版权声明:本文为博主原创文章,未经博主允许不得转载。博客地址:http://www.fanlegefan.com/ https://blog.csdn.net/woloqun/article/details/83538308
环境
apache-hive-2.3.3-bin
apache-sentry-2.1.0-bin
sentry 2.1.0 是撰写本文时的最新版本,其支持的 hive 最高版本为 2.3.3;如果 hive 版本高于 2.3.3,会出现一些版本兼容问题[亲测]
hive快速安装
# Download and unpack the Hive 2.3.3 binary release.
# NOTE(review): the tarball is fetched from a third-party mirror over plain HTTP, so
# nothing in these two commands authenticates it. Before unpacking, compare the file
# with the checksum and PGP signature (.asc) that the Apache Hive project publishes
# for this release.
wget http://mirrors.shu.edu.cn/apache/hive/hive-2.3.3/apache-hive-2.3.3-bin.tar.gz
tar -zxvf apache-hive-2.3.3-bin.tar.gz
配置hive-site.xml
mv hive-default.xml.template hive-site.xml
mkdir -p /home/xiaobin/soft/apache-hive-2.3.3-bin/tmpdir
vi hive-site.xml
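<!-- hive-site.xml overrides for this walkthrough: scratch directory, user name,
     and the MySQL-backed metastore connection. -->
<!-- The stock template copied to hive-site.xml refers to ${system:java.io.tmpdir}
     and ${system:user.name}; the next two properties give them concrete values. -->
<property>
<name>system:java.io.tmpdir</name>
<value>/home/xiaobin/soft/apache-hive-2.3.3-bin/tmpdir</value>
</property>
<property>
<name>system:user.name</name>
<value>master</value>
</property>
<!-- Metastore JDBC URL. A literal ampersand is not allowed inside an XML value, so the
     separator between URL parameters is written as the entity &amp; here; with a bare
     ampersand the configuration file fails to parse. -->
<property>
<name>javax.jdo.option.ConnectionURL</name>
<value>jdbc:mysql://192.168.1.115/hive2?createDatabaseIfNotExist=true&amp;useUnicode=true</value>
</property>
<!-- NOTE(review): the metastore logs in as the MySQL root account with a trivially
     guessable password, against a database host reached over the network. Outside a
     throwaway lab, create a dedicated MySQL account that only has privileges on the
     hive2 database, give it a strong password, and make hive-site.xml readable only by
     the Hive service user. Hive can, to my knowledge, also take this password from a
     Hadoop credential provider instead of clear text; confirm for your version. -->
<property>
<name>javax.jdo.option.ConnectionUserName</name>
<value>root</value>
</property>
<property>
<name>javax.jdo.option.ConnectionPassword</name>
<value>123456</value>
</property>
<!-- JDBC driver class; the matching mysql-connector jar has to be on Hive's classpath. -->
<property>
<name>javax.jdo.option.ConnectionDriverName</name>
<value>com.mysql.jdbc.Driver</value>
</property>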
copy mysql-connector驱动
cp mysql-connector-java.jar apache-hive-2.3.3-bin/lib/
创建元数据数据库
mysql> create database hive2;
Query OK, 1 row affected (0.01 sec)
初始化元数据
schematool -dbType mysql -initSchema
sentry安装
下载
http://sentry.apache.org/general/downloads.html
# Download and unpack the Sentry 2.1.0 binary release.
# NOTE(review): same caveat as any mirror download over plain HTTP: verify the archive
# against the checksum and PGP signature published by the Apache Sentry project before
# unpacking it, since this tarball ends up enforcing authorization for the cluster.
wget http://apache.01link.hk/sentry/2.1.0/apache-sentry-2.1.0-bin.tar.gz
tar -zxvf apache-sentry-2.1.0-bin.tar.gz
config
cp sentry-site.xml.service.example sentry-site.xml
vi sentry-site.xml
<!-- Server-side sentry-site.xml for the Sentry service, with the values used in this
     walkthrough. Several of them (no authentication, bind on all interfaces, open web
     service, password equal to the user name) are only acceptable on an isolated lab
     host; see the NOTE(review) comments below. -->
<property>
<name>sentry.hive.server</name>
<value>server1</value>
</property>
<property>
<name>sentry.verify.schema.version</name>
<value>true</value>
</property>
<!-- User names that may connect to the service (see the description).
     NOTE(review): with sentry.service.security.mode set to none further down, the name
     is presumably whatever the client asserts, so this list is not a security boundary
     on its own. TODO confirm. -->
<property>
<name>sentry.service.allow.connect</name>
<value>hive,impala,hue,hdfs</value>
<description>comma separated list of users - List of users that are allowed to connect to the service (eg Hive, Impala) </description>
</property>
<!-- Backing database of the Sentry store: MySQL on the same host. -->
<property>
<name>sentry.store.jdbc.url</name>
<value>jdbc:mysql://localhost:3306/sentry</value>
<description>JDBC connection URL for the backed DB</description>
</property>
<property>
<name>sentry.store.jdbc.user</name>
<value>sentry</value>
<description>The username of the user that connects to the Sentry database</description>
</property>
<!-- NOTE(review): the password equals the user name and sits here in clear text. This
     database holds every role and privilege, so whoever can log in to it can rewrite
     the policy. Use a strong secret (and the same one on the MySQL account), and keep
     this file readable only by the account that runs the Sentry service. -->
<property>
<name>sentry.store.jdbc.password</name>
<value>sentry</value>
<description>Sentry password for backend JDBC user </description>
</property>
<!-- Left empty because Kerberos is not used in this setup. -->
<property>
<name>sentry.service.server.keytab</name>
<value></value>
<description>Keytab for service principal</description>
</property>
<property>
<name>sentry.service.server.rpcport</name>
<value>8038</value>
<description> TCP port number for service</description>
</property>
<!-- NOTE(review): 0.0.0.0 makes the RPC port listen on every interface. Together with
     security mode none, any host that can reach port 8038 can talk to the policy
     service. Bind to the interface Hive actually uses, or restrict the port with a
     host firewall. -->
<property>
<name>sentry.service.server.rpcaddress</name>
<value>0.0.0.0</value>
<description> TCP interface for service to bind to</description>
</property>
<property>
<name>sentry.store.jdbc.driver</name>
<value>com.mysql.jdbc.Driver</value>
<description>Backend JDBC driver - org.apache.derby.jdbc.EmbeddedDriver (only when dbtype = derby) JDBC Driver class for the backed DB</description>
</property>
<!-- Groups whose members may change policies (see the description); keep this list as
     short as the deployment allows. -->
<property>
<name>sentry.service.admin.group</name>
<value>hive,impala,hue,hdfs</value>
<description>Comma separates list of groups. List of groups allowed to make policy updates</description>
</property>
<property>
<name>sentry.store.group.mapping</name>
<value>org.apache.sentry.provider.common.HadoopGroupMappingService</value>
<description>
Group mapping class for Sentry service. org.apache.sentry.provider.file.LocalGroupMapping service can be used for local group mapping. </description>
</property>
<property>
<name>sentry.store.group.mapping.resource</name>
<value> </value>
<description> Policy file for group mapping. Policy file path for local group mapping, when sentry.store.group.mapping is set to LocalGroupMapping Service class.</description>
</property>
<!-- NOTE(review): none turns off Kerberos authentication for the service. That keeps a
     single-host trial simple, but an authorization service that does not authenticate
     its callers protects nothing once the port is reachable by others. Use kerberos,
     with the keytab and principal properties that are left empty in this file. -->
<property>
<name>sentry.service.security.mode</name>
<value>none</value>
<description>Options: kerberos, none. Authentication mode for Sentry service. Currently supports Kerberos and trusted mode </description>
</property>
<property>
<name>sentry.service.server.principal</name>
<value> </value>
<description>Service Kerberos principal</description>
</property>
<!-- NOTE(review): the web service is switched on while its authentication type below is
     NONE, so whatever it serves is available to anyone who can reach its port. Set
     this to false if the web service is not needed, or protect it with kerberos. -->
<property>
<name>sentry.service.web.enable</name>
<value>true</value>
<description>Enable web service</description>
</property>
<property>
<name>sentry.service.web.authentication.type</name>
<value>NONE</value>
<description>Options: kerberos, NONE. Authentication mode for Sentry web service.</description>
</property>
<property>
<name>sentry.service.web.authentication.kerberos.keytab</name>
<value></value>
<description>Keytab for web service principal</description>
</property>
<property>
<name>sentry.service.web.authentication.kerberos.principal</name>
<value></value>
<description>Web service Kerberos principal</description>
</property>
<property>
<name>sentry.service.web.authentication.allow.connect.users</name>
<value></value>
<description>comma separated list of users - List of users that are allowed to connect to the web service (eg Hive, Impala) </description>
</property>
创建sentry元数据数据库
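-- Metadata database for the Sentry service, plus the account the service logs in with.
CREATE DATABASE sentry;

-- The Sentry server in this walkthrough reaches MySQL through
-- jdbc:mysql://localhost:3306/sentry, so the account is scoped to localhost only.
-- A wildcard-host account ('sentry'@'%') would let any machine that can reach MySQL
-- log in to the database that stores every role and privilege; if Sentry runs on a
-- different host, name that host explicitly instead of using '%'.
-- The password shown equals the user name: replace it with a strong secret and use the
-- same value for sentry.store.jdbc.password in sentry-site.xml.
CREATE USER 'sentry'@'localhost' IDENTIFIED BY 'sentry';

-- Privileges are limited to the sentry schema. The password is set once in CREATE USER;
-- GRANT ... IDENTIFIED BY is deprecated in MySQL 5.7 and rejected by MySQL 8.0.
GRANT ALL ON sentry.* TO 'sentry'@'localhost';

FLUSH PRIVILEGES;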
复制mysql-connector驱动
cp mysql-connector-java.jar apache-sentry-2.1.0-bin/lib/
初始化元数据
sentry --command schema-tool --conffile apache-sentry-2.1.0-bin/conf/sentry-site.xml --dbType mysql --initSchema
启动service
./sentry --command service --conffile apache-sentry-2.1.0-bin/conf/sentry-site.xml
查看是否启动成功
netstat -anpl|grep 8038
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:8038 0.0.0.0:* LISTEN 11950/java
hive集成sentry
copy sentry 客户端配置文件
cp apache-sentry-2.1.0-bin/conf/sentry-site.xml.hive-client.example apache-hive-2.3.3-bin/conf/
cd apache-hive-2.3.3-bin/conf/
mv sentry-site.xml.hive-client.example sentry-site.xml
配置$HIVE_HOME/conf/sentry-site.xml
<!-- Client-side sentry-site.xml placed in $HIVE_HOME/conf: tells the Hive binding how to
     reach the Sentry service and which provider classes to use. -->
<!-- Has to agree with the mode configured on the Sentry server.
     NOTE(review): none means the connection to the policy service is not authenticated
     with Kerberos; keep that to an isolated lab host. -->
<property>
<name>sentry.service.security.mode</name>
<value>none</value>
<description>Options: kerberos, none. Authentication mode for Sentry service. Currently supports Kerberos and trusted mode </description>
</property>
<!-- Address and port of the Sentry service; 8038 is the RPC port the service listens on
     in this walkthrough. -->
<property>
<name>sentry.service.client.server.rpc-addresses</name>
<value>localhost</value>
<description> TCP address of the sentry store server</description>
</property>
<property>
<name>sentry.service.client.server.rpc-port</name>
<value>8038</value>
<description>Port # of the sentry store server</description>
</property>
<property>
<name>sentry.service.client.server.rpc-connection-timeout</name>
<value>200000</value>
<description>Client timeout default(200000) RPC connection timeout in milisecs</description>
</property>
<!-- Users listed here bypass the Sentry metastore authorization (see the description).
     NOTE(review): that exemption is only as trustworthy as the way the metastore
     learns the caller's name; without authentication the name is presumably
     self-declared. TODO confirm. -->
<property>
<name>sentry.metastore.service.users</name>
<value>hive</value>
<description>
Comma separated list of users
List of service users (eg hive, impala) to bypass
the Sentry metastore authorization. These
services handle the metadata authorization
on their side.
</description>
</property>
<!--
Some common client properties same as file
based provider
-->
<property>
<name>sentry.hive.provider</name>
<value>org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider</value>
<description> Deprecated name: hive.sentry.provider. Group mapping which should be used at client side</description>
</property>
<!-- Server identifier; the server-side configuration in this walkthrough uses the same
     value, server1. -->
<property>
<name>sentry.hive.server</name>
<value>server1</value>
<description> Deprecated name: hive.sentry.server. Defaut: HS2. Hive Server2 Server identifier like "server1"</description>
</property>
<property>
<name>sentry.hive.failure.hooks</name>
<value> </value>
<description>Deprecated Name: hive.sentry.failure.hooks</description>
</property>
<!-- NOTE(review): testing mode relaxes the checks the Hive binding performs at startup;
     as far as I know it is what allows HiveServer2 to run with authentication
     disabled. It is a lab switch: remove it (or set false) and enable real
     authentication before anything beyond a trial. Verify against the Sentry
     documentation for your version. -->
<property>
<name>sentry.hive.testing.mode</name>
<value>true</value>
</property>
<!-- Selects the db based backend from the two options in the description, rather than
     the file based one. -->
<property>
<name>sentry.hive.provider.backend</name>
<value>org.apache.sentry.provider.db.SimpleDBProviderBackend</value>
<description> Options: {org.apache.sentry.provider.db.SimpleDBProviderBackend, org.apache.sentry.provider.file.SimpleFileProviderBackend}
Privilege provider to be used, we support file based or db based
</description>
</property>
vi hive-site.xml
<!-- Properties added to hive-site.xml so that the metastore and HiveServer2 load the
     Sentry binding classes. -->
<!-- Metastore listeners: Sentry's authorization binding before each metastore event and
     its notification listener after it. -->
<property>
<name>hive.metastore.pre.event.listeners</name>
<value>org.apache.sentry.binding.metastore.MetastoreAuthzBinding</value>
</property>
<property>
<name>hive.metastore.event.listeners</name>
<value>org.apache.sentry.binding.metastore.SentrySyncHMSNotificationsPostEventListener</value>
</property>
<!-- NOTE(review): Sentry deployments normally run HiveServer2 with impersonation turned
     off, so that queries execute as the hive service user and Sentry remains the only
     gate in front of the data. This setup enables it; presumably that is accepted only
     because sentry.hive.testing.mode is true in the client sentry-site.xml. Verify
     that true is really intended. -->
<property>
<name>hive.server2.enable.impersonation</name>
<value>true</value>
</property>
<property>
<name>hive.security.authorization.task.factory</name>
<value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value>
</property>
<!-- Session hook supplied by the Sentry Hive binding. -->
<property>
<name>hive.server2.session.hook</name>
<value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
</property>
<!-- Absolute file URL of the client-side sentry-site.xml; adjust the path to your own
     installation, and keep the file writable only by the Hive service user, since it
     decides which policy service Hive trusts. -->
<property>
<name>hive.sentry.conf.url</name>
<value>file:///home/xiaobin/soft/apache-hive-2.3.3-bin/conf/sentry-site.xml</value>
</property>
copy sentry jars
cp apache-sentry-2.1.0-bin/lib/sentry-*.jar apache-hive-2.3.3-bin/lib/
cp apache-sentry-2.1.0-bin/lib/shiro-* apache-hive-2.3.3-bin/lib/
启动hiveserver2
hiveserver2 --hiveconf hive.root.logger=INFO,console
查看hiveserver2监听端口
netstat -anpl|grep 10000
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 12231/java