Enabling this in the CDH core-site: the first setting, false, means system users are bound to Hive user privileges, but in testing this did not take effect, so it can be changed to true.
The second setting, ALL, means the creator of a table holds all privileges on the tables they create, which is
reasonable. You need not keep the default; the privileges can be customized:
<property>
<name>
hive.security.authorization.createtable.owner.grants
</name>
<value>select,drop</value>
</property>
beeline authorization commands:
Syntax: https://www.cloudera.com/documentation/enterprise/6/6.2/topics/sg_hive_sql.html
Set up a simple test example
create database db_test1;
create table users(id int);
insert into table users values(2);
drop table users;
create external table employee (
name string,
city array<string>,
sex_age struct<sex:string,age:string>,
score map<string,int>
)
row format delimited
fields terminated by '|' -- fields are separated by |
collection items terminated by ',' -- array elements are separated by commas
map keys terminated by ':'; -- map key-value pairs are separated by colons
Authorization commands:
Log in to a node that runs HiveServer2
beeline
!connect jdbc:hive2://localhost:10000
hive hive
dev1 dev1
dev2 dev2
beeline -u "jdbc:hive2://localhost:10000/default"
create role admin;
grant all on server server1 to role admin; -- if this is granted to another role, every user holding that role gets privileges on all databases
grant role admin to group hive;
Example:
-- create separate roles for select and insert on a table, and grant them to dev1 and dev2
create role read;
grant select on table test to role read;
grant select on table db_test1.users1 to role read;
create role write;
grant insert on table test to role write;
grant insert on table db_test1.users1 to role write;
grant role read to group dev1;
grant role write to group dev2;
-- create one role with all privileges on a database and one with select only, and grant them to different users
create role db_test2_all;
grant all on database db_test2 to role db_test2_all;
grant role db_test2_all to group dev2;
create role db_test2_select;
grant select on database db_test2 to role db_test2_select;
grant role db_test2_select to group dev1;
-- View:
SHOW GRANT ROLE write;
SHOW ROLES;
SHOW CURRENT ROLES;
SHOW ROLE GRANT GROUP groupname; -- view the privileges a user holds; the group name matches the beeline user name, and the beeline user name matches the system user on the gateway host.
SHOW GRANT USER <user name>; -- view the objects a user can grant
show create table test_snappy_01; -- show the create-table statement
desc test_snappy_01; -- show the table structure
desc formatted test_snappy_01; -- show who the owner is
0: jdbc:hive2://localhost:10000> SHOW GRANT USER hive;
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| db_test5 | | | | hive | USER | OWNER | true | 1568026223000 | -- |
| db_test1 | users1 | | | hive | USER | OWNER | true | 1568085570000 | -- |
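As an added example (not part of the original notes), the following Python script parses the beeline SHOW GRANT table layout shown above and flags the rows a reviewer should look at: ALL on the whole server or on a whole database, and any grant carrying grant_option true (like the OWNER rows above, which can be delegated). The sample output is constructed, and the rendering of a server-level grant as database '*' with privilege '*' is an assumption.

```python
from typing import Dict, List, Tuple

# Constructed sample in the beeline table layout shown above, not real cluster output.
# Assumption: a server-level grant is rendered with database '*' and privilege '*'.
SAMPLE_OUTPUT = """\
+-----------+---------+------------+---------+------------------+-----------------+------------+---------------+----------------+----------+
| database  | table   | partition  | column  | principal_name   | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
+-----------+---------+------------+---------+------------------+-----------------+------------+---------------+----------------+----------+
| *         |         |            |         | admin            | ROLE            | *          | false         | 1568026223000  | --       |
| db_test1  | users1  |            |         | hive             | USER            | OWNER      | true          | 1568085570000  | --       |
| db_test2  |         |            |         | db_test2_all     | ROLE            | *          | false         | 1568085570000  | --       |
| db_test2  |         |            |         | db_test2_select  | ROLE            | SELECT     | false         | 1568085570000  | --       |
+-----------+---------+------------+---------+------------------+-----------------+------------+---------------+----------------+----------+
"""

def parse_show_grant(text: str) -> List[Dict[str, str]]:
    """Turn the pipe-delimited beeline table into one dict per grant row."""
    header: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.lstrip().startswith("|"):
            continue  # skip the +----+ border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not header:
            header = cells  # the first pipe row is the column header
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def audit_grants(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (principal, reason) pairs for grants a reviewer should look at."""
    findings: List[Tuple[str, str]] = []
    for r in rows:
        if r["database"] in ("", "*"):
            scope = "server"
        elif r["table"] == "":
            scope = "database " + r["database"]
        else:
            scope = "table " + r["database"] + "." + r["table"]
        # ALL ('*') on a whole server or database is far broader than a table grant
        if r["privilege"] in ("*", "ALL") and not scope.startswith("table"):
            findings.append((r["principal_name"], "ALL on " + scope))
        # grant_option lets the holder hand the privilege on to others
        if r["grant_option"].lower() == "true":
            findings.append((r["principal_name"], "grant option on " + scope))
    return findings

if __name__ == "__main__":
    for principal, reason in audit_grants(parse_show_grant(SAMPLE_OUTPUT)):
        print(principal, "->", reason)
```

Paste the real output of SHOW GRANT USER or SHOW GRANT ROLE in place of SAMPLE_OUTPUT to audit a live cluster.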
DROP ROLE <role name>;
REVOKE ROLE <role name> [, <role name>]
FROM GROUP <group name> [,GROUP <group name>]
GRANT
<privilege> [, <privilege> ]
ON <object type> <object name>
TO ROLE <role name> [,ROLE <role name>]
Revoking privileges:
REVOKE ROLE <role name> [, <role name>]
FROM GROUP <group name> [,GROUP <group name>]
Example:
REVOKE ROLE write FROM group dev2;
Revoking a privilege held by a role:
REVOKE SELECT ON DATABASE coffee_database FROM ROLE write;
Examples:
1/ When all privileges were granted to a role and need to be taken back:
grant all on server server1 to role write;
drop role write;
Then grant the role again.
2/ Changing privileges:
dev1 previously had read-only access to db_test1.users1; change it to read and write
dev2 previously had write access to db_test1.users1; change it to read-only
create role read_write_1;
grant select,insert on table db_test1.users1 to role read_write_1;
REVOKE ROLE read FROM group dev1;
grant role read_write_1 to group dev1;
REVOKE ROLE write FROM group dev2;
grant role read to group dev2;
Granting alter:
The alter privilege is not included in ALL and must be granted separately
https://docs.cloudera.com/documentation/enterprise/6/6.2/topics/sentry_object_ownership.html
- None - Default. Object ownership is disabled in Sentry. OWNER privileges cannot be assigned, and users who create objects do not receive owner privileges. Choosing this option does not, however, affect existing OWNER privileges.
- ALL privileges with GRANT - the object owner has ALL privileges on the object, can transfer the OWNER privilege on the object, and can grant and revoke other privileges on the object. The OWNER privilege is granted to the user who creates the object or to the user set by ALTER DATABASE SET OWNER or ALTER TABLE SET OWNER.
- ALL privileges - the object owner has ALL privileges on the object but cannot transfer the owner privilege to another user or role. The OWNER privilege is granted to the user who creates the object or to the user set by ALTER DATABASE SET OWNER or ALTER TABLE SET OWNER.
Test:
CREATE DATABASE test1_db;
SHOW CREATE DATABASE test1_db;
-- precondition: the creator of the database must be its owner; only the owner can grant alter on it to a role or user
alter database test1_db set owner role test_alter; -- give alter on a database to a role
alter database test1_db set owner user `mingze.yang`; -- give alter on a database to a user
-- for an existing database, look up the owner in the Hive metastore database:
-- database owner and its location on HDFS
SELECT * FROM DBS where name='test1_db';
MariaDB [hive]> SELECT * FROM DBS where name='test1_db';
+-------+------+---------------------------------------------------+----------+------------+------------+-------------+
| DB_ID | DESC | DB_LOCATION_URI | NAME | OWNER_NAME | OWNER_TYPE | CREATE_TIME |
+-------+------+---------------------------------------------------+----------+------------+------------+-------------+
| 86339 | NULL | hdfs://warehourse/user/hive/warehouse/test1_db.db | test1_db | test_alter | ROLE | 1572579900 |
+-------+------+---------------------------------------------------+----------+------------+------------+-------------+
1 row in set (0.00 sec)
-- database owner
SELECT name as db_name,
DB_ID, owner_name
FROM DBS where name='test1_db';
+----------+-------+------------+
| db_name | DB_ID | owner_name |
+----------+-------+------------+
| test1_db | 86339 | test_alter |
+----------+-------+------------+
1 row in set (0.00 sec)
-- columns, storage location and creation time of a table (joins TBLS, DBS, SDS and COLUMNS_V2)
SELECT
b1.db_name,
t1.TBL_NAME,
c1.COLUMN_NAME,
c1.TYPE_NAME,
c1.COMMENT,
s1.LOCATION,
from_unixtime(t1.CREATE_TIME,'%Y-%m-%d %H:%i:%S') AS CREATE_TIME
FROM
(SELECT TBL_ID,
CREATE_TIME,
OWNER,
TBL_NAME,
TBL_TYPE,
DB_ID,
SD_ID
FROM TBLS) t1
JOIN
(SELECT name as db_name,
DB_ID
FROM DBS) b1 ON t1.DB_ID=b1.DB_ID
JOIN
(SELECT CD_ID,
LOCATION,
SD_ID
FROM SDS) s1 ON t1.SD_ID=s1.SD_ID
JOIN
(SELECT CD_ID,
COMMENT,
COLUMN_NAME,
TYPE_NAME
FROM COLUMNS_V2) c1 ON c1.CD_ID=s1.CD_ID
where t1.TBL_NAME='dim_oride_city'
and b1.db_name in ('oride_dw');
Examples of resolving colleagues' issues:
SHOW ROLE GRANT GROUP dev1;
REVOKE ROLE read_write_1 FROM group dev1;
SHOW ROLES;
drop role table_insert;
create role db_test1_insert_table_users_only;
grant insert on table db_test1.users to role db_test1_insert_table_users_only;
grant role db_test1_insert_table_users_only to group dev3;
1. No drop privilege, yet the drop operation can be executed
0: jdbc:hive2://localhost:10000> drop database db_test1;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User dev1 does not have privileges for DROPDATABASE
The required privileges: Server=server1->Db=db_test1->action=drop->grantOption=false; (state=42000,code=40000)
2. No select privilege, yet queries can be run
3. Has insert, yet cannot insert
beeline:
1. dev3 has no privilege on the db_test1 database and its tables, yet can access them
show create table test_snappy_01; -- show the create-table statement
desc test_snappy_01; -- show the table structure
desc formatted test_snappy_01; -- show who the owner is
2. After granting on a specific table, every table in the database becomes visible
grant select on table db_test5.test_snappy_01 to role db_test5_select;
grant role db_test5_select to group dev2;