This article describes how to use the hbase shell, the phoenix shell and phoenix JDBC code once hbase access control is enabled.
hbase version: Version 1.2.0-cdh5.7.0
phoenix version: 4.8.2
1. Enabling hbase ACL access control
1.1 When hbase ACL access control is not enabled, calling the permission-related API directly from Java code fails with:
org.apache.hadoop.hbase.TableNotFoundException: hbase:acl
1.2 From the hbase shell the error looks like this:
hbase(main):002:0> scan 'hbase:acl'
ROW COLUMN+CELL
ERROR: Unknown table hbase:acl!
1.3 Edit hbase-site.xml, add the configuration items below, and restart hbase to enable hbase ACL. Note that with hbase.security.authentication=simple the client supplies its own user name and the cluster does not verify it, so these ACLs guard against mistakes rather than against a hostile client; authenticated enforcement requires kerberos.
<property>
<name>hbase.security.authentication</name>
<value>simple</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController, org.apache.hadoop.hbase.security.token.TokenProvider</value>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
<name>hbase.coprocessor.regionserver.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
<name>hbase.security.exec.permission.checks</name>
<value>true</value>
</property>
<property>
<name>hfile.format.version</name>
<value>3</value>
</property>
1.4 Verify that hbase ACL is in effect
Log in to the hbase client as the hbase (superuser) account: > hbase shell
hbase(main):002:0> scan 'hbase:acl'
ROW COLUMN+CELL
0 row(s) in 0.1560 seconds
2. Configuring hbase namespaces to map to phoenix databases
2.1 Edit hbase-site.xml, add the configuration items below and restart hbase. Afterwards each hbase namespace is mapped to a database schema in phoenix.
<property>
<name>phoenix.schema.isNamespaceMappingEnabled</name>
<value>true</value>
</property>
<property>
<name>phoenix.schema.mapSystemTablesToNamespace</name>
<value>true</value>
</property>
3. Common hbase shell operations
3.1 list // list all hbase tables
3.2 list_namespace // list all namespaces
3.3 create_namespace 'ns1' // create a namespace, the equivalent of a database schema
3.4 create 'ns1:t1', 'cf1' // create table t1 in namespace ns1; at least one column family must be given, otherwise the command fails
3.5 put 'ns1:t1', 'r1', 'cf1:c1', 'aaaaaaaa' // insert one row into table ns1:t1 with rowkey r1, column family cf1, column c1
3.6 get 'ns1:t1', 'r1' // read the row with rowkey r1 from table ns1:t1
4. Granting permissions from the hbase shell
4.1 hbase ACL has five permissions, RWXCA, corresponding to read, write, execute, create and admin.
grant 'user1', 'R', 't1' // grants user1 read permission on table t1; pass 'RWXCA' instead of 'R' to grant all five
4.2 Typing grant with no arguments in the hbase shell prints the full grant syntax:
hbase(main):001:0> grant
ERROR: First argument should be a String
Here is some help for this command:
Grant users specific rights.
Syntax : grant <user>, <permissions> [, <@namespace> [, <table> [, <column family> [, <column qualifier>]]]
permissions is either zero or more letters from the set "RWXCA".
READ('R'), WRITE('W'), EXEC('X'), CREATE('C'), ADMIN('A')
Note: Groups and users are granted access in the same way, but groups are prefixed with an '@'
character. In the same way, tables and namespaces are specified, but namespaces are
prefixed with an '@' character.
For example:
hbase> grant 'bobsmith', 'RWXCA'
hbase> grant '@admins', 'RWXCA'
hbase> grant 'bobsmith', 'RWXCA', '@ns1'
hbase> grant 'bobsmith', 'RW', 't1', 'f1', 'col1'
hbase> grant 'bobsmith', 'RW', 'ns1:t1', 'f1', 'col1'
4.3 Viewing permissions
user_permission 'db1:t1' // list the users that have permissions on this table
user_permission '@db1' // list the users that have permissions on this namespace
scan 'hbase:acl' // scan the entire permission list
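As an added example (not code from the original post), the same grant and user_permission steps done programmatically through the AccessControlClient API of hbase 1.2; the ZooKeeper host, the user name user1 and the namespace ns1 are placeholders, and the check at the top turns the missing hbase:acl situation from section 1.1 into an explicit error instead of a TableNotFoundException:

```java
import java.util.Arrays;
import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.security.access.AccessControlClient;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.util.Bytes;

public class HBaseAclGrantExample {
    // Equivalent of: user_permission 'ns1:t1' / user_permission '@ns1'
    static List<UserPermission> listPermissions(Connection conn, String tableOrNamespace) throws Throwable {
        List<UserPermission> perms = AccessControlClient.getUserPermissions(conn, tableOrNamespace);
        for (UserPermission p : perms) {
            System.out.printf("%s: user=%s actions=%s%n", tableOrNamespace,
                    Bytes.toString(p.getUser()), Arrays.toString(p.getActions()));
        }
        return perms;
    }

    public static void main(String[] args) throws Throwable {
        Configuration conf = HBaseConfiguration.create();
        // placeholder quorum; normally picked up from hbase-site.xml on the classpath
        conf.set("hbase.zookeeper.quorum", "zk-host-placeholder");

        try (Connection conn = ConnectionFactory.createConnection(conf)) {
            // Section 1.1: without the AccessController coprocessor hbase:acl does not exist
            // and every grant() below would fail with TableNotFoundException.
            if (!AccessControlClient.isAccessControllerRunning(conn)) {
                throw new IllegalStateException(
                        "AccessController not loaded; enable hbase.security.authorization first");
            }
            // Least privilege instead of a blanket 'RWXCA':
            // grant 'user1', 'R', '@ns1'  -> read on the whole namespace
            AccessControlClient.grant(conn, "ns1", "user1", Permission.Action.READ);
            // grant 'user1', 'W', 'ns1:t1', 'cf1'  -> write only on one column family
            AccessControlClient.grant(conn, TableName.valueOf("ns1:t1"), "user1",
                    Bytes.toBytes("cf1"), null, Permission.Action.WRITE);

            // Verify what was actually stored in hbase:acl
            listPermissions(conn, "ns1:t1");
            listPermissions(conn, "@ns1");
        }
    }
}
```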
5. phoenix shell operations
5.1 Log in to the phoenix client as the OS user hbase; the !table command lists all tables the user has permissions on
[hbase@vm71 ~]$ /usr/lib/phoenix/bin/sqlline.py
0: jdbc:phoenix:> !table
+------------+--------------+-------------+---------------+----------+------------+----------------------------+-----------------+--------------+-----------------+------------+
| TABLE_CAT | TABLE_SCHEM | TABLE_NAME | TABLE_TYPE | REMARKS | TYPE_NAME | SELF_REFERENCING_COL_NAME | REF_GENERATION | INDEX_STATE | IMMUTABLE_ROWS | SALT_BUCKE |
+------------+--------------+-------------+---------------+----------+------------+----------------------------+-----------------+--------------+-----------------+------------+
| | SYSTEM | CATALOG | SYSTEM TABLE | | | | | | false | null |
| | SYSTEM | FUNCTION | SYSTEM TABLE | | | | | | false | null |
| | SYSTEM | SEQUENCE | SYSTEM TABLE | | | | | | false | null |
| | SYSTEM | STATS | SYSTEM TABLE | | | | | | false | null |
| | | DDD | TABLE | | | | | | false | null |
+------------+--------------+-------------+---------------+----------+------------+----------------------------+-----------------+--------------+-----------------+------------+
0: jdbc:phoenix:>
5.2 To run sqlline.py as another OS account, grant the additional permissions indicated by the error messages, or simply grant 'user1', 'RWXCA', '@SYSTEM' (the latter gives that account full control of phoenix's metadata tables, so the narrower grants are preferable)
6. Mapping between phoenix and hbase tables
6.1 phoenix is built on top of hbase; its metadata is stored in the CATALOG, FUNCTION, MUTEX, SEQUENCE and STATS tables of the SYSTEM namespace. Every phoenix table is an hbase table, but not every hbase table is a phoenix table.
An existing hbase table can only be read from phoenix after a mapping has been created for it; otherwise phoenix reports that the table cannot be found.
-- create the mapping
CREATE TABLE "t01" ( "ROW" varchar primary key, "cf1"."c1" varchar);
7. Running phoenix JDBC code as a specified account
// Run the query as proxy user userxxx. With hbase.security.authentication=simple (section 1.3)
// the user name is asserted by the client and not verified by the cluster.
import java.security.PrivilegedAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Properties;
import org.apache.hadoop.security.UserGroupInformation;

public class PhoenixProxyUserQuery {
    public static void main(String[] args) throws Exception {
        // placeholder: replace with your ZooKeeper quorum
        final String url = "jdbc:phoenix:<zookeeper-quorum>";
        final String proxyUser = "userxxx";
        // table name must be double-quoted, otherwise phoenix upper-cases it to T01 (see section 8)
        final String querySQL = "select * from \"t01\"";
        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(proxyUser);
        ugi.doAs(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                Connection conn = null;
                try {
                    Class.forName("org.apache.phoenix.jdbc.PhoenixDriver");
                    Properties properties = new Properties();
                    // must match the server-side settings from section 2.1
                    properties.setProperty("phoenix.schema.mapSystemTablesToNamespace", "true");
                    properties.setProperty("phoenix.schema.isNamespaceMappingEnabled", "true");
                    conn = DriverManager.getConnection(url, properties);
                    PreparedStatement statement = conn.prepareStatement(querySQL);
                    ResultSet rs = statement.executeQuery();
                    // print the result set, one line per row
                    int cols = rs.getMetaData().getColumnCount();
                    while (rs.next()) {
                        StringBuilder row = new StringBuilder();
                        for (int i = 1; i <= cols; i++) {
                            row.append(rs.getMetaData().getColumnName(i)).append('=')
                               .append(rs.getString(i)).append(' ');
                        }
                        System.out.println(row.toString().trim());
                    }
                } catch (ClassNotFoundException e) {
                    e.printStackTrace();
                } catch (SQLException e) {
                    e.printStackTrace();
                } finally {
                    try {
                        if (conn != null) {
                            conn.close();
                        }
                    } catch (SQLException e) {
                        e.printStackTrace();
                    }
                }
                return null;
            }
        });
    }
}
8. Known issues with phoenix
- When a table is created through phoenix JDBC without specifying a column family, the default column family is 0
- A phoenix table may have same-named columns in different column families, but a JDBC SQL query returns them without the column family name
- select * from t1 also returns columns the user has no permission on
- The default database is referred to by the empty string "", e.g. to query table t1 in the default database: select * from ""."t1"
- Database and table names must be wrapped in double quotes; otherwise they are converted to upper case and the table is not found, which is rather annoying
- When phoenix operates hbase as a specified user, phoenix.queryserver.withRemoteUserExtractor in the 4.8.2 QueryServer has a bug: it only takes effect when kerberos is enabled