Hive permission management


  • 1. Enable the Hive authorization configuration

  <property>
    <!-- Have the metastore also check permissions on the underlying storage for operations such as drop-partition -->
    <name>hive.metastore.authorization.storage.checks</name>
    <value>true</value>
  </property>
  <property>
    <!-- Do not let the metastore perform DFS operations as the client's reported user/group -->
    <name>hive.metastore.execute.setugi</name>
    <value>false</value>
  </property>
  <property>
    <!-- Turn on Hive client-side authorization checks -->
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <!-- Privileges granted automatically to the owner of every newly created table -->
    <name>hive.security.authorization.createtable.owner.grants</name>
    <value>ALL</value>
  </property>
  <property>
    <!-- Privileges granted automatically to these users on every newly created table -->
    <name>hive.security.authorization.createtable.user.grants</name>
    <value>etl:ALL;hive:ALL</value>
  </property>
  <property>
    <!-- Privileges granted automatically to these groups on every newly created table -->
    <name>hive.security.authorization.createtable.group.grants</name>
    <value>etl:ALL;hive:ALL</value>
  </property>
  <property>
    <!-- Task factory that builds the authorization DDL (GRANT/REVOKE/ROLE) tasks -->
    <name>hive.security.authorization.task.factory</name>
    <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
  </property>

 

  • 2. Grant syntax
  -- Create and drop roles
  create role role_name;
  drop role role_name;
  -- Show all roles
  show roles;
  -- Grant privileges to a role
  grant select on database db_name to role role_name;
  grant select on [table] t_name to role role_name;
  -- View a role's privileges
  show grant role role_name on database db_name;
  show grant role role_name on [table] t_name;
  -- Assign a role to a user
  grant role role_name to user user_name;
  -- Revoke privileges from a role
  revoke select on database db_name from role role_name;
  revoke select on [table] t_name from role role_name;
  -- View all roles of a given user
  show role grant user user_name;

      

  Operation        Explanation
  ALL              All privileges
  ALTER            Allows modifying the metadata of an object (the table definition data)
  UPDATE           Allows modifying the physical data of an object (the actual data)
  CREATE           Allows CREATE operations
  DROP             Allows DROP operations
  INDEX            Allows creating indexes (not yet implemented)
  LOCK             Allows the user to LOCK and UNLOCK when concurrent use occurs
  SELECT           Allows the user to perform SELECT operations
  SHOW_DATABASE    Allows the user to view the available databases
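The statements from section 2 assembled into one complete procedure, as an added example that is not part of the original article: a read-only role is created, given the SELECT privilege from the table above, assigned to a user, verified, and finally revoked. The database sales_db, table orders, role analyst_ro and user alice are constructed names; the same pattern applies to the other privileges listed.

```sql
-- Added example (constructed names, not from the original article).
USE sales_db;

-- 1. Create a role that will carry the privilege set.
CREATE ROLE analyst_ro;

-- 2. Grant the minimum needed: SELECT on the whole database ...
GRANT SELECT ON DATABASE sales_db TO ROLE analyst_ro;
-- ... or, narrower, SELECT on a single table only.
GRANT SELECT ON TABLE orders TO ROLE analyst_ro;

-- 3. Assign the role to a user; users receive privileges only through roles.
GRANT ROLE analyst_ro TO USER alice;

-- 4. Verify what the role and the user actually hold before handing it out widely.
SHOW GRANT ROLE analyst_ro ON DATABASE sales_db;
SHOW GRANT ROLE analyst_ro ON TABLE orders;
SHOW ROLE GRANT USER alice;

-- 5. Tighten later at the role level; every member loses the privilege at once.
REVOKE SELECT ON TABLE orders FROM ROLE analyst_ro;
REVOKE SELECT ON DATABASE sales_db FROM ROLE analyst_ro;

-- 6. Remove the role when it is no longer needed.
DROP ROLE analyst_ro;
```

Because the default authorization mode has no super administrator (see section 4), any user can run these GRANT/REVOKE statements unless the semantic analyzer hook described later is in place; check SHOW GRANT output after each change rather than assuming the role holds only what was intended.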

 

  • 3. Possible exceptions after enabling Hive authorization
Could not create a hive database cloudera_manager_metastore_canary_test_db_hive_HIVEMETASTORE_6da700a6bd79816eb36878227cd598b9
MetaException

  Cloudera Manager has a health check for Hive called the Hive Metastore Canary Health Test.

   Quoted reference:

   There is a known bug with the hive canary that may cause it to fail constantly - the client-configs we are using to connect to the hive metastore are partial. This may be the root cause of this failure. Do you have security enabled on the cluster? Did you change the Hadoop.rpc.protection configuration option? A fix is going to be available very soon with the next release of cloudera manager (5.1,5.2,5.3) and hopefully it will solve the problem. In the meantime you can disable the hive metastore canary. 

  Disable the Hive Metastore canary:

      CM GUI --> Hive --> Configuration --> search for "metastore_canary_health_enabled" and uncheck it (disabled). Save the setting and restart Hue, Oozie and Hive.

  • 4. Hive super administrator permission management

  Hive has no super administrator: any user can perform GRANT/REVOKE operations. To add a "super administrator", you must set the hive.semantic.analyzer.hook configuration and implement your own access-control class.

 

    

  <property>
    <name>hive.semantic.analyzer.hook</name>
    <value>com.hive.HiveAdmin</value>
  </property>

 

  Implement the custom class com.hive.HiveAdmin:

 

package com.hive;

import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveParser;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;

/**
 * Semantic analyzer hook that reserves administrative statements for a single
 * "super administrator" account. Registered via hive.semantic.analyzer.hook, it
 * runs before each statement is analysed and rejects privileged DDL/DCL from any
 * other user. It only guards statements compiled by Hive (CLI/HiveServer); it does
 * not protect the metastore against direct Thrift API access.
 */
public class HiveAdmin extends AbstractSemanticAnalyzerHook {
    // The only user allowed to run the statements listed below.
    private static final String admin = "admin";

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast)
            throws SemanticException {
        switch (ast.getToken().getType()) {
            // Database lifecycle, role lifecycle and GRANT/REVOKE are admin-only.
            case HiveParser.TOK_CREATEDATABASE:
            case HiveParser.TOK_DROPDATABASE:
            case HiveParser.TOK_CREATEROLE:
            case HiveParser.TOK_DROPROLE:
            case HiveParser.TOK_GRANT:
            case HiveParser.TOK_REVOKE:
            case HiveParser.TOK_GRANT_ROLE:
            case HiveParser.TOK_REVOKE_ROLE:
                // Resolve the calling user from the session authenticator.
                String userName = null;
                if (SessionState.get() != null && SessionState.get().getAuthenticator() != null) {
                    userName = SessionState.get().getAuthenticator().getUserName();
                }
                // An unresolved (null) user also fails this comparison, so the hook fails closed.
                if (!admin.equalsIgnoreCase(userName)) {
                    throw new SemanticException(userName + " can't use ADMIN options, except " + admin + ".");
                }
                break;
            default:
                // Every other statement type passes through unchanged.
                break;
        }
        return ast;
    }
}

 

