Kerberos + Sentry integration test with Hive

Kerberos

  1. Open the Kerberos admin shell
[root@quickstart opt]# kadmin.local 
Authenticating as principal test/admin@CLOUDERA with password.

  2. List all principals
kadmin.local:  list_principals
HTTP/quickstart.cloudera@CLOUDERA
K/M@CLOUDERA
cloudera-scm/admin@CLOUDERA
hdfs/quickstart.cloudera@CLOUDERA
hive/quickstart.cloudera@CLOUDERA
hue/quickstart.cloudera@CLOUDERA
kadmin/admin@CLOUDERA
kadmin/changepw@CLOUDERA
kadmin/quickstart.cloudera@CLOUDERA
krbtgt/CLOUDERA@CLOUDERA
kylin/quickstart.cloudera@CLOUDERA
mapred/quickstart.cloudera@CLOUDERA
sentry/quickstart.cloudera@CLOUDERA
test/quickstart.cloudera@CLOUDERA
yarn/quickstart.cloudera@CLOUDERA
zookeeper/quickstart.cloudera@CLOUDERA
kadmin.local:  
  3. Export the keytab for the principal
kadmin.local:  xst -norandkey -k /opt/hive.keytab hive/quickstart.cloudera@CLOUDERA
Entry for principal hive/quickstart.cloudera@CLOUDERA with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/opt/hive.keytab.
Entry for principal hive/quickstart.cloudera@CLOUDERA with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/opt/hive.keytab.
Entry for principal hive/quickstart.cloudera@CLOUDERA with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/opt/hive.keytab.
Entry for principal hive/quickstart.cloudera@CLOUDERA with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/opt/hive.keytab.
Entry for principal hive/quickstart.cloudera@CLOUDERA with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/opt/hive.keytab.
kadmin.local:  


After quit, the keytab is visible under /opt. Note that -norandkey copies the principal's current keys unchanged, so /opt/hive.keytab now holds the same long-term key as the running HiveServer2's own keytab; keep it root-only (mode 0600, as below) and delete it once the test is over. Without -norandkey, kadmin would randomize the key and bump the kvno, and the service's existing keytab would stop working:

-rw-------  1 root         root          706 Nov 21 15:53 hive.keytab
  4. Authenticate as this principal
[root@quickstart opt]# kinit -kt hive.keytab  hive/quickstart.cloudera@CLOUDERA
[root@quickstart opt]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hive/quickstart.cloudera@CLOUDERA

Valid starting     Expires            Service principal
11/21/19 15:54:52  11/22/19 15:54:52  krbtgt/CLOUDERA@CLOUDERA
        renew until 11/26/19 15:54:52
[root@quickstart opt]# 


After kinit, klist shows the ticket cache, the default principal and the validity window of the TGT.
  5. Start beeline and connect. The principal= parameter in the JDBC URL names the HiveServer2 service principal the client authenticates to, not the client's own identity; the client identity comes from the ticket cache kinit just populated, which is why no user or password is given:
[root@quickstart opt]# beeline
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
/usr/bin/hbase: line 16: /usr/lib/hbase/bin/hbase: No such file or directory
/usr/bin/hbase: line 16: exec: /usr/lib/hbase/bin/hbase: cannot execute: No such file or directory
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Beeline version 1.1.0-cdh5.13.0 by Apache Hive
beeline> !connect jdbc:hive2://quickstart.cloudera:10000/;principal=hive/quickstart.cloudera@CLOUDERA;
scan complete in 2ms
Connecting to jdbc:hive2://quickstart.cloudera:10000/;principal=hive/quickstart.cloudera@CLOUDERA;
Connected to: Apache Hive (version 1.1.0-cdh5.13.0)
Driver: Hive JDBC (version 1.1.0-cdh5.13.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://quickstart.cloudera:10000/> 
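The xst output above wrote five keys for hive/quickstart.cloudera@CLOUDERA, and four of them use single DES, 3DES or RC4. The Python snippet below is an added example, not part of the original post and not MIT Kerberos code: it parses the kadmin.local output (the page's own lines, embedded here as a constructed string), flags every entry whose enctype is not AES, and checks that all entries share one kvno. The list of acceptable enctypes is the only policy assumption it makes.

```python
import re

# Added example, not code from the page or from MIT Kerberos: audit what `xst` wrote.
# KADMIN_OUTPUT is the page's own kadmin.local output, embedded here as a constructed string.
KADMIN_OUTPUT = """\
Entry for principal hive/quickstart.cloudera@CLOUDERA with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/opt/hive.keytab.
Entry for principal hive/quickstart.cloudera@CLOUDERA with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/opt/hive.keytab.
Entry for principal hive/quickstart.cloudera@CLOUDERA with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/opt/hive.keytab.
Entry for principal hive/quickstart.cloudera@CLOUDERA with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/opt/hive.keytab.
Entry for principal hive/quickstart.cloudera@CLOUDERA with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/opt/hive.keytab.
"""

ENTRY_RE = re.compile(
    r"Entry for principal (?P<principal>\S+) with kvno (?P<kvno>\d+), "
    r"encryption type (?P<enctype>\S+) added to keytab WRFILE:(?P<keytab>\S+)\.$")

# Policy assumption: only the AES enctypes are acceptable. Single DES is retired
# (RFC 6649) and 3DES and RC4 (arcfour-hmac) are deprecated (RFC 8429); a key for any
# of them in the keytab is a key that can be recovered offline or negotiated down to.
STRONG_ENCTYPES = {
    "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha256-128", "aes256-cts-hmac-sha384-192",
}


def parse_entries(text):
    """One dict per 'Entry for principal ...' line; any other line is ignored."""
    matches = (ENTRY_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def audit_keytab_export(text):
    """Summarise a kadmin xst/ktadd transcript: weak enctypes and kvno consistency."""
    entries = parse_entries(text)
    weak = [e["enctype"] for e in entries if e["enctype"] not in STRONG_ENCTYPES]
    kvnos = {e["kvno"] for e in entries}
    return {
        "principals": sorted({e["principal"] for e in entries}),
        "entries": len(entries),
        "weak_enctypes": weak,
        # More than one kvno means keys from different generations were mixed in
        # (for example a fresh export appended to a keytab from before a key change).
        "kvno_consistent": len(kvnos) <= 1,
        "ok": bool(entries) and not weak and len(kvnos) == 1,
    }


if __name__ == "__main__":
    print(audit_keytab_export(KADMIN_OUTPUT))
```

For the page's transcript the audit reports four weak enctypes and ok=False. The fix is on the KDC side, not in the export: restrict supported_enctypes in kdc.conf (and permitted_enctypes in the clients' krb5.conf) to AES, and pass an AES-only key-salt list with -e whenever new keys are generated (add_principal, cpw, or xst without -norandkey, which bumps the kvno and therefore requires redeploying the keytab to HiveServer2).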

Sentry

  1. List the roles and create an administrator role
0: jdbc:hive2://quickstart.cloudera:10000/> show roles;
INFO  : Compiling command(queryId=hive_20191121155858_f335031f-1e0e-44f2-9722-d65046efac60): show roles
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:role, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20191121155858_f335031f-1e0e-44f2-9722-d65046efac60); Time taken: 0.076 seconds
INFO  : Executing command(queryId=hive_20191121155858_f335031f-1e0e-44f2-9722-d65046efac60): show roles
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20191121155858_f335031f-1e0e-44f2-9722-d65046efac60); Time taken: 0.031 seconds
INFO  : OK
+------------+--+
|    role    |
+------------+--+
| test_role  |
| kylin      |
| admin      |
| publics    |
+------------+--+
4 rows selected (0.182 seconds)
0: jdbc:hive2://quickstart.cloudera:10000/> 

Strictly speaking, a fresh install has no roles yet (the ones listed above already existed on this QuickStart VM), so an administrator role can be created with the following commands. They only succeed for a user whose group is in Sentry's admin group list (sentry.service.admin.group), and a role has no effect until it is granted to a group, as is done for demo_role below:

-- create the administrator role
create role admin_role;

-- give the administrator role every privilege on the server, including the right to grant them on
GRANT ALL ON SERVER server1 TO ROLE admin_role WITH GRANT OPTION;
  2. Create a regular role, grant it SELECT on database test_db, and assign the role to group demo
0: jdbc:hive2://quickstart.cloudera:10000/> create role demo_role;
INFO  : Compiling command(queryId=hive_20191121160303_c2ee944c-6944-49fc-8748-1273f940dc45): create role demo_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20191121160303_c2ee944c-6944-49fc-8748-1273f940dc45); Time taken: 0.087 seconds
INFO  : Executing command(queryId=hive_20191121160303_c2ee944c-6944-49fc-8748-1273f940dc45): create role demo_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20191121160303_c2ee944c-6944-49fc-8748-1273f940dc45); Time taken: 0.025 seconds
INFO  : OK
No rows affected (0.125 seconds)
0: jdbc:hive2://quickstart.cloudera:10000/> grant role demo_role to group demo;
INFO  : Compiling command(queryId=hive_20191121160404_f57c8c7d-b95e-4e9d-b62c-3d74ec14e027): grant role demo_role to group demo
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20191121160404_f57c8c7d-b95e-4e9d-b62c-3d74ec14e027); Time taken: 0.086 seconds
INFO  : Executing command(queryId=hive_20191121160404_f57c8c7d-b95e-4e9d-b62c-3d74ec14e027): grant role demo_role to group demo
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20191121160404_f57c8c7d-b95e-4e9d-b62c-3d74ec14e027); Time taken: 0.014 seconds
INFO  : OK
No rows affected (0.125 seconds)
0: jdbc:hive2://quickstart.cloudera:10000/> show databases;
INFO  : Compiling command(queryId=hive_20191121160404_7c42a52c-0391-4918-8141-83a93014902b): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20191121160404_7c42a52c-0391-4918-8141-83a93014902b); Time taken: 0.074 seconds
INFO  : Executing command(queryId=hive_20191121160404_7c42a52c-0391-4918-8141-83a93014902b): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20191121160404_7c42a52c-0391-4918-8141-83a93014902b); Time taken: 0.187 seconds
INFO  : OK
+----------------+--+
| database_name  |
+----------------+--+
| default        |
| ky_flat_tbls   |
| test_db        |
+----------------+--+
3 rows selected (0.306 seconds)
0: jdbc:hive2://quickstart.cloudera:10000/> grant select on database test_db to role demo_role;
INFO  : Compiling command(queryId=hive_20191121160505_6ed133f0-3b58-4d3d-8c0f-330615430e9f): grant select on database test_db to role demo_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20191121160505_6ed133f0-3b58-4d3d-8c0f-330615430e9f); Time taken: 0.071 seconds
INFO  : Executing command(queryId=hive_20191121160505_6ed133f0-3b58-4d3d-8c0f-330615430e9f): grant select on database test_db to role demo_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20191121160505_6ed133f0-3b58-4d3d-8c0f-330615430e9f); Time taken: 0.034 seconds
INFO  : OK
No rows affected (0.116 seconds)
0: jdbc:hive2://quickstart.cloudera:10000/> !q
Closing: 0: jdbc:hive2://quickstart.cloudera:10000/;principal=hive/quickstart.cloudera@CLOUDERA;
  3. Create the user on Linux
[root@quickstart opt]# id demo
id: demo: No such user
[root@quickstart opt]# useradd demo
[root@quickstart opt]# id demo
uid=504(demo) gid=507(demo) groups=507(demo)

The primary group of demo is demo, which matches the group the role was granted to. Sentry never sees the Kerberos principal itself: HiveServer2 first maps it to a short name through hadoop.security.auth_to_local (demo/quickstart.cloudera@CLOUDERA becomes demo under the DEFAULT rule), then resolves that user's groups with Hadoop's group mapping, which by default reads the local OS groups on the HiveServer2 host. The account and group therefore have to exist on that host.
  4. Create the principal in Kerberos and export its keytab
[root@quickstart opt]# kadmin.local 
Authenticating as principal hive/admin@CLOUDERA with password.
kadmin.local:  list_principals
HTTP/quickstart.cloudera@CLOUDERA
K/M@CLOUDERA
cloudera-scm/admin@CLOUDERA
hdfs/quickstart.cloudera@CLOUDERA
hive/quickstart.cloudera@CLOUDERA
hue/quickstart.cloudera@CLOUDERA
kadmin/admin@CLOUDERA
kadmin/changepw@CLOUDERA
kadmin/quickstart.cloudera@CLOUDERA
krbtgt/CLOUDERA@CLOUDERA
kylin/quickstart.cloudera@CLOUDERA
mapred/quickstart.cloudera@CLOUDERA
sentry/quickstart.cloudera@CLOUDERA
test/quickstart.cloudera@CLOUDERA
yarn/quickstart.cloudera@CLOUDERA
zookeeper/quickstart.cloudera@CLOUDERA
kadmin.local:  add_principal demo/quickstart.cloudera@CLOUDERA
WARNING: no policy specified for demo/quickstart.cloudera@CLOUDERA; defaulting to no policy
Enter password for principal "demo/quickstart.cloudera@CLOUDERA": 
Re-enter password for principal "demo/quickstart.cloudera@CLOUDERA": 
Principal "demo/quickstart.cloudera@CLOUDERA" created.
kadmin.local:  xst -norandkey -k demo/quickstart.cloudera@CLOUDERA
Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]
kadmin.local:  xst -norandkey -k /opt/demo.keytab demo/quickstart.cloudera@CLOUDERA
Entry for principal demo/quickstart.cloudera@CLOUDERA with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/opt/demo.keytab.
Entry for principal demo/quickstart.cloudera@CLOUDERA with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/opt/demo.keytab.
Entry for principal demo/quickstart.cloudera@CLOUDERA with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/opt/demo.keytab.
Entry for principal demo/quickstart.cloudera@CLOUDERA with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/opt/demo.keytab.
Entry for principal demo/quickstart.cloudera@CLOUDERA with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/opt/demo.keytab.
kadmin.local:  quit
  5. Authenticate as the demo principal
[root@quickstart opt]# kinit -kt demo.keytab demo/quickstart.cloudera@CLOUDERA
[root@quickstart opt]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: demo/quickstart.cloudera@CLOUDERA

Valid starting     Expires            Service principal
11/21/19 16:19:13  11/22/19 16:19:13  krbtgt/CLOUDERA@CLOUDERA
        renew until 11/28/19 16:19:13
[root@quickstart opt]# 
  6. Verify in beeline that the role's effective privileges match what was granted
[root@quickstart opt]# beeline
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
/usr/bin/hbase: line 16: /usr/lib/hbase/bin/hbase: No such file or directory
/usr/bin/hbase: line 16: exec: /usr/lib/hbase/bin/hbase: cannot execute: No such file or directory
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Beeline version 1.1.0-cdh5.13.0 by Apache Hive
beeline> !connect jdbc:hive2://quickstart.cloudera:10000;principal=hive/quickstart.cloudera@CLOUDERA;
scan complete in 2ms
Connecting to jdbc:hive2://quickstart.cloudera:10000;principal=hive/quickstart.cloudera@CLOUDERA;
Error: Bad URL format. Hostname not found  in authority part of the url: quickstart.cloudera:10000;principal=hive. Are you missing a '/' after the hostname ? (state=,code=0)
beeline> !connect jdbc:hive2://quickstart.cloudera:10000/;principal=hive/quickstart.cloudera@CLOUDERA;
Connecting to jdbc:hive2://quickstart.cloudera:10000/;principal=hive/quickstart.cloudera@CLOUDERA;
Connected to: Apache Hive (version 1.1.0-cdh5.13.0)
Driver: Hive JDBC (version 1.1.0-cdh5.13.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://quickstart.cloudera:10000/> show databases;
INFO  : Compiling command(queryId=hive_20191121162626_edc947f2-8331-46ec-ad03-6b5e1f7c09f6): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20191121162626_edc947f2-8331-46ec-ad03-6b5e1f7c09f6); Time taken: 0.076 seconds
INFO  : Executing command(queryId=hive_20191121162626_edc947f2-8331-46ec-ad03-6b5e1f7c09f6): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20191121162626_edc947f2-8331-46ec-ad03-6b5e1f7c09f6); Time taken: 0.182 seconds
INFO  : OK
+----------------+--+
| database_name  |
+----------------+--+
| default        |
| test_db        |
+----------------+--+
2 rows selected (0.335 seconds)
0: jdbc:hive2://quickstart.cloudera:10000/> use test_db;
INFO  : Compiling command(queryId=hive_20191121162626_c2b607d8-4627-4014-89ed-74b1c8299ba0): use test_db
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20191121162626_c2b607d8-4627-4014-89ed-74b1c8299ba0); Time taken: 0.098 seconds
INFO  : Executing command(queryId=hive_20191121162626_c2b607d8-4627-4014-89ed-74b1c8299ba0): use test_db
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20191121162626_c2b607d8-4627-4014-89ed-74b1c8299ba0); Time taken: 0.006 seconds
INFO  : OK
No rows affected (0.122 seconds)
0: jdbc:hive2://quickstart.cloudera:10000/> show tables;
INFO  : Compiling command(queryId=hive_20191121162626_11275b9d-79d0-4d53-9f2e-923c17749b6d): show tables
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:tab_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20191121162626_11275b9d-79d0-4d53-9f2e-923c17749b6d); Time taken: 0.075 seconds
INFO  : Executing command(queryId=hive_20191121162626_11275b9d-79d0-4d53-9f2e-923c17749b6d): show tables
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20191121162626_11275b9d-79d0-4d53-9f2e-923c17749b6d); Time taken: 0.097 seconds
INFO  : OK
+-------------+--+
|  tab_name   |
+-------------+--+
| test_table  |
+-------------+--+
1 row selected (0.19 seconds)
0: jdbc:hive2://quickstart.cloudera:10000/> select * from test_table;
INFO  : Compiling command(queryId=hive_20191121162727_fd50c0f5-8a42-4e7b-94d6-f520ca880e68): select * from test_table
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:test_table.id, type:int, comment:null), FieldSchema(name:test_table.age, type:int, comment:null), FieldSchema(name:test_table.name, type:string, comment:null)], properties:null)
INFO  : Completed compiling command(queryId=hive_20191121162727_fd50c0f5-8a42-4e7b-94d6-f520ca880e68); Time taken: 0.152 seconds
INFO  : Executing command(queryId=hive_20191121162727_fd50c0f5-8a42-4e7b-94d6-f520ca880e68): select * from test_table
INFO  : Completed executing command(queryId=hive_20191121162727_fd50c0f5-8a42-4e7b-94d6-f520ca880e68); Time taken: 0.001 seconds
INFO  : OK
+----------------+-----------------+------------------+--+
| test_table.id  | test_table.age  | test_table.name  |
+----------------+-----------------+------------------+--+
+----------------+-----------------+------------------+--+
No rows selected (0.185 seconds)
0: jdbc:hive2://quickstart.cloudera:10000/> insert into test_table (id,age,name) values(1,2,'ee');
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User demo does not have privileges for QUERY
 The required privileges: Server=server1->Db=test_db->Table=test_table->action=insert; (state=42000,code=40000)
0: jdbc:hive2://quickstart.cloudera:10000/> 

As the output shows, show databases now lists only default and test_db: ky_flat_tbls is hidden because demo_role holds no privilege on it. Inside test_db, select runs fine (the table is empty, so the result set is empty), while insert fails with SemanticException No valid privileges. The error spells out the missing privilege, Server=server1->Db=test_db->Table=test_table->action=insert, which is exactly the one demo_role was never granted.
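The chain that produced this result (Kerberos principal to Hadoop short name, short name to OS groups, groups to Sentry roles, roles to a privilege decision) is shown below as a simplified Python model. It is an added example, not code from the original post and not Hadoop's or Sentry's implementation: it re-implements the auth_to_local DEFAULT rule and the RULE:[n:fmt](regex)s/pat/repl/ form, replaces the `id -Gn` group lookup with a constructed table, and evaluates the grants made on this page. The realm, users, groups, roles and grants are the page's; the admin_role to group hive mapping and the rule that `default` is always listed are assumptions inferred from the transcript.

```python
import re

# Added example, not code from the page nor from Hadoop or Sentry: a simplified model of
# the chain the test above exercises, Kerberos principal -> Hadoop short name -> OS groups
# -> Sentry roles -> privilege decision. Realm, users, groups, roles and grants are the
# page's; the admin_role -> hive mapping and the rule grammar coverage are assumptions.

DEFAULT_REALM = "CLOUDERA"
# RULE:[n:format](regex)s/pattern/replacement/g  (the regex and the s/// part are optional)
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]+)\](?:\(([^)]+)\))?(?:s/([^/]*)/([^/]*)/(g?))?")


def auth_to_local(principal, rules=("DEFAULT",), default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a short user name like hadoop.security.auth_to_local."""
    name, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError("principal without realm: " + principal)
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT: a principal of the local realm maps to its first component,
            # so demo/quickstart.cloudera@CLOUDERA becomes plain "demo".
            if realm == default_realm:
                return components[0]
            continue
        m = RULE_RE.fullmatch(rule)
        if not m:
            raise ValueError("unparseable rule: " + rule)
        ncomp, fmt, match_re, pattern, repl, flag = m.groups()
        if int(ncomp) != len(components):
            continue
        formatted = fmt.replace("$0", realm)           # $0 is the realm
        for i, comp in enumerate(components, 1):       # $1.. are the components
            formatted = formatted.replace("$%d" % i, comp)
        if match_re and not re.fullmatch(match_re, formatted):
            continue
        if pattern is not None:
            formatted = re.sub(pattern, repl, formatted, count=0 if flag else 1)
        # Hadoop's default "hadoop" mechanism rejects results that still look like a
        # principal, so a sloppy rule cannot turn "demo@CLOUDERA" into a user name.
        if "@" in formatted or "/" in formatted:
            raise ValueError("rule produced a non-simple name: " + formatted)
        return formatted
    raise ValueError("no auth_to_local rule matched " + principal)


# Constructed stand-in for `id -Gn <user>` on the HiveServer2 host, which is what the
# default ShellBasedUnixGroupsMapping runs; mirrors `useradd demo` on the page.
OS_GROUPS = {"demo": {"demo"}, "hive": {"hive"}}

# Sentry policy as granted on the page; admin_role -> group hive is an assumption.
ROLE_GROUPS = {"demo_role": {"demo"}, "admin_role": {"hive"}}
# (action, server, database, table); None widens the privilege to the whole level.
PRIVILEGES = {
    "demo_role": [("SELECT", "server1", "test_db", None)],
    "admin_role": [("ALL", "server1", None, None)],
}
IMPLIED = {"ALL": {"ALL", "SELECT", "INSERT"}, "SELECT": {"SELECT"}, "INSERT": {"INSERT"}}


def privileges_of(user):
    """All privileges reachable through the user's groups and the roles granted to them."""
    groups = OS_GROUPS.get(user, set())
    roles = [r for r, gs in ROLE_GROUPS.items() if gs & groups]
    return [p for r in roles for p in PRIVILEGES.get(r, ())]


def is_authorized(user, action, server, db, table=None):
    """True when some privilege of the user's roles covers server->db->table."""
    for p_action, p_server, p_db, p_table in privileges_of(user):
        if p_server != server or (p_db is not None and p_db != db):
            continue
        if p_table is not None and p_table != table:
            continue
        if action in IMPLIED[p_action]:
            return True
    return False


def visible_databases(user, server, all_dbs):
    """`show databases` as filtered on the page: default is always listed, any other
    database only when a privilege of the user reaches it (inferred from the output)."""
    privs = privileges_of(user)
    return [db for db in all_dbs
            if db == "default" or any(s == server and d in (None, db) for _, s, d, _ in privs)]


def check_demo():
    """Replay the page's final verification for the demo principal."""
    user = auth_to_local("demo/quickstart.cloudera@CLOUDERA")
    return {
        "user": user,
        "databases": visible_databases(user, "server1", ["default", "ky_flat_tbls", "test_db"]),
        "select": is_authorized(user, "SELECT", "server1", "test_db", "test_table"),
        "insert": is_authorized(user, "INSERT", "server1", "test_db", "test_table"),
    }


if __name__ == "__main__":
    print(check_demo())
```

check_demo() returns user demo, databases ['default', 'test_db'], select True and insert False, the same picture beeline gave above. Two things the model makes visible that the transcript does not: a principal from a realm with no matching rule is rejected outright rather than mapped to anything, and a rule whose result still contains @ or / is refused, so cross-realm or mis-written auth_to_local rules fail closed instead of silently creating a user name that no group mapping will ever match.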

Done

Reposted from blog.csdn.net/xiaozhaoshigedasb/article/details/103184061