In the CDH platform, authentication (Kerberos/LDAP) is the first step of security and authorization (Sentry) the second. To enable authorization, authentication must be enabled first. CDH does, however, provide a testing mode in which Sentry authorization is enabled without authentication. Using it on a production system is strongly discouraged: without user authentication, authorization is meaningless, because a user can log in to HiveServer2 or Impala as any superuser and no password check is performed. Note: this document applies to test environments only.
This document describes how to install, configure and use Sentry on a CDH cluster that has authentication disabled.
Overview
1. Installing the Sentry service
2. Integrating the Hive/Impala/Hue/HDFS services with Sentry
3. Testing Sentry
Test environment
1. Operating system: CentOS 6.5
2. CM and CDH version: 5.11.1
3. All operations are performed as the root user
Prerequisites
1. The CDH cluster is running normally
2. No authentication service (Kerberos or LDAP) is enabled on the cluster
2. Sentry Installation
1. Create the sentry database in MySQL
DDL statements:
create database sentry default character set utf8;
CREATE USER 'sentry'@'%' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON sentry.* TO 'sentry'@'%';
FLUSH PRIVILEGES;
From the MySQL command line:
[root@ip-172-31-6-148 527-hive-HIVEMETASTORE]# mysql -uroot -p
Enter password:
...
mysql> create database sentry default character set utf8;
Query OK, 1 row affected (0.00 sec)
mysql> CREATE USER 'sentry'@'%' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON sentry.* TO 'sentry'@'%';
Query OK, 0 rows affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql>
2. Open the Cloudera Manager console and click "Add Service"
3. The service-addition page opens
4. Select the Sentry service and click "Continue"
5. Select the nodes for the Sentry Server and the Gateway and click "Continue". Note that the user and database must already have been created in MySQL
6. Enter the database information for the Sentry service, click "Test Connection", and once the test passes click "Continue"
7. Wait for the service to install successfully and click "Continue"
8. Click "Finish"; the Sentry service is now installed.
3. Sentry Configuration
3.1 Hive configuration
1. Configure Hive to use the Sentry service
2. Disable HiveServer2 user impersonation
3. Because the cluster has no security authentication enabled, the following parameter must also be set:
<property>
  <name>sentry.hive.testing.mode</name>
  <value>true</value>
</property>
3.2 Impala configuration
Configure Impala to integrate with Sentry
3.3 Hue configuration
Configure Hue to integrate with Sentry
3.4 HDFS configuration
Configure HDFS to enable ACLs and synchronize Sentry permissions
After completing the configuration above, return to the Cloudera Manager home page, deploy the client configuration and restart the affected services.
4. Sentry Testing
4.1 Create a Hive superuser
1. Connect to HiveServer2 with beeline and log in as the hive user
[root@ip-172-31-6-148 ~]# beeline
Beeline version 1.1.0-cdh5.12.0 by Apache Hive
beeline> !connect jdbc:hive2://localhost:10000
Enter username for jdbc:hive2://localhost:10000: hive
Enter password for jdbc:hive2://localhost:10000:
Connected to: Apache Hive (version 1.1.0-cdh5.12.0)
Driver: Hive JDBC (version 1.1.0-cdh5.12.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://localhost:10000>
Note: the highlighted text is the hive username that was entered; that username is not actually verified.
2. Create an admin role
0: jdbc:hive2://localhost:10000> create role admin;
...
INFO : OK
No rows affected (2.52 seconds)
0: jdbc:hive2://localhost:10000>
3. Grant the admin role full privileges
0: jdbc:hive2://localhost:10000> grant all on server server1 to role admin;
...
INFO : OK
No rows affected (0.221 seconds)
0: jdbc:hive2://localhost:10000>
4.2 Create the test table
Log in to beeline as the hive user, create a table named test and insert test data
0: jdbc:hive2://localhost:10000> create table test (s1 string, s2 string) row format delimited fields terminated by ',';
...
INFO : OK
No rows affected (0.592 seconds)
0: jdbc:hive2://localhost:10000> insert into test values('a','b'),('1','2');
...
INFO : OK
No rows affected (20.123 seconds)
0: jdbc:hive2://localhost:10000>
4.3 Create test roles and grant them to user groups
Create two roles:
read: may only read the test table in the default database; granted to the fayson group
write: may only write to the test table in the default database; granted to the user_w group
Note: the fayson and user_w users must exist on every node of the cluster. A user's default group has the same name as the user, and privileges are granted to groups, not to users.
[root@ip-172-31-6-148 cdh-shell-master]# id fayson
[root@ip-172-31-6-148 cdh-shell-master]# useradd fayson
[root@ip-172-31-6-148 cdh-shell-master]# id fayson
uid=501(fayson) gid=501(fayson) groups=501(fayson)
[root@ip-172-31-6-148 cdh-shell-master]# useradd user_w
[root@ip-172-31-6-148 cdh-shell-master]# id user_w
uid=502(user_w) gid=502(user_w) groups=502(user_w)
[root@ip-172-31-6-148 cdh-shell-master]#
1. As the hive user, create the read and write roles, grant the read role SELECT on the test table and the write role INSERT on the test table
0: jdbc:hive2://localhost:10000> create role read;
...
INFO : OK
No rows affected (0.094 seconds)
0: jdbc:hive2://localhost:10000> grant select on table test to role read;
INFO : OK
No rows affected (0.1 seconds)
0: jdbc:hive2://localhost:10000> create role write;
...
INFO : OK
No rows affected (0.105 seconds)
0: jdbc:hive2://localhost:10000> grant insert on table test to role write;
...
INFO : OK
No rows affected (0.112 seconds)
0: jdbc:hive2://localhost:10000>
2. Grant the read role to the fayson group and the write role to the user_w group
0: jdbc:hive2://localhost:10000> grant role read to group fayson;
...
INFO : OK
No rows affected (0.187 seconds)
0: jdbc:hive2://localhost:10000> grant role write to group user_w;
...
INFO : OK
No rows affected (0.101 seconds)
0: jdbc:hive2://localhost:10000>
4.4 Beeline verification
1. Log in to beeline as the fayson user and verify
[root@ip-172-31-6-148 ~]# beeline
Beeline version 1.1.0-cdh5.12.0 by Apache Hive
beeline> !connect jdbc:hive2://localhost:10000
scan complete in 2ms
Connecting to jdbc:hive2://localhost:10000
Enter username for jdbc:hive2://localhost:10000: fayson
Enter password for jdbc:hive2://localhost:10000:
Connected to: Apache Hive (version 1.1.0-cdh5.12.0)
Driver: Hive JDBC (version 1.1.0-cdh5.12.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://localhost:10000> show tables;
...
INFO : OK
+-----------+--+
| tab_name  |
+-----------+--+
| test      |
+-----------+--+
1 row selected (0.351 seconds)
0: jdbc:hive2://localhost:10000> select * from test;
...
INFO : OK
+----------+----------+--+
| test.s1  | test.s2  |
+----------+----------+--+
| a        | b        |
| 1        | 2        |
+----------+----------+--+
2 rows selected (0.24 seconds)
0: jdbc:hive2://localhost:10000>
0: jdbc:hive2://localhost:10000> insert into test values("2", "222");
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User fayson does not have privileges for QUERY
 The required privileges: Server=server1->Db=default->Table=test->action=insert; (state=42000,code=40000)
0: jdbc:hive2://localhost:10000>
2. Log in to beeline as the user_w user and verify
[root@ip-172-31-6-148 ~]# beeline
Beeline version 1.1.0-cdh5.12.0 by Apache Hive
beeline> !connect jdbc:hive2://localhost:10000
scan complete in 2ms
Connecting to jdbc:hive2://localhost:10000
Enter username for jdbc:hive2://localhost:10000: user_w
Enter password for jdbc:hive2://localhost:10000:
Connected to: Apache Hive (version 1.1.0-cdh5.12.0)
Driver: Hive JDBC (version 1.1.0-cdh5.12.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://localhost:10000> show tables;
INFO : OK
+-----------+--+
| tab_name  |
+-----------+--+
| test      |
+-----------+--+
1 row selected (0.365 seconds)
0: jdbc:hive2://localhost:10000> select * from test;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User user_w does not have privileges for QUERY
 The required privileges: Server=server1->Db=default->Table=test->Column=s1->action=select; (state=42000,code=40000)
0: jdbc:hive2://localhost:10000> insert into test values("2", "333");
...
INFO : Completed executing command(queryId=hive_20170902183535_56bcd189-544a-453f-9752-e40a9fed60c5); Time taken: 17.762 seconds
INFO : OK
No rows affected (18.035 seconds)
0: jdbc:hive2://localhost:10000>
Summary of the verification:
The fayson user belongs to the fayson group, which holds read privilege on the test table, so it can only select and count on test and cannot insert.
The user_w user belongs to the user_w group, which holds write privilege on the test table, so it can only insert into test and cannot select or count.
4.5 HDFS verification
1. Switch to the fayson user and browse and read the /user/hive/warehouse/test data directory and its files
[root@ip-172-31-6-148 ~]# su fayson
[fayson@ip-172-31-6-148 root]$ cd /home/fayson/
[fayson@ip-172-31-6-148 ~]$ ll
total 4
-rw-rw-r-- 1 fayson fayson 19 Sep 5 12:55 test.txt
[fayson@ip-172-31-6-148 ~]$ hadoop fs -ls /user/hive/warehouse
ls: Permission denied: user=fayson, access=READ_EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
[fayson@ip-172-31-6-148 ~]$ hadoop fs -ls /user/hive/warehouse/test
Found 1 items
-rwxrwx--x+ 3 hive hive 8 2017-09-05 12:52 /user/hive/warehouse/test/000000_0
[fayson@ip-172-31-6-148 ~]$ hadoop fs -cat /user/hive/warehouse/test/000000_0
a,b
1,2
[fayson@ip-172-31-6-148 ~]$ hadoop fs -put test.txt /user/hive/warehouse/test
put: Permission denied: user=fayson, access=WRITE, inode="/user/hive/warehouse/test":hive:hive:drwxrwx--x
[fayson@ip-172-31-6-148 ~]$
2. Switch to the user_w user and browse and read the /user/hive/warehouse/test data directory and its files
[root@ip-172-31-6-148 ~]# su user_w
[user_w@ip-172-31-6-148 root]$ cd /home/user_w/
[user_w@ip-172-31-6-148 ~]$ cat test.txt
333,5555
eeee,dddd
[user_w@ip-172-31-6-148 ~]$ hadoop fs -ls /user/hive/warehouse
ls: Permission denied: user=user_w, access=READ_EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
[user_w@ip-172-31-6-148 ~]$ hadoop fs -ls /user/hive/warehouse/test
ls: Permission denied: user=user_w, access=READ_EXECUTE, inode="/user/hive/warehouse/test":hive:hive:drwxrwx--x
[user_w@ip-172-31-6-148 ~]$ hadoop fs -put test.txt /user/hive/warehouse/test
[user_w@ip-172-31-6-148 ~]$
Summary of the test:
The fayson user belongs to the fayson group, which holds only read privilege on the test table. fayson therefore cannot list any directory under /user/hive/warehouse other than test (including the parent directory itself) and cannot put files into the test directory; it can only browse and read the files under test.
The user_w user belongs to the user_w group, which holds only write privilege on the test table. user_w therefore cannot list any directory under /user/hive/warehouse (including the parent directory) and has only the permission to put files into the test directory. This shows that Sentry is synchronizing its privileges to HDFS ACLs.
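As an added example (not Sentry or HDFS code), the following Python models what the listings above show: the ACL entries the Sentry HDFS sync places on the table directory and its data file, and the POSIX-style check HDFS then runs for ls, cat and put. The privilege-to-permission mapping (SELECT r-x, INSERT -wx, ALL rwx) and an all-permissive ACL mask are assumptions consistent with the output above.

```python
"""Model of the Sentry-to-HDFS ACL sync verified in section 4.5 (constructed example,
not Sentry or HDFS source). Assumed mapping, consistent with the listings above:
SELECT -> r-x, INSERT -> -wx, ALL -> rwx on the table directory and its files."""

PRIV_TO_PERM = {"select": "r-x", "insert": "-wx", "all": "rwx"}

def synced_acl(group_privs):
    """Named-group ACL entries the sync adds for {group: sentry privilege}."""
    return {g: PRIV_TO_PERM[p] for g, p in group_privs.items()}

def _union(perms):
    return "".join("rwx"[i] if any(p[i] != "-" for p in perms) else "-" for i in range(3))

class Inode:
    def __init__(self, owner, group, mode, acl=None, parent=None):
        self.owner, self.group, self.mode = owner, group, mode
        self.acl, self.parent = acl or {}, parent

    def effective(self, user, groups):
        """POSIX ACL order: owner bits, else union of matching group entries, else other bits."""
        if user == self.owner:
            return self.mode[0:3]
        grp = [self.acl[g] for g in groups if g in self.acl]
        if self.group in groups:
            grp.append(self.mode[3:6])
        return _union(grp) if grp else self.mode[6:9]

def allowed(inode, user, groups, needed):
    """needed is an FsAction: 'r-x' READ_EXECUTE, 'r--' READ, '-w-' WRITE, '--x' EXECUTE."""
    eff = inode.effective(user, groups)
    return all(n == "-" or n == e for n, e in zip(needed, eff))

# Tree from the listings: the warehouse dir has no ACL, so non-hive users get only --x;
# the table dir and data file carry the entries synced for fayson (read) and user_w (write).
SYNCED = synced_acl({"fayson": "select", "user_w": "insert"})
WAREHOUSE = Inode("hive", "hive", "rwxrwx--x")
TEST_DIR = Inode("hive", "hive", "rwxrwx--x", SYNCED, WAREHOUSE)
TEST_FILE = Inode("hive", "hive", "rwxrwx--x", SYNCED, TEST_DIR)

def hdfs_op(op, target, user, groups):
    """EXECUTE on each ancestor to traverse, then the FsAction HDFS needs on the target."""
    needed = {"ls": "r-x", "cat": "r--", "put": "-w-"}[op]
    node = target.parent
    while node is not None:
        if not allowed(node, user, groups, "--x"):
            return "Permission denied: access=EXECUTE"
        node = node.parent
    if allowed(target, user, groups, needed):
        return "ok"
    return "Permission denied: access=" + {"r-x": "READ_EXECUTE", "r--": "READ", "-w-": "WRITE"}[needed]
```

Calling hdfs_op("ls", WAREHOUSE, ...), hdfs_op("cat", TEST_FILE, ...) and hdfs_op("put", TEST_DIR, ...) for fayson and user_w reproduces the denials and successes in the two sessions above.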
4.6 Hue verification
1. Log in to Hue as the admin user and create the fayson and user_w users
2. Log in to Hue as the fayson user
The test table can be viewed
count on the test table succeeds
With only the SELECT privilege, data cannot be inserted into the test table
File Browser verification
The /user/hive/warehouse directory cannot be browsed
The /user/hive/warehouse/test data directory, on which SELECT is held, can be browsed
All data files under /user/hive/warehouse/test can be viewed but not modified
3. Log in to Hue as the user_w user
Without the SELECT privilege, table data cannot be queried
count on the test table fails
Data can be inserted into the test table
File Browser
The parent directory of the test table's data, /user/hive/warehouse, cannot be browsed
Without SELECT, the test table's data directory /user/hive/warehouse/test cannot be browsed either
Summary of the test:
Both fayson and user_w can see the test table in the Hue UI. The fayson group, which holds the read role, can select and count on test and can browse and view the table's data directory /user/hive/warehouse/test in File Browser. The user_w group, which holds the write role, can only insert into test and cannot browse or view /user/hive/warehouse/test in File Browser. The grants made on the command line therefore remain in effect in Hue.
4.7 Impala verification
1. Test as the fayson user
On any cluster node, switch to the fayson user at the command line
[root@ip-172-31-6-148 ~]# su fayson
[fayson@ip-172-31-6-148 root]$
Run the impala-shell command
[Not connected] > connect ip-172-31-10-118.fayson.com:21000;
...
[ip-172-31-10-118.fayson.com:21000] > show tables;
Query: show tables
+------+
| name |
+------+
| test |
+------+
Fetched 1 row(s) in 0.05s
[ip-172-31-10-118.fayson.com:21000] > select * from test;
...
+----+----------+
| s1 | s2       |
+----+----------+
| 1  | tttttttt |
+----+----------+
Fetched 1 row(s) in 5.32s
[ip-172-31-10-118.fayson.com:21000] > select count(*) from test;
...
+----------+
| count(*) |
+----------+
| 1        |
+----------+
Fetched 1 row(s) in 0.14s
[ip-172-31-10-118.fayson.com:21000] > insert into test values('2', 'test2');
Query: insert into test values('2', 'test2')
Query submitted at: 2017-09-11 01:37:56 (Coordinator: http://ip-172-31-10-118.fayson.com:25000)
ERROR: AuthorizationException: User 'fayson' does not have privileges to execute 'INSERT' on: default.test
[ip-172-31-10-118.fayson.com:21000] >
2. Test as the user_w user
On any cluster node, switch to the user_w user at the command line
[root@ip-172-31-6-148 ~]# su user_w
[user_w@ip-172-31-6-148 root]$ impala-shell
Run the impala-shell command and perform the following operations
[user_w@ip-172-31-6-148 root]$ impala-shell
...
[Not connected] > connect ip-172-31-10-118.fayson.com:21000;
...
Query: show tables
+------+
| name |
+------+
| test |
+------+
Fetched 1 row(s) in 0.06s
[ip-172-31-10-118.fayson.com:21000] > select * from test;
Query: select * from test
Query submitted at: 2017-09-11 01:41:17 (Coordinator: http://ip-172-31-10-118.fayson.com:25000)
ERROR: AuthorizationException: User 'user_w' does not have privileges to execute 'SELECT' on: default.test
[ip-172-31-10-118.fayson.com:21000] > select count(*) from test;
Query: select count(*) from test
Query submitted at: 2017-09-11 01:41:23 (Coordinator: http://ip-172-31-10-118.fayson.com:25000)
ERROR: AuthorizationException: User 'user_w' does not have privileges to execute 'SELECT' on: default.test
[ip-172-31-10-118.fayson.com:21000] > insert into test values('2', 'impala insert');
Query: insert into test values('2', 'impala insert')
Query submitted at: 2017-09-11 01:41:48 (Coordinator: http://ip-172-31-10-118.fayson.com:25000)
Query progress can be monitored at: http://ip-172-31-10-118.fayson.com:25000/query_plan?query_id=bd4a433465037682:77a7c3c400000000
Modified 1 row(s) in 0.71s
Summary of the verification:
Once Impala is integrated with Sentry, Sentry manages Impala privileges as well: the fayson group, which holds the read role, can only select and count on the test table and cannot insert; the user_w group, which holds the write role, can only insert into test and cannot select or count. This shows that Hive privileges are synchronized to Impala.
5. Sentry Column-Level Privilege Verification
1. Add the fayson_r user on every node of the cluster
2. Log in to beeline as the hive user
As the hive user, create the columnread role, grant it SELECT on column s1 of the test table, and grant the columnread role to the fayson_r group.
[root@ip-172-31-6-148 cdh-shell-bak]# beeline
Beeline version 1.1.0-cdh5.12.1 by Apache Hive
beeline> !connect jdbc:hive2://localhost:10000
Enter username for jdbc:hive2://localhost:10000: hive
Enter password for jdbc:hive2://localhost:10000:
Connected to: Apache Hive (version 1.1.0-cdh5.12.1)
Driver: Hive JDBC (version 1.1.0-cdh5.12.1)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://localhost:10000> create role columnread;
...
INFO : OK
No rows affected (0.225 seconds)
0: jdbc:hive2://localhost:10000> grant select(s1) on table test to role columnread;
...
INFO : OK
No rows affected (0.095 seconds)
0: jdbc:hive2://localhost:10000> grant role columnread to group fayson_r;
...
INFO : OK
No rows affected (0.091 seconds)
0: jdbc:hive2://localhost:10000>
3. Log in to beeline as the fayson_r user and test
[root@ip-172-31-6-148 cdh-shell-bak]# beeline
Beeline version 1.1.0-cdh5.12.1 by Apache Hive
beeline> !connect jdbc:hive2://localhost:10000
scan complete in 2ms
Connecting to jdbc:hive2://localhost:10000
Enter username for jdbc:hive2://localhost:10000: fayson_r
Enter password for jdbc:hive2://localhost:10000:
Connected to: Apache Hive (version 1.1.0-cdh5.12.1)
Driver: Hive JDBC (version 1.1.0-cdh5.12.1)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://localhost:10000> show tables;
...
INFO : OK
+-----------+--+
| tab_name  |
+-----------+--+
| test      |
+-----------+--+
1 row selected (0.304 seconds)
0: jdbc:hive2://localhost:10000> select * from test;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User fayson_r does not have privileges for QUERY
 The required privileges: Server=server1->Db=default->Table=test->Column=s2->action=select; (state=42000,code=40000)
0: jdbc:hive2://localhost:10000> select s1 from test;
...
INFO : OK
+-------+--+
| s1    |
+-------+--+
| a     |
| 1     |
| 111   |
| 333   |
| eeee  |
+-------+--+
5 rows selected (0.197 seconds)
0: jdbc:hive2://localhost:10000> select s2 from test;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User fayson_r does not have privileges for QUERY
 The required privileges: Server=server1->Db=default->Table=test->Column=s2->action=select; (state=42000,code=40000)
0: jdbc:hive2://localhost:10000> select count(*) from test;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User fayson_r does not have privileges for QUERY
 The required privileges: Server=server1->Db=default->Table=test->action=select; (state=42000,code=40000)
0: jdbc:hive2://localhost:10000> select count(s1) from test;
...
INFO : OK
+------+--+
| _c0  |
+------+--+
| 5    |
+------+--+
1 row selected (23.855 seconds)
0: jdbc:hive2://localhost:10000>
4. Browse the HDFS directories
[fayson_r@ip-172-31-6-148 ~]$ hadoop fs -ls /user/hive/warehouse
ls: Permission denied: user=fayson_r, access=READ_EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x
[fayson_r@ip-172-31-6-148 ~]$ hadoop fs -ls /user/hive/warehouse/test
ls: Permission denied: user=fayson_r, access=READ_EXECUTE, inode="/user/hive/warehouse/test":hive:hive:drwxrwx--x
[fayson_r@ip-172-31-6-148 ~]$
5. Log in to Hue as the admin user, create the fayson_r user, then log in as fayson_r
Summary of the test:
The fayson_r user belongs to the fayson_r group, which holds SELECT only on column s1 of the test table, so select and count work only on s1; fayson_r has no permission to browse any directory under /user/hive/warehouse. In Hue likewise, only select and count on column s1 of test are possible, and neither /user/hive/warehouse nor any of its subdirectories can be browsed.
Note: Sentry supports column-level grants only for SELECT; columns cannot be granted INSERT or ALL.
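As an added example (not code from the original post or from Sentry), the following Python models the authorization decisions exercised in sections 4.3, 4.4 and 5: roles hold privileges scoped to the Server->Db->Table->Column hierarchy, groups hold roles, and a statement is refused at the first required privilege that no role of the user's groups covers. The names server1, default, test, s1 and the three test users come from the page; the request shapes (one SELECT per referenced column, a table-level SELECT for count(*)) are inferred from the error messages above.

```python
"""Model of the Sentry checks in sections 4.3, 4.4 and 5 (constructed example,
not Sentry source). A privilege is (server, db, table, column, action); None
means 'not scoped to this level', so the admin grant is ('server1', None, None, None, 'all')."""

ROLE_PRIVS = {"admin": [("server1", None, None, None, "all")],
              "read": [("server1", "default", "test", None, "select")],
              "write": [("server1", "default", "test", None, "insert")]}
GROUP_ROLES = {"fayson": ["read"], "user_w": ["write"], "fayson_r": ["columnread"]}
USER_GROUPS = {u: [u] for u in ("fayson", "user_w", "fayson_r")}  # gid name == user name, as on the page

def grant(role, priv):
    """Sentry accepts column scope only for SELECT (note at the end of section 5)."""
    if priv[3] is not None and priv[4] != "select":
        raise ValueError("column-level privileges are only supported for SELECT")
    ROLE_PRIVS.setdefault(role, []).append(priv)

grant("columnread", ("server1", "default", "test", "s1", "select"))  # section 5, step 2

def _covers(held, required):
    """Scoped levels must match; the first None in the held privilege implies all beneath it."""
    for h, r in zip(held[:4], required[:4]):
        if h is None:
            break
        if h != r:
            return False
    return held[4] in ("all", required[4])

def _held(user):
    roles = [r for g in USER_GROUPS.get(user, []) for r in GROUP_ROLES.get(g, [])]
    return [h for r in roles for h in ROLE_PRIVS.get(r, [])]

def fmt(p):
    parts = [f"{k}={v}" for k, v in zip(("Server", "Db", "Table", "Column"), p) if v]
    return "->".join(parts + [f"action={p[4]}"])

def check_query(user, required):
    """None when every required privilege is held, else the first refusal,
    worded like the HiveServer2 errors quoted on the page."""
    for req in required:
        if not any(_covers(h, req) for h in _held(user)):
            return (f"No valid privileges User {user} does not have privileges "
                    f"for QUERY The required privileges: {fmt(req)};")
    return None

# What the page's statements require: one SELECT per referenced column,
# table-level SELECT for count(*), table-level INSERT for insert.
def select_cols(*cols):
    return [("server1", "default", "test", c, "select") for c in cols]
COUNT_STAR = [("server1", "default", "test", None, "select")]
INSERT = [("server1", "default", "test", None, "insert")]
```

check_query("fayson_r", select_cols("s1", "s2")) returns the Column=s2 refusal seen in step 3 above, while check_query("fayson_r", COUNT_STAR) returns the table-level one.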
6. Notes
When verifying grants with beeline, only a username was entered and no user credentials were checked. On a cluster without an authentication service, the Sentry configuration in this document is suitable only for test environments, not for production.
Once Sentry is enabled on the cluster, disabling the Hive CLI is recommended, because Sentry cannot manage Hive CLI privileges. In a non-secure environment, however, hadoop.proxyuser.hive.groups cannot be used to restrict which user groups may access it.
7. Hive Grant Reference
7.1 Creating and dropping roles
create role test;
drop role test;
7.2 Granting and revoking privileges for roles
Granting a table to a role
grant select on table test_table to role role_name;
revoke select on table test_table from role role_name;
Granting columns to a role
grant select(column1,column2) on table test_table to role role_name;
revoke select(column1,column2) on table test_table from role role_name;
7.3 Granting and revoking roles for groups
grant role role_name to group user_group;
revoke role role_name from group user_group;
Note: Sentry grants privileges to user groups, not to individual users.
8. Common Problems
A role cannot be created and the following exception is raised:
0: jdbc:hive2://localhost:10000> create role admin;
Error: Error while compiling statement: FAILED: InvalidConfigurationException hive.server2.authentication can't be none in non-testing mode (state=42000,code=40000)
0: jdbc:hive2://localhost:10000>
Cause: the cluster does not have Kerberos enabled, so sentry.hive.testing.mode must be set to true.
Solution: apply step 3 of section 3.1.