hive 权限分享

1.系统创建两个用户(操作系统用户 test,以及对应的 Kerberos 主体 test)


[root@namenode01 ~]#adduser test


[root@namenode01 ~]#kadmin.local -q "addprinc test"


2.用 HDFS ACL 对 Hive warehouse 里面数据库中的表做权限共享
[root@namenode01 ~]# hdfs dfs -getfacl /user/hive/warehouse/sensitive.db
# file: /user/hive/warehouse/sensitive.db
# owner: hive
# group: hive
# flags: --T
user::rwx
group::rwx
other::---






[root@namenode01 ~]# hdfs dfs -setfacl --set  user::r--,user:test:r--,group::r--,other::--- /user/hive/warehouse/sensitive.db
[root@namenode01 ~]# hdfs dfs -getfacl -R /user/hive/warehouse/sensitive.db
# file: /user/hive/warehouse/sensitive.db
# owner: hive
# group: hive
# flags: --T
user::r--
user:test:r--
group::r--
mask::r--
other::---


# file: /user/hive/warehouse/sensitive.db/events
# owner: hive
# group: hive
# flags: --T
user::r--
user:test:r--
group::r--
mask::r--
other::---


# file: /user/hive/warehouse/sensitive.db/events/events.csv
# owner: hive
# group: hive
# flags: --T
user::rwx
group::rwx
other::---
[root@namenode01 ~]# kinit test
Password for test@<REALM>:
[root@namenode01 ~]# hive
hive> show databases;
OK
default
sensitive
Time taken: 1.445 seconds, Fetched: 7 row(s)
hive> use sensitive;
OK
Time taken: 0.044 seconds
hive> show tables;
OK
events
Time taken: 0.022 seconds, Fetched: 1 row(s)
hive> select * from events;  目前没有权限看表里的数据(从下面的报错看,test 对上级目录 /user/hive/warehouse 没有 EXECUTE 权限,无法遍历到表所在目录)
FAILED: SemanticException Unable to determine if hdfs://nameservice/user/hive/warehouse/sensitive.db/events is encrypted: org.apache.hadoop.security.AccessControlException: Permission denied: user=test, access=EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--T
        at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider.checkFsPermission(DefaultAuthorizationProvider.java:281)
        at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider.check(DefaultAuthorizationProvider.java:262)
        at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider.checkTraverse(DefaultAuthorizationProvider.java:206)
        at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider.checkPermission(DefaultAuthorizationProvider.java:158)
         at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getEZForPath(NameNodeRpcServer.java:1631)
        at org.apache.hadoop.hdfs.server.namenode.AuthorizationProviderProxyClientProtocol.getEZForPath(AuthorizationProviderProxyClientProtocol.java:927)
        at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.getEZForPath(ClientNamenodeProtocolServerSideTranslatorPB.java:1355)
        at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
        at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:617)
        at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1073)
        at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2141)
        at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2137)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1709)
        at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2135)
hive> drop table  events;
Authorization failed:No privilege 'Drop' found for outputs { database:sensitive, table:events}. Use SHOW GRANT to get more details.




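给test做权限分享
注意:下面的命令用 --set 递归替换了整个 /user/hive/warehouse 的 ACL,并设置了 other::rwx,相当于让所有用户都能读写仓库下的全部数据库,权限远大于需要。上面的报错只说明 test 缺少 /user/hive/warehouse 的 EXECUTE(遍历)权限;按最小权限原则,可以改用 -m 只追加 test 的条目,例如 hdfs dfs -setfacl -m user:test:--x /user/hive/warehouse 和 hdfs dfs -setfacl -R -m user:test:r-x /user/hive/warehouse/sensitive.db,其余条目保持不变。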
[root@namenode01 ~]# kinit hdfs/admin
Password for hdfs/admin@<REALM>:
[root@namenode01 ~]# hdfs dfs -setfacl -R  --set  user::rwx,user:test:rwx,group::rwx,other::rwx  /user/hive/warehouse
[root@namenode01 ~]# hdfs dfs -getfacl  /user/hive/warehouse/sensitive.db
# file: /user/hive/warehouse/sensitive.db
# owner: hive
# group: hive
# flags: --t
user::rwx
user:test:rwx
group::rwx
mask::rwx


other::rwx


对test用户做授权select
[root@namenode01 ~]# su - hive -s /bin/bash
[root@namenode01 ~]# kinit hive
hive> grant select on database sensitive to user test;
OK
Time taken: 0.091 seconds
hive> set system:user.name;
system:user.name=hive




用test用户登录hive,之后查看库里的表
[root@namenode01 ~]# su - test -s /bin/bash ;kinit test
[test@namenode01 ~]$ hive
hive> show databases;
OK
default
filtered
hive_database1
hive_database2
school
sensitive
test
Time taken: 1.764 seconds, Fetched: 7 row(s)
hive> use sensitive;
OK
Time taken: 0.046 seconds
hive> select * from events;
OK
10.200.88.99    FR      windows
10.1.2.3        US      android
10.200.88.77    FR      ios
10.1.4.5        US      windows
Time taken: 0.471 seconds, Fetched: 4 row(s)
hive>  set system:user.name; 


转载自blog.csdn.net/haoxiaoyan/article/details/79481952