指令類型:
創建、刪除角色:
CREATE ROLE sentry_all;
droop role admin_role;
角色授權/撤銷權限:
數據庫級別角色授權
GRANT ALL ON DATABASE default TO ROLE bd;
表級別角色授權
GRANT SELECT ON table sentry_test TO ROLE sentry_insert;
字段級別授權
GRANT select(columnName) ON table sentry_test TO ROLE sentry_insert;
Sentry的權限(privilege),常見就是兩種,一種是select,一種是all;盡管有一種insert,但是如果僅僅是單獨賦權限insert仍然無法成功賦寫權限;
用戶授權
GRANT ROLE sentry_all TO GROUP hive;
REVOKE ROLE sentry_all FROM GROUP bd;
注意,這個group一定是linux用戶組(不需要是hdfs用戶);
展示類指令
展示角色的權限:
show grant role write;
展示綁定到用戶的角色:
SHOW ROLE GRANT GROUP bd;
腳手架
sentry默認管理員是hive
具有最大的權限;創建角色、授權等都要在這個角色下;
如果想要增加管理員在sentry的sentry.service.admin.group配置項中增加;
采用beeline方式登錄hive:
beeline -u"jdbc:hive2://slave1:10000" -n solr
-u代表url,-n代表name,用戶之意;不需要密碼,只要指定用戶即可(上面介紹了,這個用戶必須要當前機器linux用戶組;估計是要做本地用戶(權限)映射;
或者:
>beeline(回車)
>!connect jdbc:hive2://localhost:10000/ solr(回車)
(然后會要求輸入密碼,不用管,直接回車跳過即可)
hive插入數據:
insert into sentry_test values('i','j');
碰到的異常
1. 啟動服務建表失敗
Query for candidates of org.apache.sentry.provider.db.service.model.MSentryVersion and subclasses resulted in no possible candidates Required table missing : "`SENTRY_VERSION`" in Catalog "" Schema "". DataNucleus requires this table to perform its persistence operations. Either your MetaData is incorrect, or you need to enable "datanucleus.autoCreateTables" org.datanucleus.store.rdbms.exceptions.MissingTableException: Required table missing : "`SENTRY_VERSION`" in Catalog "" Schema "". DataNucleus requires this table to perform its persistence operations. Either your MetaData is incorrect, or you need to enable "datanucleus.autoCreateTables"
需要在hive中配置datanucleus.autoCreateSchema設置為true;重啟YARN服務后好了;
2. hive認證失敗
hive.server2.authentication can't be none in non-testing mode
在CDH的Hive的Config中搜索“sentry-site“,添加
name:sentry.hive.testing.mode
value:true
即可;
測試:!connect jdbc:hive2://localhost:10000/ user
show roles;
將會看到異常:
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: Access denied to root (state=08S01,code=1)
切換到!connect jdbc:hive2://localhost:10000/ hive hive,再執行show roles即可;這是因為hive用戶是在sentry的管理用戶組中。
3. hue里面有一點比較混淆,就是你如果設置完權限后,並不能馬上再頁面中顯示出來,如果刷新仍然無法獲得新的權限下面的內容,就點擊一下左側區域的刷新按鈕;就會體現出來當前權限。
4. impala權限問題
java.sql.SQLException: [Simba][ImpalaJDBCDriver](500051) ERROR processing query/statement. Error Code: 0, SQL state: TStatus(statusCode:ERROR_STATUS, sqlState:HY000,errorMessage:AuthorizationException: User '' does not have privileges to execute 'SELECT' on: default.test), Query: select * from test limit 100000. Query: select * from test limit 100000 Parameters: []
Impala采用Sentry之后,impala爆此異常,后來取消sentry授權,問題解決。
Sentry的架構綜述
Sentry的配置說明