【總結】Apache Sentry 服務簡介

    Sentry是一個RPC服務，將認證元數據信息存儲在關係型數據庫，並提供RPC接口檢索和操作權限。利用Kerveros支持安全訪問。Sentry Service通過後臺數據庫存儲提供認證元數據信息，不處理真實的權限驗證，當Hive,Impala等服務的配置使用Sentry權限的時候，Hive，Impala只作爲Sentry的client。

    最早的Sentry是使用policy file配置權限，逐漸版本升級過程中，目前採用關係型數據庫存儲權限角色等。使用新的Sentry服務相比於舊的policy file能夠更容易處理用戶權限，新的Sentry服務提供了更傳統的 GRANT/REVOKE語句修改權限。

早版本Sentry中的策略文件policy file:

[groups] 
manager = customers_insert_role, 
customers_select_role
analyst = customers_select_role 
[roles] 
customers_insert_role = server=server1->db=customers->table=*->action=insert 
customers_select_role = server=server1->db=customers->table=*->action=select

Sentry歷史版本功能：

• Sentry with policy files is added in CDH 5.1.0.

• Sentry with config support is added in CDH 5.5.0.

• Sentry with database-backed Sentry service is added with CDH 5.8.0.

---

Sentry中基礎名詞：

1.object Sentry認證規則所保護的一個對象，包括 server, database, table, URI, collection, and config

2.role 訪問給定object的規則集合

3.privilege 包括insert select update等

4.user 來自於能夠訪問Sentry服務的一個認證系統用戶，user可以是Kerberos的principal, LDAP的userid，或其他認證系統的標識

5.group 組，一個或者多個用戶的集合，Sentry中將role分配給group，一個組就相應擔當某個角色

6.A configured group provider determines a user’s affiliation with a group. The current release supports HDFS-backed groups and locally configured groups.

Privilege	Object
INSERT	DB, TABLE
SELECT	SERVER, DB, TABLE, COLUMN
UPDATE	COLLECTION, CONFIG
QUERY	COLLECTION, CONFIG
ALL	SERVER, TABLE, DB, URI, COLLECTION, CONFIG

---

Sentry權限模型：

Sentry使用基於角色權限模型，有如下特徵

1、允許所有用戶執行show functions，show locks等

2、允許用戶看到那些有權限的tables,databases,collections，configs等

3、HiveQL執行例如LOAD，IMPORT等操作，需要用戶有相應URI的權限

4、賦予一個URI某個權限，其子目錄也遞歸賦予這個權限，所以只需將權限grant給一個父目錄

5、CDH 5.5引入Column級別的訪問控制，之前版本的如果要控制到列級別訪問，使用View，創建一個只包含有訪問權限Column的View

Tips

    Hive中使用Sentry的時候，必須使用Beeline方式執行查詢，Hive Cli方式不支持Sentry

---

Hive On Sentry中Object層級結構關係

權限能夠賦予層級中的不同的object，一個權限如果賦予層級中一個object，則這個object子層級中的object繼承這個權限。

比如賦予DATABASE的SELECT權限給用戶A，則用戶A擁有DATABASE下所有Object的SELECT權限

權限類型和Object的對應關係

Privilege	Object
INSERT	DB, TABLE
SELECT	DB, TABLE, VIEW, COLUMN
ALL	SERVER, TABLE, DB, URI

權限層級

Base Object	Granular privileges on object	Container object that contains the base object	Privileges on container object that implies privileges on the base object
DATABASE	ALL	SERVER	ALL
TABLE	INSERT	DATABASE	ALL
TABLE	SELECT	DATABASE	ALL
COLUMN	SELECT	DATABASE	ALL
VIEW	SELECT	DATABASE	ALL

Hive&Impala操作權限表

Operation	Scope	Privileges Required	URI
CREATE DATABASE	SERVER	ALL
DROP DATABASE	DATABASE	ALL
CREATE TABLE	DATABASE	ALL
DROP TABLE	TABLE	ALL
CREATE VIEW-This operation is allowed if you have column-level SELECTaccess to the columns being used.	DATABASE; SELECT on TABLE;	ALL
ALTER VIEW-This operation is allowed if you have column-level SELECTaccess to the columns being used.	VIEW/TABLE	ALL
DROP VIEW	VIEW/TABLE	ALL
ALTER TABLE .. ADD COLUMNS	TABLE	ALL
ALTER TABLE .. REPLACE COLUMNS	TABLE	ALL
ALTER TABLE .. CHANGE column	TABLE	ALL
ALTER TABLE .. RENAME	TABLE	ALL
ALTER TABLE .. SET TBLPROPERTIES	TABLE	ALL
ALTER TABLE .. SET FILEFORMAT	TABLE	ALL
ALTER TABLE .. SET LOCATION	TABLE	ALL	URI
ALTER TABLE .. ADD PARTITION	TABLE	ALL
ALTER TABLE .. ADD PARTITION location	TABLE	ALL	URI
ALTER TABLE .. DROP PARTITION	TABLE	ALL
ALTER TABLE .. PARTITION SET FILEFORMAT	TABLE	ALL
SHOW CREATE TABLE	TABLE	SELECT/INSERT
SHOW PARTITIONS	TABLE	SELECT/INSERT
SHOW TABLES-Output includes all the tables for which the user has table-level privileges and all the tables for which the user has some column-level privileges.	TABLE	SELECT/INSERT
SHOW GRANT ROLE-Output includes an additional field for any column-level privileges.	TABLE	SELECT/INSERT
DESCRIBE TABLE-Output shows all columns if the user has table level-privileges or SELECT privilege on at least one table column	TABLE	SELECT/INSERT
LOAD DATA	TABLE	INSERT	URI
SELECT-You can grant the SELECT privilege on a view to give users access to specific columns of a table they do not otherwise have access to. -See Column-level Authorization for details on allowed column-level operations.	VIEW/TABLE; COLUMN	SELECT
INSERT OVERWRITE TABLE	TABLE	INSERT
CREATE TABLE .. AS SELECT-This operation is allowed if you have column-level SELECTaccess to the columns being used.	DATABASE; SELECT on TABLE	ALL
USE <dbName>	Any
CREATE FUNCTION	SERVER	ALL
ALTER TABLE .. SET SERDEPROPERTIES	TABLE	ALL
ALTER TABLE .. PARTITION SET SERDEPROPERTIES	TABLE	ALL
Hive-Only Operations
INSERT OVERWRITE DIRECTORY	TABLE	INSERT	URI
Analyze TABLE	TABLE	SELECT + INSERT
IMPORT TABLE	DATABASE	ALL	URI
EXPORT TABLE	TABLE	SELECT	URI
ALTER TABLE TOUCH	TABLE	ALL
ALTER TABLE TOUCH PARTITION	TABLE	ALL
ALTER TABLE .. CLUSTERED BY SORTED BY	TABLE	ALL
ALTER TABLE .. ENABLE/DISABLE	TABLE	ALL
ALTER TABLE .. PARTITION ENABLE/DISABLE	TABLE	ALL
ALTER TABLE .. PARTITION.. RENAME TO PARTITION	TABLE	ALL
MSCK REPAIR TABLE	TABLE	ALL
ALTER DATABASE	DATABASE	ALL
DESCRIBE DATABASE	DATABASE	SELECT/INSERT
SHOW COLUMNS-Output for this operation filters columns to which the user does not have explicit SELECT access	TABLE	SELECT/INSERT
CREATE INDEX	TABLE	ALL
DROP INDEX	TABLE	ALL
SHOW INDEXES	TABLE	SELECT/INSERT
GRANT PRIVILEGE	Allowed only for Sentry admin users
REVOKE PRIVILEGE	Allowed only for Sentry admin users
SHOW GRANT	Allowed only for Sentry admin users
SHOW TBLPROPERTIES	TABLE	SELECT/INSERT
DESCRIBE TABLE .. PARTITION	TABLE	SELECT/INSERT
ADD JAR	Not Allowed
ADD FILE	Not Allowed
DFS	Not Allowed
Impala-Only Operations
EXPLAIN	TABLE; COLUMN	SELECT
INVALIDATE METADATA	SERVER	ALL
INVALIDATE METADATA <table name>	TABLE	SELECT/INSERT
REFRESH <table name> or REFRESH <table name> PARTITION (<partition_spec>)	TABLE	SELECT/INSERT
DROP FUNCTION	SERVER	ALL
COMPUTE STATS	TABLE	ALL

通過HUE管理Sentry:http://10120275.blog.51cto.com/10110275/1956777