hive集成sentry

原创
2017/05/08 09:46
阅读数 2.1K

##1、安装配置sentry 详细步骤见上一篇安装配置sentry

##2、配置hive ###2.1 Hive-server2集成Sentry 在 /etc/hive/conf/hive-site.xml中添加:

<property>
   <name>hive.security.authorization.task.factory</name>
   <value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value>
</property>
<property>
   <name>hive.server2.session.hook</name>
   <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
</property>
<property>
   <name>hive.sentry.conf.url</name>
   <value>file:///etc/hive/conf/sentry-site.xml</value>
</property>

在/etc/hive/conf目录下创建sentry.xml文件,并添加:

<property>
    <name>hive.sentry.server</name>
    <value>Sentry_HOSTNAME</value>
</property>
<property>
    <name>sentry.service.security.mode</name>
    <value>none</value>
</property>
<property>
    <name>sentry.hive.provider.backend</name>
    <value>org.apache.sentry.provider.db.SimpleDBProviderBackend</value>
</property>
<property>
    <name>sentry.service.client.server.rpc-address</name>
    <value>Sentry_HOSTNAME</value>
</property>
<property>
    <name>sentry.service.client.server.rpc-port</name>
    <value>8038</value>
</property>
<property>
    <name>sentry.service.client.server.rpc-connection-timeout</name>
    <value>200000</value>
</property>
<property>
    <name>hive.sentry.provider</name>
    <value>org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider</value>
</property>
<property>
    <name>hive.sentry.failure.hooks</name>
    <value>com.cloudera.navigator.audit.hive.HiveSentryOnFailureHook</value>
</property>
<property>
    <name>sentry.hive.testing.mode</name>
     <value>true</value>
</property>

###2.2 Hive Metastore集成Sentry 在 /etc/hive/conf/hive-site.xml中添加:

<property>
<name>hive.metastore.filter.hook</name>
<value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
</property>

<property>  
    <name>hive.metastore.pre.event.listeners</name>  
    <value>org.apache.sentry.binding.metastore.MetastoreAuthzBinding</value>  
    <description>list of comma separated listeners for metastore events.</description>
</property>

<property>
    <name>hive.metastore.event.listeners</name>  
    <value>org.apache.sentry.binding.metastore.SentryMetastorePostEventListener</value>  
    <description>list of comma separated listeners for metastore, post events.</description>
</property>

###2.3重启hive 先将sentry相关的jar包拷到hive的home目录下的lib目录下:

cp /usr/lib/sentry/lib/sentry-*.jar /usr/lib/hive/lib/
cp /usr/lib/sentry/lib/shiro-*.jar /usr/lib/hive/lib/
/etc/init.d/hive-server2 restart

##3、测试 使用hive用户连接beeline:

beeline> !connect jdbc:hive2://10.205.58.36:10000
scan complete in 3ms
Connecting to jdbc:hive2://10.205.58.36:10000
Enter username for jdbc:hive2://10.205.58.36:10000: hive
Enter password for jdbc:hive2://10.205.58.36:10000: 

查看数据库:

0: jdbc:hive2://10.205.58.36:10000> show databases;
+----------------+--+
| database_name  |
+----------------+--+
| app            |
| default        |
| hbase          |
| tmp            |
| web            |
+----------------+--+

现在以一个简单的需求来做一个权限分配示例: hive属于admin role,对所有数据库有all权限; etl属于etl role,对app,web库有select权限; analyst属于analyst role,对hhbase库有select权限;

首先在系统中创建etl、analyst用户和组,hive已默认存在:

useradd etl
useradd analyst

hive连接beeline创建role并赋权:

 jdbc:hive2://10.205.58.36:10000> CREATE ROLE admin;
 jdbc:hive2://10.205.58.36:10000> GRANT ROLE admin TO GROUP hive;
 jdbc:hive2://10.205.58.36:10000> GRANT ALL ON server SentryHostname to role admin;
 jdbc:hive2://10.205.58.36:10000> 
 jdbc:hive2://10.205.58.36:10000> CREATE ROLE etl; 
 jdbc:hive2://10.205.58.36:10000> GRANT ROLE etl TO GROUP etl;
 jdbc:hive2://10.205.58.36:10000>GRANT SELECT ON DATABASE app TO ROLE etl;GRANT SELECT ON DATABASE web TO ROLE etl;
......

hive属于admin角色,具有管理员权限,可以查看所有角色:

0: jdbc:hive2://10.205.58.36:10000> show roles;
+----------+--+
|   role   |
+----------+--+
| etl      |
| analyst  |
| admin    |
+----------+--+

查看所有权限:

0: jdbc:hive2://10.205.58.36:10000> SHOW GRANT ROLE admin;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *         |        |            |         | admin           | ROLE            | *          | false         | 1493962544757000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

以etl用户连接beeline:

beeline> !connect jdbc:hive2://10.205.58.36:10000
scan complete in 2ms
Connecting to jdbc:hive2://10.205.58.36:10000
Enter username for jdbc:hive2://10.205.58.36:10000: etl
Enter password for jdbc:hive2://10.205.58.36:10000: 

etl用户只能看到default、app、web库:

0: jdbc:hive2://10.205.58.36:10000> show databases;
+----------------+--+
| database_name  |
+----------------+--+
| app            |
| default        |
| web            |
+----------------+--+

etl属于普通角色,不能看到所有角色,可以查看当前的角色。

0: jdbc:hive2://10.205.58.36:10000> show roles;
ERROR : Error processing Sentry command: Access denied to etl.Please grant admin privilege to etl.
ERROR : FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: Access denied to etl
INFO  : Completed executing command(queryId=hive_20170505180707_737ce3c6-aade-4785-98a7-b66dda4f982f); Time taken: 0.009 seconds
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: Access denied to etl (state=08S01,code=1)


0: jdbc:hive2://10.205.58.36:10000> show current roles;
+-------+--+
| role  |
+-------+--+
| etl   |
+-------+--+

查看其所有的权限:

0: jdbc:hive2://10.205.58.36:10000> SHOW GRANT ROLE etl;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| app       |        |            |         | etl             | ROLE            | select     | false         | 1493965736909000  | --       |
| web       |        |            |         | etl             | ROLE            | select     | false         | 1493965737148000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
展开阅读全文
打赏
2
8 收藏
分享
加载中
楼主能不能加个qq问个问题啊
2018/06/04 15:03
回复
举报
get
2017/05/08 14:29
回复
举报
更多评论
打赏
2 评论
8 收藏
2
分享
返回顶部
顶部