;
    ......
    

    hive belongs to the admin role, which has administrator privileges and can list all roles:

    0: jdbc:hive2://10.205.58.36:10000> show roles;
    +----------+--+
    |   role   |
    +----------+--+
    | etl      |
    | analyst  |
    | admin    |
    +----------+--+
    

    List all of its privileges:

    0: jdbc:hive2://10.205.58.36:10000> SHOW GRANT ROLE admin;
    +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
    | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
    +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
    | *         |        |            |         | admin           | ROLE            | *          | false         | 1493962544757000  | --       |
    +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
    

    Connect with beeline as the etl user:

    beeline> !connect jdbc:hive2://10.205.58.36:10000
    scan complete in 2ms
    Connecting to jdbc:hive2://10.205.58.36:10000
    Enter username for jdbc:hive2://10.205.58.36:10000: etl
    Enter password for jdbc:hive2://10.205.58.36:10000: 
    

    The etl user can only see the default, app and web databases:

    0: jdbc:hive2://10.205.58.36:10000> show databases;
    +----------------+--+
    | database_name  |
    +----------------+--+
    | app            |
    | default        |
    | web            |
    +----------------+--+
    

    etl is an ordinary role: it cannot list all roles, but it can view its own current roles.

    0: jdbc:hive2://10.205.58.36:10000> show roles;
    ERROR : Error processing Sentry command: Access denied to etl.Please grant admin privilege to etl.
    ERROR : FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: Access denied to etl
    INFO  : Completed executing command(queryId=hive_20170505180707_737ce3c6-aade-4785-98a7-b66dda4f982f); Time taken: 0.009 seconds
    Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: Access denied to etl (state=08S01,code=1)
    
    
    0: jdbc:hive2://10.205.58.36:10000> show current roles;
    +-------+--+
    | role  |
    +-------+--+
    | etl   |
    +-------+--+
    

    List all of its privileges:

    0: jdbc:hive2://10.205.58.36:10000> SHOW GRANT ROLE etl;
    +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
    | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
    +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
    | app       |        |            |         | etl             | ROLE            | select     | false         | 1493965736909000  | --       |
    | web       |        |            |         | etl             | ROLE            | select     | false         | 1493965737148000  | --       |
    +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
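The role setup above is easier to review, and to re-check after a change, when the policy is declared once and both the grant statements and the expected `show databases` results are derived from it. The script below is an added example, not code from the original post: it encodes the requirement stated at the start of section 3 (including the analyst role), emits the beeline statements in the post's order, and predicts each user's visible databases so they can be compared with the sessions above. It assumes each user's OS group has the same name as the user (as with the `useradd` calls above) and uses the page's `SentryHostname` placeholder.

```python
# Policy-as-code for the requirement stated above: declare each role's group and privileges
# once, generate the beeline statements from it, and predict what each user should see so the
# result can be checked against the sessions in this post. Names are the walkthrough's own;
# "SentryHostname" is the page's placeholder for the Sentry server name.
POLICY = {  # role -> (group, [(scope, object, action)])
    "admin": ("hive", [("server", "SentryHostname", "ALL")]),
    "etl": ("etl", [("database", "app", "SELECT"), ("database", "web", "SELECT")]),
    "analyst": ("analyst", [("database", "hbase", "SELECT")]),
}
ALL_DBS = ["app", "default", "hbase", "tmp", "web"]  # as listed by the hive user above

def grant_statements(policy=POLICY):
    """Emit the CREATE ROLE / GRANT statements for the policy, in the order the post uses."""
    stmts = []
    for role, (group, privs) in policy.items():
        stmts.append(f"CREATE ROLE {role};")
        stmts.append(f"GRANT ROLE {role} TO GROUP {group};")
        for scope, obj, action in privs:
            stmts.append(f"GRANT {action} ON {scope.upper()} {obj} TO ROLE {role};")
    return stmts

def allowed(user, action, database, policy=POLICY):
    """A user holds a privilege through roles granted to its group (assumed: group name ==
    user name, as created with useradd above); ALL on the server covers every database."""
    for role, (group, privs) in policy.items():
        if group != user:
            continue
        for scope, obj, act in privs:
            if scope == "server" and act == "ALL":
                return True
            if scope == "database" and obj == database and act in ("ALL", action):
                return True
    return False

def visible_databases(user, all_dbs=ALL_DBS):
    """Expected `show databases` output; `default` is always listed, as in the etl session."""
    return [db for db in all_dbs if db == "default" or allowed(user, "SELECT", db)]
```

Comparing `visible_databases("etl")` with the etl session's output above is a quick way to confirm the metastore filter hook is active: if `tmp` or `hbase` show up for etl, the hook in section 2.2 is not in effect.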
    
  • Original post: https://www.cnblogs.com/bugsbunny/p/6823473.html