I. Practical notes
I mainly followed this link, which explains things in considerable detail: http://www.aboutyun.com/thread-12549-1-1.html
Summarized as follows:
1. If you grant a user privileges on a particular table, querying that user's privileges on the database the table belongs to shows nothing; you have to query that specific table.
2. To grant a user privileges on table t1 in database db1, you must first run use db1;
3. When writing the hook function, in my own testing (this is Hive 0.13), it seemed that grant and revoke by non-superadmin users could not be controlled, whereas create role r_name could be, which proves the control class does take effect. I don't know whether some HiveParser.TOK_XXXX is missing or it is another problem; alternatively, you can match ast.getToken().getText() directly against the string "TOK_CREATEROLE", which works without problems.
4. The Hive authorization above only applies to the Hive CLI. If you query through JDBC, the Thrift interface or the Hue query page it provides no access control, so it is not completely secure; it only prevents users from accidentally doing something inappropriate, not malicious users from doing harm.
5. If you want better and more secure control of Hive privileges, you can use Kerberos authentication; I hear Kerberos is very powerful and can also manage HDFS, HBase and so on.
A brief summary follows for later reference. There are two main steps: first, modify the configuration file; second, become familiar with the authorization syntax.
II. Modifying the configuration file
1. Modify hive-site.xml
```xml
<!-- Parameter tuning -->
<property>
  <name>hive.exec.parallel</name>
  <value>true</value>
  <description>Whether to execute jobs in parallel</description>
</property>
<property>
  <name>hive.exec.parallel.thread.number</name>
  <value>16</value>
  <description>How many jobs at most can be executed in parallel</description>
</property>

<!-- Authorization settings -->
<!-- Enable authorization in the Hive CLI -->
<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>enable or disable the hive client authorization</description>
</property>
<!-- Privileges granted to the creator of a table -->
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
  <description>
    the privileges automatically granted to the owner whenever a table gets created.
  </description>
</property>
<!-- Whether the metastore should check storage permissions for operations such as drop partition; the default is false -->
<property>
  <name>hive.metastore.authorization.storage.checks</name>
  <value>true</value>
  <description>
    Should the metastore do authorization checks against
    the underlying storage for operations like drop-partition (disallow
    the drop-partition if the user in question doesn't have permissions
    to delete the corresponding directory on the storage).
  </description>
</property>
<!-- In unsecure mode, setting this to true makes the metastore perform DFS operations with the client's user and group
     permissions; the default is false. This property must be set on both the server and the client side. -->
<property>
  <name>hive.metastore.execute.setugi</name>
  <value>false</value>
  <description>
    In unsecure mode, setting this property to true will cause the metastore to execute DFS operations using the client's reported user
    and group permissions. Note that this property must be set on both the client
    and server sides. Further note that it is best effort. If the client sets it to true and the server sets it to false, the client setting will be ignored.
  </description>
</property>
<!-- Configure the superadmin: a custom control class that extends AbstractSemanticAnalyzerHook -->
<property>
  <name>hive.semantic.analyzer.hook</name>
  <value>com.kent.test.AuthorityHook</value>
</property>
<!-- If you see the following error:
     Error while compiling statement: FAILED: SemanticException The current builtin authorization in Hive is incomplete and disabled.
     configure the property below -->
<property>
  <name>hive.security.authorization.task.factory</name>
  <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
```
2. Custom control class (extends AbstractSemanticAnalyzerHook)
```java
package com.kent.test;

import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveParser;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;

/**
 * Semantic analyzer hook: only the users listed in {@code admin} may run
 * administrative statements (database create/drop, role create/drop, grant/revoke).
 */
public class AuthorityHook extends AbstractSemanticAnalyzerHook {

    private static final String[] admin = {"admin", "root"};

    /** Returns true if userName is one of the configured superadmins (case-insensitive). */
    static boolean isAdmin(String userName) {
        for (String a : admin) {
            if (a.equalsIgnoreCase(userName)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast)
            throws SemanticException {
        switch (ast.getToken().getType()) {
            case HiveParser.TOK_CREATEDATABASE:
            case HiveParser.TOK_DROPDATABASE:
            case HiveParser.TOK_CREATEROLE:
            case HiveParser.TOK_DROPROLE:
            case HiveParser.TOK_GRANT:
            case HiveParser.TOK_REVOKE:
            case HiveParser.TOK_GRANT_ROLE:
            case HiveParser.TOK_REVOKE_ROLE: {
                // Resolve the current user from the session's authenticator
                String userName = null;
                if (SessionState.get() != null && SessionState.get().getAuthenticator() != null) {
                    userName = SessionState.get().getAuthenticator().getUserName();
                }
                // Unknown (null) users are rejected as well
                if (!isAdmin(userName)) {
                    throw new SemanticException(userName + " can't use ADMIN options, except "
                            + admin[0] + "," + admin[1] + ".");
                }
                break;
            }
            default:
                break;
        }
        return ast;
    }

    /** Local sanity check of the admin test, without a running Hive session. */
    public static void main(String[] args) throws SemanticException {
        String userName = "root";
        if (!isAdmin(userName)) {
            throw new SemanticException(userName + " can't use ADMIN options, except "
                    + admin[0] + "," + admin[1] + ".");
        }
        System.out.println(userName + " is an admin");
    }
}
```
III. Authorization syntax
1. Role-based control
```sql
-- Create and drop a role
create role role_name;
drop role role_name;
-- List all roles
show roles;
-- Grant privileges to a role
grant select on database db_name to role role_name;
grant select on [table] t_name to role role_name;
-- View a role's privileges
show grant role role_name on database db_name;
show grant role role_name on [table] t_name;
-- Grant a role to a user
grant role role_name to user user_name;
-- Revoke privileges from a role
revoke select on database db_name from role role_name;
revoke select on [table] t_name from role role_name;
-- View all roles of a user
show role grant user user_name;
```
2. User-based control
1) Privilege table

| Operation (opera) | Meaning |
|---|---|
| ALL | All privileges |
| ALTER | Allows modifying metadata (modify metadata of object): table definition data |
| UPDATE | Allows modifying physical data (modify physical data of object): the actual data |
| CREATE | Allows CREATE operations |
| DROP | Allows DROP operations |
| INDEX | Allows creating indexes (not yet implemented) |
| LOCK | Allows the user to LOCK and UNLOCK under concurrent use |
| SELECT | Allows the user to run SELECT |
| SHOW_DATABASE | Allows the user to see the available databases |

2) Syntax
```sql
-- Grant privileges to a user
grant opera on database db_name to user user_name;
grant opera on [table] t_name to user user_name;
-- Revoke privileges from a user
revoke opera on database db_name from user user_name;
-- View a user's privileges
show grant user user_name on database db_name;
show grant user user_name on [table] t_name;
```
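As an added worked example (not part of the original post), here is the syntax from section III applied to the db1/t1 names used in part I, showing the two pitfalls noted there: selecting the database first, and checking the grant on the table rather than on the database. The user names alice and bob and the role name r_analyst are assumed.

```sql
-- Run as a superadmin (root or admin in the hook's list); the hook rejects grant/revoke for anyone else.
use db1;                                        -- note 2: select the database before granting on t1

-- Direct user privilege (section III.2)
grant select on table t1 to user alice;         -- assumed user name
show grant user alice on table t1;              -- lists the SELECT grant
show grant user alice on database db1;          -- note 1: returns nothing, the grant lives on the table, not on db1

-- Role-based variant (section III.1): put the privilege on a role, then give the role to users
create role r_analyst;                          -- assumed role name
grant select on table t1 to role r_analyst;
grant role r_analyst to user bob;               -- assumed user name
show grant role r_analyst on table t1;
show role grant user bob;

-- Least privilege: revoke access as soon as it is no longer needed
revoke select on table t1 from user alice;
revoke select on table t1 from role r_analyst;
drop role r_analyst;
```

Remember from part I, note 4, that these checks are enforced only in the Hive CLI; a JDBC, Thrift or Hue session is not bound by them.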