指令类型:
创建、删除角色:
CREATE ROLE sentry_all;
droop role admin_role;
角色授权/撤销权限:
数据库级别角色授权
GRANT ALL ON DATABASE default TO ROLE bd;
表级别角色授权
GRANT SELECT ON table sentry_test TO ROLE sentry_insert;
字段级别授权
GRANT select(columnName) ON table sentry_test TO ROLE sentry_insert;
Sentry的权限(privilege),常见就是两种,一种是select,一种是all;尽管有一种insert,但是如果仅仅是单独赋权限insert仍然无法成功赋写权限;
用户授权
GRANT ROLE sentry_all TO GROUP hive;
REVOKE ROLE sentry_all FROM GROUP bd;
注意,这个group一定是linux用户组(不需要是hdfs用户);
展示类指令
展示角色的权限:
show grant role write;
展示绑定到用户的角色:
SHOW ROLE GRANT GROUP bd;
脚手架
sentry默认管理员是hive
具有最大的权限;创建角色、授权等都要在这个角色下;
如果想要增加管理员在sentry的sentry.service.admin.group配置项中增加;
采用beeline方式登录hive:
beeline -u"jdbc:hive2://slave1:10000" -n solr
-u代表url,-n代表name,用户之意;不需要密码,只要指定用户即可(上面介绍了,这个用户必须要当前机器linux用户组;估计是要做本地用户(权限)映射;
或者:
>beeline(回车)
>!connect jdbc:hive2://localhost:10000/ solr(回车)
(然后会要求输入密码,不用管,直接回车跳过即可)
hive插入数据:
insert into sentry_test values('i','j');
碰到的异常
1. 启动服务建表失败
Query for candidates of org.apache.sentry.provider.db.service.model.MSentryVersion and subclasses resulted in no possible candidates Required table missing : "`SENTRY_VERSION`" in Catalog "" Schema "". DataNucleus requires this table to perform its persistence operations. Either your MetaData is incorrect, or you need to enable "datanucleus.autoCreateTables" org.datanucleus.store.rdbms.exceptions.MissingTableException: Required table missing : "`SENTRY_VERSION`" in Catalog "" Schema "". DataNucleus requires this table to perform its persistence operations. Either your MetaData is incorrect, or you need to enable "datanucleus.autoCreateTables"
需要在hive中配置datanucleus.autoCreateSchema设置为true;重启YARN服务后好了;
2. hive认证失败
hive.server2.authentication can't be none in non-testing mode
在CDH的Hive的Config中搜索“sentry-site“,添加
name:sentry.hive.testing.mode
value:true
即可;
测试:!connect jdbc:hive2://localhost:10000/ user
show roles;
将会看到异常:
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: Access denied to root (state=08S01,code=1)
切换到!connect jdbc:hive2://localhost:10000/ hive hive,再执行show roles即可;这是因为hive用户是在sentry的管理用户组中。
3. hue里面有一点比较混淆,就是你如果设置完权限后,并不能马上再页面中显示出来,如果刷新仍然无法获得新的权限下面的内容,就点击一下左侧区域的刷新按钮;就会体现出来当前权限。
4. impala权限问题
java.sql.SQLException: [Simba][ImpalaJDBCDriver](500051) ERROR processing query/statement. Error Code: 0, SQL state: TStatus(statusCode:ERROR_STATUS, sqlState:HY000,errorMessage:AuthorizationException: User '' does not have privileges to execute 'SELECT' on: default.test), Query: select * from test limit 100000. Query: select * from test limit 100000 Parameters: []
Impala采用Sentry之后,impala爆此异常,后来取消sentry授权,问题解决。
Sentry的架构综述
Sentry的配置说明