背景:
1、Apache Sentry是Cloudera公司發佈的一個Hadoop開源組件,它提供了細粒度級、基於角色的授權以及多租戶的管理模式,
2、Sentry當前可以和Hive/Hcatalog、Apache Solr 和Cloudera Impala集成, 爲這些組件提供權限管理服務。
3、基於角色的管理(role-based acess control)通過創建角色,將每個組件的權限授予給此角色,然後在用戶(組)中添加此角色,用戶便具備此角色訪問組件的權限,
4、使用sentry對hive進行權限管理時,這裏的組件可以是整個server,也可以是單個db,或者單張table.
測試如下:
1.1 查看全部數據庫
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "show databases;"
我嘗試的先創建一個庫 報錯如下:
[hadoop@uhadoop-4wvgxxla-master2 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "create database test;"
Transaction isolation: TRANSACTION_REPEATABLE_READ
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User hive does not have privileges for CREATEDATABASE 用戶配置單元沒有CREATEDATABASE的特權
The required privileges: Server=uhadoop-4wvgxxla-master1->action=create->grantOption=false; (state=42000,code=40000)
Closing: 0: jdbc:hive2://uhadoop-4wvgxxla-master2:10000
1.2 查看全部角色
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "show roles;"
Transaction isolation: TRANSACTION_REPEATABLE_READ
+-------+
| role |
+-------+
+-------+
No rows selected (1.151 seconds)
Beeline version 2.3.3 by Apache Hive
Closing: 0: jdbc:hive2://uhadoop-4wvgxxla-master2:10000
// 用戶角色爲空
1.3 查看當前角色
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "show current roles;"
Driver: Hive JDBC (version 2.3.3)
Transaction isolation: TRANSACTION_REPEATABLE_READ
+-------+
| role |
+-------+
+-------+
No rows selected (0.446 seconds)
Beeline version 2.3.3 by Apache Hive
Closing: 0: jdbc:hive2://uhadoop-4wvgxxla-master2:10000
// 顯示當前沒有任何的角色
1.4 查看當前用戶
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "select current_user();"
Driver: Hive JDBC (version 2.3.3)
Transaction isolation: TRANSACTION_REPEATABLE_READ
+-------+
| _c0 |
+-------+
| hive |
+-------+
1 row selected (1.124 seconds)
Beeline version 2.3.3 by Apache Hive
Closing: 0: jdbc:hive2://uhadoop-4wvgxxla-master2:10000
// 當前操作hiveserver2的用戶是hive
- hive用戶授予管理員權限
2.1 創建管理員角色admin
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "CREATE ROLE admin;"
2.2 爲admin角色授予全部server權限
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive // 進入到hiveserver2的內部之後執行如下:
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> grant all on server uhadoop-4wvgxxla-master1 to role admin;
No rows affected (0.491 seconds)
2.3 爲hive用戶賦予admin角色
//經過這一步,hive用戶已經可以作爲管理員用戶執行全部數據和權限操作。
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "GRANT ROLE admin TO GROUP hive;"
create table student(
Sno char(9) COMMENT '用戶ID',
Sname char(20) ,
Ssex char(2),
Sage int,
Sdept char(20)
);
insert into student values(200215121,'李勇','男',20,'CS');
沒有出現中文亂碼的問題,請測
驗證方式需要:
show create table xxx;
desc xxx;
desc formatted xxx;
查看3種方式是不是都沒有中文亂碼的問題
- 創建測試數據庫(使用hive用戶創建)
3.1 創建測試db1,db2
//使用管理員用戶登陸,創建db1,db2兩個數據庫。
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "create database db1;create database db2;"
// 創建測試表,並插入數據
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "create table db1.t1(id string);"
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "insert into db1.t1 values ('t1_001'),('t1_002');"
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "create table db2.t2(id string);"
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "insert into db2.t2 values ('t2_001'),('t2_002');"
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> use db1;
No rows affected (0.173 seconds)
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show tables;
+-----------+
| tab_name |
+-----------+
| t1 |
+-----------+
1 row selected (0.208 seconds)
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> select * from t1;
+---------+
| t1.id |
+---------+
| t1_001 |
| t1_002 |
+---------+
2 rows selected (0.294 seconds)
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> select * from db2.t2;
+---------+
| t2.id |
+---------+
| t2_001 |
| t2_002 |
+---------+
2 rows selected (0.304 seconds)
3.2 master1,master2節點上創建linux測試用戶user1, user2
useradd -M -s /sbin/nologin user1
useradd -M -s /sbin/nologin user2
cat /etc/passwd
user1:x:1004:1005::/home/user1:/sbin/nologin
user2:x:1005:1006::/home/user2:/sbin/nologin
3.3 hive中創建兩個角色,分別授予不同的角色權限
//創建角色role1, 授予其對db1的管理權限
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "CREATE ROLE role1;"
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "grant all on database db1 to role role1 with grant option;"
//創建角色role2, 授予其對db2的管理權限
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "CREATE ROLE role2;"
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "grant all on database db2 to role role2 with grant option;"
// show grant role role1; (查看role1角色的權限列表)
// show grant role role2; (查看role2角色的權限列表)
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show grant role role1;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| db1 | | | | role1 | ROLE | | true | 1583739035000 | -- |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
1 row selected (0.215 seconds)
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show grant role role2;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| db2 | | | | role2 | ROLE | | true | 1583739057000 | -- |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
1 row selected (0.119 seconds)
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show grant role admin;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| | | | | admin | ROLE | | false | 1583737318000 | -- |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
1 row selected (0.131 seconds)
3.4 管理員用戶登陸hive,爲兩個用戶賦予不同的角色
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "GRANT ROLE role1 TO GROUP user1;"
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "GRANT ROLE role2 TO GROUP user2;"
// show role grant group user1 (查看user1的角色列表)
// show role grant group user2(查看user2的角色列表)
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show role grant group user1;
+--------+---------------+-------------+----------+
| role | grant_option | grant_time | grantor |
+--------+---------------+-------------+----------+
| role1 | false | 0 | -- |
+--------+---------------+-------------+----------+
1 row selected (0.144 seconds)
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show role grant group user2;
+--------+---------------+-------------+----------+
| role | grant_option | grant_time | grantor |
+--------+---------------+-------------+----------+
| role2 | false | 0 | -- |
+--------+---------------+-------------+----------+
1 row selected (0.125 seconds)
4 使用user1, user2用戶登陸,驗證權限隔離
//user1登陸,只能看到db1數據庫
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user1 -e "show databases;"
// user2用戶登陸,只能看到db2數據庫
beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "show databases;"
- 其他使用測試
5.1 將role從角色中剔除
REVOKE ROLE role1 FROM GROUP user1;
刪除role
//先查看角色列表
show roles
// 刪除角色
drop role role2;
角色權限撤銷
// 先查看角色當前授權信息
show grant role role1;
// 將db1的操作權限從role1撤銷
revoke all on database db1 from role role1;
授權語句說明:
角色授權和撤銷
GRANT ROLE role_name [, role_name] TO GROUP <groupName> [,GROUP <groupName>]
REVOKE ROLE role_name [, role_name] FROM GROUP <groupName> [,GROUP <groupName>]
權限的授予和撤銷
GRANT <PRIVILEGE> [, <PRIVILEGE> ] ON <OBJECT> <object_name> TO ROLE <roleName> [,ROLE <roleName>]
REVOKE <PRIVILEGE> [, <PRIVILEGE> ] ON <OBJECT> <object_name> FROM ROLE <roleName> [,ROLE <roleName>]
查看角色/組權限
SHOW ROLES;
SHOW CURRENT ROLES;
SHOW ROLE GRANT GROUP <groupName>;
SHOW GRANT ROLE <roleName>;
SHOW GRANT ROLE <roleName> on OBJECT <objectName>;
查看所有的角色
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show roles;
+--------+
| role |
+--------+
| admin |
| role1 |
| role2 |
+--------+
3 rows selected (0.12 seconds)
#將某個數據庫讀權限授予給某個role
GRANT SELECT ON DATABASE db_name TO ROLE role_name;
#將test 表的 S1 列的讀權限授權給role_name (TABLE也可以不寫)
GRANT SELECT(s1) ON TABLE test TO ROLE role_name;
#test表的select 權限給 role_name 角色
GRANT SELECT ON TABLE test TO ROLE role_name;
例子:
目前有2個用戶
user1 // 有db1下t1 表的所有權限
user2 // 有db2下t2 表的所有權限
目前有角色
+--------+
| role |
+--------+
| admin | //所有庫的最高權限 all
| role1 | // 只有db1庫的所有權限
| role2 | // 只有db2庫下的所有權限
+--------+
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show databases;
+------------------------+
| database_name |
+------------------------+
| db1 |
| db2 |
| default |
| temp |
| test_hive_ucloud10086 |
+------------------------+
[hadoop@uhadoop-4wvgxxla-master1 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "select * from db2.t2;"
Transaction isolation: TRANSACTION_REPEATABLE_READ
+---------+
| t2.id |
+---------+
| t2_001 |
| t2_002 |
+---------+
2 rows selected (0.631 seconds)
Beeline version 2.3.3 by Apache Hive
[hadoop@uhadoop-4wvgxxla-master1 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "insert into db2.t2 values ('t2_003'),('t2_004');"
Connected to: Apache Hive (version 2.3.3)
Driver: Hive JDBC (version 2.3.3)
Transaction isolation: TRANSACTION_REPEATABLE_READ
No rows affected (25.708 seconds)
再查詢一次,ok 插入成功
Transaction isolation: TRANSACTION_REPEATABLE_READ
+---------+
| t2.id |
+---------+
| t2_001 |
| t2_002 |
| t2_003 |
| t2_004 |
+---------+
4 rows selected (0.605 seconds)
Beeline version 2.3.3 by Apache Hive
Closing: 0: jdbc:hive2://uhadoop-4wvgxxla-master2:10000
接下來,我有個需求,我想把temp下的student表給user2開放
首先user2對於的role2角色要有temp庫的select權限
然後再把temp庫下的student表的select權限給到role2 這個角色
那麼user2屬於role2 角色下 自然就有了temp下的student表的select權限
GRANT SELECT ON TABLE temp.student TO ROLE role2;
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> GRANT SELECT ON TABLE temp.student TO ROLE role2;
No rows affected (0.145 seconds)
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show role grant group user2;
+--------+---------------+-------------+----------+
| role | grant_option | grant_time | grantor |
+--------+---------------+-------------+----------+
| role2 | false | 0 | -- |
+--------+---------------+-------------+----------+
1 row selected (0.129 seconds)
0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show grant role role2;
+-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| db2 | | | | role2 | ROLE | * | true | 1583739057000 | -- |
| temp | student | | | role2 | ROLE | SELECT | false | 1583740481000 | -- |
+-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
2 rows selected (0.125 seconds)
驗證如下:
[hadoop@uhadoop-4wvgxxla-master1 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "show databases;"
Transaction isolation: TRANSACTION_REPEATABLE_READ
+----------------+
| database_name |
+----------------+
| db2 |
| default |
| temp |
+----------------+
3 rows selected (0.614 seconds)
[hadoop@uhadoop-4wvgxxla-master1 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "use temp;show tables;"
No rows affected (0.476 seconds)
+-----------+
| tab_name |
+-----------+
| student |
+-----------+
1 row selected (0.282 seconds)
Beeline version 2.3.3 by Apache Hive
[hadoop@uhadoop-4wvgxxla-master1 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "select * from temp.student;"
Transaction isolation: TRANSACTION_REPEATABLE_READ
+--------------+-----------------------+---------------+---------------+-----------------------+
| student.sno | student.sname | student.ssex | student.sage | student.sdept |
+--------------+-----------------------+---------------+---------------+-----------------------+
| 200215121 | 李勇 | 男 | 20 | CS |
+--------------+-----------------------+---------------+---------------+-----------------------+
1 row selected (0.667 seconds)
Beeline version 2.3.3 by Apache Hive
[hadoop@uhadoop-4wvgxxla-master1 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "insert into temp.student values(100215122,'劉晨','女',19,'CS');"
Transaction isolation: TRANSACTION_REPEATABLE_READ
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User user2 does not have privileges for QUERY // 用戶user2沒有QUERY的特權
The required privileges: Server=uhadoop-4wvgxxla-master1->Db=temp->Table=student->action=insert->grantOption=false; (state=42000,code=40000)
Closing: 0: jdbc:hive2://uhadoop-4wvgxxla-master2:10000
參考文檔 基於 Sentry Hive 權限控制命令詳解 https://blog.csdn.net/zhangshenghang/article/details/99212770
https://docs.cloudera.com/documentation/enterprise/5-5-x/topics/sg_hive_sql.html
Sentry使用指南 https://doc.ucloud.cn/analysis/uhadoop/developer/sentrydev