Integrating Hive with Sentry


1. Install and configure Sentry

See the previous post, "Installing and configuring Sentry", for the detailed steps.

2. Configure Hive

2.1 Integrating HiveServer2 with Sentry

Add the following to /etc/hive/conf/hive-site.xml:

<property>
   <name>hive.security.authorization.task.factory</name>
   <value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value>
</property>
<property>
   <name>hive.server2.session.hook</name>
   <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
</property>
<property>
   <name>hive.sentry.conf.url</name>
   <value>file:///etc/hive/conf/sentry-site.xml</value>
</property>

Create the file sentry-site.xml (the path that hive.sentry.conf.url points to above) in the /etc/hive/conf directory and add:

<property>
    <name>hive.sentry.server</name>
    <value>Sentry_HOSTNAME</value>
</property>
<property>
    <name>sentry.service.security.mode</name>
    <value>none</value>
</property>
<property>
    <name>sentry.hive.provider.backend</name>
    <value>org.apache.sentry.provider.db.SimpleDBProviderBackend</value>
</property>
<property>
    <name>sentry.service.client.server.rpc-address</name>
    <value>Sentry_HOSTNAME</value>
</property>
<property>
    <name>sentry.service.client.server.rpc-port</name>
    <value>8038</value>
</property>
<property>
    <name>sentry.service.client.server.rpc-connection-timeout</name>
    <value>200000</value>
</property>
<property>
    <name>hive.sentry.provider</name>
    <value>org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider</value>
</property>
<property>
    <name>hive.sentry.failure.hooks</name>
    <value>com.cloudera.navigator.audit.hive.HiveSentryOnFailureHook</value>
</property>
<property>
    <name>sentry.hive.testing.mode</name>
    <value>true</value>
</property>

2.2 Integrating the Hive Metastore with Sentry

Add the following to /etc/hive/conf/hive-site.xml:

<property>
    <name>hive.metastore.filter.hook</name>
    <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
</property>

<property>
    <name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.sentry.binding.metastore.MetastoreAuthzBinding</value>
    <description>list of comma separated listeners for metastore events.</description>
</property>

<property>
    <name>hive.metastore.event.listeners</name>
    <value>org.apache.sentry.binding.metastore.SentryMetastorePostEventListener</value>
    <description>list of comma separated listeners for metastore, post events.</description>
</property>
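Added example (not part of the original post or of Sentry): a small Python audit that parses Hadoop-style XML, checks that the HiveServer2 and Metastore bindings from sections 2.1 and 2.2 are present in hive-site.xml, and flags the two sentry-site.xml values above that are only appropriate for a test cluster, sentry.service.security.mode=none (the Sentry RPC service does not authenticate its clients) and sentry.hive.testing.mode=true (the binding tolerates HiveServer2 running without Kerberos). The two XML documents are constructed inline as sample input.

```python
import xml.etree.ElementTree as ET

# Hive-side bindings from sections 2.1 and 2.2; without them Sentry enforces nothing.
REQUIRED_HIVE_SITE = {
    "hive.security.authorization.task.factory":
        "org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl",
    "hive.server2.session.hook":
        "org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook",
    "hive.metastore.pre.event.listeners":
        "org.apache.sentry.binding.metastore.MetastoreAuthzBinding",
}
# Values used in the post's sentry-site.xml that are only acceptable for a lab.
WEAK_SENTRY_SITE = {
    "sentry.service.security.mode": ("none", "Sentry RPC accepts unauthenticated clients"),
    "sentry.hive.testing.mode": ("true", "binding tolerates HiveServer2 without Kerberos"),
}

# Constructed sample hive-site.xml: the metastore pre-event listener is missing.
SAMPLE_HIVE_SITE = """<configuration>
<property><name>hive.security.authorization.task.factory</name>
<value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value></property>
<property><name>hive.server2.session.hook</name>
<value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value></property>
</configuration>"""
# Constructed sample sentry-site.xml carrying the post's lab settings.
SAMPLE_SENTRY_SITE = """<configuration>
<property><name>sentry.service.security.mode</name><value>none</value></property>
<property><name>sentry.hive.testing.mode</name><value>true</value></property>
<property><name>sentry.service.client.server.rpc-port</name><value>8038</value></property>
</configuration>"""

def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit(hive_site, sentry_site):
    """List missing enforcement bindings and lab-only Sentry service settings."""
    findings = []
    for key, expected in REQUIRED_HIVE_SITE.items():
        if hive_site.get(key) != expected:
            findings.append(f"hive-site.xml: {key} missing or not {expected}")
    for key, (weak, why) in WEAK_SENTRY_SITE.items():
        if sentry_site.get(key, "").lower() == weak:
            findings.append(f"sentry-site.xml: {key}={weak} ({why})")
    return findings
```

Running audit() on the two samples yields three findings: the missing metastore listener and the two lab-only Sentry settings; a production hive-site.xml and sentry-site.xml read from disk should yield none.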

2.3 Restart Hive

First copy the Sentry jars into the lib directory under Hive's home directory, then restart HiveServer2:

cp /usr/lib/sentry/lib/sentry-*.jar /usr/lib/hive/lib/
cp /usr/lib/sentry/lib/shiro-*.jar /usr/lib/hive/lib/
/etc/init.d/hive-server2 restart

3. Testing

Connect with beeline as the hive user:

beeline> !connect jdbc:hive2://10.205.58.36:10000
scan complete in 3ms
Connecting to jdbc:hive2://10.205.58.36:10000
Enter username for jdbc:hive2://10.205.58.36:10000: hive
Enter password for jdbc:hive2://10.205.58.36:10000: 

List the databases:

0: jdbc:hive2://10.205.58.36:10000> show databases;
+----------------+--+
| database_name  |
+----------------+--+
| app            |
| default        |
| hbase          |
| tmp            |
| web            |
+----------------+--+

Now take a simple requirement as a privilege-assignment example:
hive belongs to the admin role and has ALL privileges on every database;
etl belongs to the etl role and has SELECT on the app and web databases;
analyst belongs to the analyst role and has SELECT on the hbase database.

First create the etl and analyst users and groups on the system (hive already exists by default):

useradd etl
useradd analyst

Connect with beeline as hive, create the roles and grant the privileges:

 jdbc:hive2://10.205.58.36:10000> CREATE ROLE admin;
 jdbc:hive2://10.205.58.36:10000> GRANT ROLE admin TO GROUP hive;
 jdbc:hive2://10.205.58.36:10000> GRANT ALL ON server SentryHostname to role admin;
 jdbc:hive2://10.205.58.36:10000> 
 jdbc:hive2://10.205.58.36:10000> CREATE ROLE etl;
 jdbc:hive2://10.205.58.36:10000> GRANT ROLE etl TO GROUP etl;
 jdbc:hive2://10.205.58.36:10000> GRANT SELECT ON DATABASE app TO ROLE etl;
 jdbc:hive2://10.205.58.36:10000> GRANT SELECT ON DATABASE web TO ROLE etl;
......

The hive user belongs to the admin role, has administrator privileges, and can list all roles:

0: jdbc:hive2://10.205.58.36:10000> show roles;
+----------+--+
|   role   |
+----------+--+
| etl      |
| analyst  |
| admin    |
+----------+--+

View all of the role's privileges:

0: jdbc:hive2://10.205.58.36:10000> SHOW GRANT ROLE admin;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *         |        |            |         | admin           | ROLE            | *          | false         | 1493962544757000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

Connect with beeline as the etl user:

beeline> !connect jdbc:hive2://10.205.58.36:10000
scan complete in 2ms
Connecting to jdbc:hive2://10.205.58.36:10000
Enter username for jdbc:hive2://10.205.58.36:10000: etl
Enter password for jdbc:hive2://10.205.58.36:10000: 

The etl user can only see the default, app and web databases:

0: jdbc:hive2://10.205.58.36:10000> show databases;
+----------------+--+
| database_name  |
+----------------+--+
| app            |
| default        |
| web            |
+----------------+--+

etl is an ordinary role: it cannot list all roles, but it can view its own current roles.

0: jdbc:hive2://10.205.58.36:10000> show roles;
ERROR : Error processing Sentry command: Access denied to etl.Please grant admin privilege to etl.
ERROR : FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: Access denied to etl
INFO  : Completed executing command(queryId=hive_20170505180707_737ce3c6-aade-4785-98a7-b66dda4f982f); Time taken: 0.009 seconds
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: Access denied to etl (state=08S01,code=1)


0: jdbc:hive2://10.205.58.36:10000> show current roles;
+-------+--+
| role  |
+-------+--+
| etl   |
+-------+--+

View all of its privileges:

0: jdbc:hive2://10.205.58.36:10000> SHOW GRANT ROLE etl;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| app       |        |            |         | etl             | ROLE            | select     | false         | 1493965736909000  | --       |
| web       |        |            |         | etl             | ROLE            | select     | false         | 1493965737148000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
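As an added illustration (not from the post and not Sentry's own code), the following Python models the resolution chain behind the beeline sessions above: a user's OS group maps to Sentry roles, each role carries grants at server or database scope, and SHOW DATABASES lists a database when the user holds any privilege on it. The rule that default is always listed is taken from the etl session's output, which shows default without any grant on it; users, groups, roles and grants are the post's.

```python
# Model of the privilege resolution shown in the post; not Sentry's implementation.
# One OS group per user, as created with useradd (hive exists by default).
USER_GROUPS = {"hive": {"hive"}, "etl": {"etl"}, "analyst": {"analyst"}}
# GRANT ROLE ... TO GROUP ... statements from the post
GROUP_ROLES = {"hive": {"admin"}, "etl": {"etl"}, "analyst": {"analyst"}}
# role -> {scope: privilege}; the scope "*" stands for the server-level grant
ROLE_GRANTS = {
    "admin": {"*": "all"},
    "etl": {"app": "select", "web": "select"},
    "analyst": {"hbase": "select"},
}
# Databases that SHOW DATABASES returned for the hive user
ALL_DATABASES = ["app", "default", "hbase", "tmp", "web"]

def roles_for(user):
    """Resolve user -> OS groups -> roles; Sentry assigns roles to groups, not users."""
    return {role for group in USER_GROUPS.get(user, ())
            for role in GROUP_ROLES.get(group, ())}

def privilege_on(user, database):
    """Strongest privilege the user's roles hold on a database: 'all', 'select' or None.
    A server-level grant ("*") applies to every database."""
    best = None
    for role in roles_for(user):
        grants = ROLE_GRANTS.get(role, {})
        priv = grants.get("*") or grants.get(database)
        if priv == "all":
            return "all"
        if priv == "select":
            best = "select"
    return best

def visible_databases(user):
    """SHOW DATABASES as filtered in the post: default is always listed,
    any other database needs at least one privilege."""
    return [db for db in ALL_DATABASES
            if db == "default" or privilege_on(user, db) is not None]
```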
