Enabling Sentry permission control for Hue


References:

Cloudera official documentation on authorization, covering the web UI, LDAP and Sentry:

https://www.cloudera.com/documentation/enterprise/6/6.2/topics/sg_sentry_overview.html

Enabling Sentry:

https://cloud.tencent.com/developer/article/1077868

Granting privileges in Hue:

https://blog.csdn.net/lvtula/article/details/89840097

Yin Zhengjie's guide:

https://www.cnblogs.com/yinzhengjie/articles/10495217.html

Create the database:

CREATE DATABASE sentry DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
GRANT ALL ON sentry.* TO 'sentry'@'%' IDENTIFIED BY 'Fengfeng99~';
GRANT ALL ON sentry.* TO 'sentry'@'localhost' IDENTIFIED BY 'Fengfeng99~';

FLUSH PRIVILEGES;

In the CM console, add a service:

Select the Sentry service.

Place the Sentry Server on the node that hosts the database; select every node as a Gateway.

Enter the database password.

Finish.

 

Configure HDFS to enable ACLs and Sentry permission synchronization:

Configure Hive to use the Sentry service:

Disable Hive user impersonation:

If the cluster does not have security authentication enabled, the following parameters also need to be set:

Check that YARN's "allowed.system.users" contains hive.

Configure Impala to use Sentry:

Configure Hue to use Sentry:

Use beeline to make the hive user an administrator:

https://www.cnblogs.com/hongfeng2019/p/11557524.html

create role admin;
grant all on server server1 to role admin; -- if this is granted to another role, every user holding that role gets privileges on all databases
grant role admin to group hive;

Log in to Hue with the admin account and create three accounts:

Note: create the group first. For example, to create dev3:

1/ First create the dev3 group;

Then create the user:

Select the dev3 group:

Click "Add user":

In Hue, make the hive group an administrator: log in to Hue as hive and choose Security.

Under Browse or Roles, grant the privileges on server1 to hive.

Note: once Sentry is enabled, the database and table data under /user/hive/warehouse is governed by Sentry privileges, so a user can only access it after being granted privileges. For example, Sqoop jobs are launched as root, so root must be granted the database privileges in beeline.

Grant users access privileges on URIs:
https://docs.cloudera.com/documentation/enterprise/6/6.2/topics/impala_authorization.html#sentry_cm

Granting URI privileges
A URI is a file path that you specify as part of a statement, such as CREATE EXTERNAL TABLE and LOAD DATA. Usually you specify a UNIX-style path, but these locations can also be prefixed with hdfs:// to state explicitly that they are URIs. To set privileges on a URI, name the directory; the privilege then applies to every file in that directory and to every directory beneath it.

The URI must begin with hdfs://, s3a:// or file:///
For example:
HDFS: hdfs://host:port/path/to/hdfs/table
S3: s3a://host:port/path/to/s3/table

Local: file:///opt/cloudera/parcels

With high availability (HA), use the cluster (nameservice) name instead:
hdfs://ha-nn-uri/path/to/dir

Example 1: the data warehouse team needs to run a jar they developed themselves, but find they lack the privilege.

The requirement is:

create temporary function isInArea_test as 'com.oride.udf.IsInArea'
USING JAR 'hdfs://warehourse:8020/tmp/udf-1.0-SNAPSHOT-jar-with-dependencies.jar';

1/ HDFS privileges are needed to run the jar

-- create the role for the UDF HDFS directory
create role role_udf_hdfs_path;
GRANT ALL ON URI 'hdfs://warehourse:8020/' TO ROLE role_udf_hdfs_path;

2/ The UDF also needs the jar in the local ufile directory

-- create the role for the UDF local directory
create role role_udf_local_path;
GRANT ALL ON URI 'file:///opt/cloudera/parcels/CDH-6.2.0-1.cdh6.2.0.p0.967373/lib/hive/auxlib/' TO ROLE role_udf_local_path;
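As an added example (not code from the post, nor from Cloudera or Sentry), a small Python helper that checks a URI against the scheme rules quoted above, emits the beeline statements for a URI role, and flags grants such as ALL ON URI 'hdfs://warehourse:8020/' that cover an entire filesystem rather than only the directory holding the jar. Role, group and URI values come from the post; the function names are my own.

```python
from urllib.parse import urlparse

# Schemes the Cloudera text above says a Sentry URI must start with.
ALLOWED_SCHEMES = {"hdfs", "s3a", "file"}


def validate_uri(uri: str) -> str:
    """Return uri unchanged if it has the form Sentry accepts, else raise ValueError."""
    p = urlparse(uri)
    if p.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme {p.scheme!r}; use hdfs://, s3a:// or file:///")
    if p.scheme == "file" and p.netloc:
        raise ValueError("local paths need three slashes: file:///opt/...")
    if p.scheme == "hdfs" and not p.netloc:
        raise ValueError("hdfs:// URIs need host:port or the HA nameservice name")
    return uri


def is_whole_filesystem(uri: str) -> bool:
    """True when the path is empty or '/', so ALL would apply to every file under that scheme."""
    return urlparse(uri).path.strip("/") == ""


def uri_role_statements(role: str, uris: list, groups: list) -> list:
    """Build the HiveQL statements (run in beeline) that create a role,
    grant it each URI, and map it to the given groups.

    Group names are quoted with backticks because names such as mingze.yang
    contain a dot, as in the post's own grant statements."""
    stmts = [f"CREATE ROLE {role};"]
    for uri in uris:
        validate_uri(uri)  # reject ufile:// or malformed URIs before they reach beeline
        stmts.append(f"GRANT ALL ON URI '{uri}' TO ROLE {role};")
    for g in groups:
        stmts.append(f"GRANT ROLE {role} TO GROUP `{g}`;")
    return stmts


def broad_grants(uris: list) -> list:
    """Return the URIs whose grant would cover an entire filesystem or bucket.
    The UDF jar in Example 1 lives under /tmp, so a grant on that directory
    is enough; ALL on 'hdfs://warehourse:8020/' covers the whole cluster."""
    return [u for u in uris if is_whole_filesystem(u)]


if __name__ == "__main__":
    # Constructed input mirroring Example 1, narrowed to the jar's directory.
    for s in uri_role_statements("role_udf_hdfs_path", ["hdfs://warehourse:8020/tmp"], ["mingze.yang"]):
        print(s)
    print("too broad:", broad_grants(["hdfs://warehourse:8020/", "s3a://opay-bi", "s3a://opay-bi/opay"]))
```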


Example 2: grant users access to S3:
Method 1: add a prefix such as /usr/hive/warehouse in CDH's HDFS settings, but this does not support s3 or ufile
https://blog.csdn.net/wflh323/article/details/88891579
Under Sentry, in "Sentry Synchronization Path Prefixes", add:
ufile://opay-datalake
s3a://opay-bi
https://www.iteye.com/blog/lookqlp-2191087

Method 2: grant on the URI so that users can access the S3 data.
ufile does not support this, so a shared account is used instead: airflow is added to the admin role.

beeline
!connect jdbc:hive2://localhost:10000
!connect jdbc:hive2://10.52.17.84:10000
mingze.yang


create role s3;
GRANT ALL ON URI 's3a://opay-bi' TO ROLE s3;
create role s3foropay;
GRANT ALL ON URI 's3a://opay-bi/opay' TO ROLE s3foropay;

create role ufile;
GRANT ALL ON URI 'ufile://opay-datalake' TO ROLE ufile;
create role ufile1;
GRANT ALL ON URI 'ufile://opay-datalake/opay/opay' TO ROLE ufile1;

create role sqoop;
GRANT ALL ON URI 'hdfs://warehourse/user/hive/warehouse' TO ROLE sqoop;
grant role sqoop to group root;

create role sqoop2;
GRANT ALL ON URI 'hdfs://10.52.23.195:8020/user/hivewarehouse' TO ROLE sqoop2;
grant role sqoop2 to group root;


DROP ROLE <role name>;

grant role ufile to group `dong.xie`;
grant role ufile to group `mingze.yang`;
grant role ufile1 to group `mingze.yang`;
grant role s3 to group `mingze.yang`;

SHOW ROLE GRANT GROUP `dong.xie`;
SHOW ROLE GRANT GROUP `mingze.yang`;

create role read;
grant select on table test to role read;
grant select on table db_test1.users1 to role read;
create role write;
grant insert on table test to role write;
grant insert on table db_test1.users1 to role write;
grant role read to group dev1;
grant role write to group dev2;
