1. 在Hive集群所有节点创建两个组reader、writer,并分别在对应的组下创建reader、writer用户
[root@fan102 ~]# groupadd reader
[root@fan102 ~]# useradd -g reader reader
[root@fan102 ~]# passwd reader
[root@fan102 ~]# groupadd writer
[root@fan102 ~]# useradd -g writer writer
[root@fan102 ~]# passwd writer2. 使用Sentry管理员用户hive通过beeline客户端连接HiveServer2
[root@fan102 ~]# kinit -kt /var/keytab/hive.keytab hive/[email protected]
[root@fan102 ~]# beeline -u "jdbc:hive2://fan102:10000/;principal=hive/[email protected]"2.1.1 创建Role(reader_role,writer_role)
> CREATE ROLE reader_role;
> CREATE ROLE writer_role;2.1.2 销毁Role(writer_role)
> DROP ROLE writer_role;2.2.1 为role赋予权限
> GRANT select ON DATABASE dd TO ROLE reader_role;
> GRANT insert ON DATABASE dd TO ROLE writer_role;2.2.2 如果权限赋予要精确到表,那么可以用以下方式
> GRANT insert ON TABLE dd.teacher TO ROLE writer_role;2.2.3 撤销权限(结合GRANT可实现权限修改操作)
> REVOKE insert ON DATABASE dd FROM ROLE writer_role;
> REVOKE insert ON TABLE dd.teacher FROM ROLE writer_role;2.3.1 将role授予用户组
> GRANT ROLE reader_role TO GROUP reader;
> GRANT ROLE writer_role TO GROUP writer;2.3.2 撤销role授予用户组
> REVOKE ROLE writer_role FROM GROUP writer;3. 查看权限授予情况
3.1 查看所有role(管理员)
> SHOW ROLES;3.2 查看指定用户组的role(管理员)
> SHOW ROLE GRANT GROUP reader;3.3 查看当前认证用户的role
> SHOW CURRENT ROLES;3.4 查看指定ROLE的具体权限(管理员)
> SHOW GRANT ROLE reader_role;3.5 查看某个角色所有已授权的组
当前没有像(SHOW GRANT ROLE reader_role;)的语句来获取角色下所有已授权的用户组,但可以通过Hue的管理界面或直接使用SQL查询Sentry数据库的方式获取。
SELECT g.GROUP_NAME
FROM SENTRY_GROUP g
JOIN SENTRY_ROLE_GROUP_MAP rg
on rg.GROUP_ID = g.GROUP_ID
JOIN SENTRY_ROLE r
ON r.ROLE_ID = rg.ROLE_ID
WHERE r.ROLE_NAME='reader_role'4. 权限测试
4.1 为reader、writer创建Kerberos主体
[root@fan102 ~]# kadmin.local -q "addprinc reader/reader"
Authenticating as principal root/[email protected] with password.
WARNING: no policy specified for reader/[email protected]; defaulting to no policy
Enter password for principal "reader/[email protected]": (输入密码)
Re-enter password for principal "reader/[email protected]": (输入密码)
Principal "writer/[email protected]" created.
[root@fan102 ~]# kadmin.local -q "addprinc writer/writer"
Authenticating as principal root/[email protected] with password.
WARNING: no policy specified for writer/[email protected]; defaulting to no policy
Enter password for principal "reader/[email protected]": (输入密码)
Re-enter password for principal "writer/[email protected]": (输入密码)
Principal "writer/[email protected]" created.4.2 将keytab文件生成到指定目录/var/keytab/
[root@fan102 ~]# kadmin.local -q "xst -k /var/keytab/writer.keytab writer/[email protected]"
[root@fan102 ~]# kadmin.local -q "xst -k /var/keytab/reader.keytab reader/[email protected]"4.3 使用reader登录HiveServer2,查询dd库下的任意一张表
[root@fan102 ~]# kinit -kt /var/keytab/reader.keytab reader/[email protected]
[root@fan102 ~]# beeline -u "jdbc:hive2://fan102:10000/;principal=hive/[email protected]"4.4 使用writer登录HiveServer2,查询dd库下的任意一张表
[root@fan102 ~]# kinit -kt /var/keytab/writer.keytab writer/[email protected]
[root@fan102 ~]# beeline -u "jdbc:hive2://fan102:10000/;principal=hive/[email protected]"4.5 查询结果
reader有对于dd库中表的查询权限,而writer没有。说明授权生效。5. hdfs用户(可不创建)实例为创建cat1用户文件,并归属域cats用户的cat1用户下
hadoop fs -mkdir /user/cat1
hadoop fs -chown cats:cat1 /user/cat1
6. 补充
| 用户 | 组 | 条件 | |
| Linux | √ | √ | 可分开创建 |
| kerberos | √ | √ | 同时创建 |
| hdfs | √ | √ | 同时创建 |
| hive | 无需创建用户,根据kerberos实体区分 |
+++++++++++++++++++++++++++++++++++++++++
+ 如有问题可+Q:1602701980 共同探讨 +
+++++++++++++++++++++++++++++++++++++++++