CDH配置Sentry以及权限测试

在CDH中添加完Sentry服务后，需要更改一下hive配置才能通过beeline访问。
第一，修改Hive下的HiveServer2配置，如下所示：

将HiveServer2 Load Balancer中的admin去掉和HiveServer2 启用模拟的√去掉。
这里的admin是默认的，跟前面配置有关，之前没有去掉直接导致beeline连接不上。更改后如下：

第二，将Hive服务的Sentry勾上，默认是none

在YARN的NodeManger在查看“允许的系统用户”项，看到下图所示就不用更改了（默认）

重启Hive过时服务

紧接着，开启HDFS角色的acl（这里主要控制用户访问的HDFS目录，因为在生产环境中会指定一些目录是该用户可以访问的，而其他一些目录该用户访问不了）

重启过期HDFS配置：

然后到Sentry服务下的“管理员组”查看有没有hive/impala/hbase/hue，没有添加上（默认是已经存在）

紧接着，生成hive.keytab文件
这里，集群有wlint01、wlnamenode01、wldatanode001~wldatanode018一个20个节点，需要生成的hive的keytab文件最后汇集到hive.keytab一个文件中。
首先在Kerberos数据库中创建principal：

[wlbd@wlint01 ~]$ sudo kadmin.local -q "addprinc -randkey hive/wlint01@HXDI.COM"
[wlbd@wlint01 ~]$ sudo kadmin.local -q "addprinc -randkey hive/wlnamenode01@HXDI.COM"
[wlbd@wlint01 ~]$ for i in {1..9}; do sudo kadmin.local -q "addprinc -randkey hive/wldatanode00$i@HXDI.COM"; done
[wlbd@wlint01 ~]$ for i in {0..8}; do sudo kadmin.local -q "addprinc -randkey hive/wldatanode01$i@HXDI.COM"; done

这里用sudo是因为在生产环境下只能用wlbd这个用户，而且要用到sudo这个命令才能启用kadmin.local这个命令。如果你是root用户，不需要加sudo。

然后，在当前目录下生成hive.keytab文件。

[wlbd@wlint01 ~]$ sudo kadmin.local -q "xst -norandkey -k hive.keytab hive/wlint01@HXDI.COM"
[wlbd@wlint01 ~]$ sudo kadmin.local -q "xst -norandkey -k hive.keytab hive/wlnamenode01@HXDI.COM"
[wlbd@wlint01 ~]$ for i in {1..9}; do sudo kadmin.local -q "xst -norandkey -k hive.keytab hive/wldatanode00$i@HXDI.COM"; done
[wlbd@wlint01 ~]$ for i in {0..8}; do sudo kadmin.local -q "xst -norandkey -k hive.keytab hive/wldatanode01$i@HXDI.COM"; done

修改hive-site.xml文件

[root@wlint01 ~]# vi /etc/hive/conf/hive-site.xml

注意，这里是root权限
在hive-site.xml后面加入下面几句：

 <property>
    <name>hive.server2.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hive.metastore.kerberos.principal</name>
    <value>hive/[email protected]</value>
  </property>
  <property>
    <name>hive.server2.authentication.kerberos.principal</name>
    <value>hive/[email protected]</value>
  </property>
  <property>
  <name>hive.metastore.kerberos.keytab.file</name>
  <value>/etc/hive/conf/hive.keytab</value>
  </property>

最后一句就是你接下来放置hive.keytab的路径。这里需要注意的是当重启hive时，hive的配置文件可能会更改为之前默认情况下，而且/etc/hive/conf/下的hive.keytab也会被删除，需要重启拷贝和重新修改hive-site.xml。所以这里我们选择先修改配置文件再拷贝hive.keytab文件。
将修改后的hive-site.xml文件scp到各个节点

[root@wlint01 wlbd]# for i in {10..28}; do  scp /etc/hive/conf/hive-site.xml 192.168.32.$i:/etc/hive/conf; done

这里的ip地址对应上面的hostname

同样将hive.keytab文件拷贝到每一台主机的/etc/hive/conf目录下。

[root@wlint01 wlbd]# for i in {9..28}; do  scp  hive.keytab 192.168.32.$i:/etc/hive/conf; done

修改每个节点keytab权限：

[root@wlint01 wlbd]#for i in {9..28}; do ssh 192.168.32.$i "cd /etc/hive/conf; chmod 400 hive.keytab; chown hive:hadoop hive.keytab"; done

2. 权限测试

创建两个系统用户user1和user2

[root@wlint01 wlbd]# useradd user1
[root@wlint01 wlbd]# passwd user1
[root@wlint01 wlbd]# useradd user2
[root@wlint01 wlbd]# passwd user2

创建Kerberos用户

[wlbd@wlint01 ~]$ sudo kadmin.local -q "addprinc user1"
[wlbd@wlint01 ~]$ sudo kadmin.local -q "addprinc user2"

创建数据库和表。这里需要kinit之前生成的hive.keytab，然后进入Hive CLI创建数据库，再通过beeline创建role。
当前目录下有events.csv文件

[wlbd@wlint01 ~]$ cat events.csv 
10.1.2.3,US,android,createNote
10.200.88.99,FR,windows,updateNote
10.1.2.3,US,android,updateNote
10.200.88.77,FR,ios,createNote
10.1.4.5,US,windows,updateTag

[wlbd@wlint01 ~]$ kinit -kt hive.keytab hive/wlint01

创建两个数据库

create database db1;
create database db2;

在数据库中创建表
在db1中创建table1，在db2中创建table1和table2

create table db1.table1 (
ip STRING, country STRING, client STRING, action STRING
) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',';
create table db2.table1 (
ip STRING, country STRING, client STRING, action STRING
) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',';
create table db2.table2 (
ip STRING, country STRING, client STRING, action STRING
) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',';


load data local inpath '/home/wlbd/events.csv' overwrite into table db1.table1;
load data local inpath '/home/wlbd/events.csv' overwrite into table db2.table1;
load data local inpath '/home/wlbd/events.csv' overwrite into table db2.table2;

赋予用户权限

这里是通过beeline连接进行操作的
给user1赋予db1的所有权限

 beeline -u "jdbc:hive2://wlint01:10000/;principal=hive/wlint01@HXDI.COM"

create role user1_role;
GRANT ALL ON DATABASE db1 TO ROLE user1_role;
GRANT ROLE user1_role TO GROUP user1;

给user2赋予db2的所有权限

create role user2_role;
GRANT ALL ON DATABASE db2 TO ROLE user2_role;
GRANT ROLE user2_role TO GROUP user2;

测试用户权限
user1用户只具有db1和default的权限

[wlbd@wlint01 ~]$ kinit user1
Password for user1@HXDI.COM: 
[wlbd@wlint01 ~]$ beeline -u "jdbc:hive2://wlint01:10000/;principal=hive/[email protected]"
scan complete in 2ms
Connecting to jdbc:hive2://wlint01:10000/;principal=hive/[email protected]
Connected to: Apache Hive (version 1.1.0-cdh5.14.2)
Driver: Hive JDBC (version 1.1.0-cdh5.14.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 1.1.0-cdh5.14.2 by Apache Hive
0: jdbc:hive2://wlint01:10000/> show databases;
INFO  : Compiling command(queryId=hive_20180618150404_d26fd5a2-8c54-44d5-9df8-38f362535491): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20180618150404_d26fd5a2-8c54-44d5-9df8-38f362535491); Time taken: 0.38 seconds
INFO  : Executing command(queryId=hive_20180618150404_d26fd5a2-8c54-44d5-9df8-38f362535491): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20180618150404_d26fd5a2-8c54-44d5-9df8-38f362535491); Time taken: 0.281 seconds
INFO  : OK
+----------------+--+
| database_name  |
+----------------+--+
| db1            |
| default        |
+----------------+--+
2 rows selected (0.884 seconds)
0: jdbc:hive2://wlint01:10000/> 

user2用户只具有db2和default的权限

[wlbd@wlint01 ~]$ kinit user2
Password for user2@HXDI.COM: 
[wlbd@wlint01 ~]$ beeline -u "jdbc:hive2://wlint01:10000/;principal=hive/[email protected]"
scan complete in 2ms
Connecting to jdbc:hive2://wlint01:10000/;principal=hive/[email protected]
Connected to: Apache Hive (version 1.1.0-cdh5.14.2)
Driver: Hive JDBC (version 1.1.0-cdh5.14.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 1.1.0-cdh5.14.2 by Apache Hive
0: jdbc:hive2://wlint01:10000/> show databases;
INFO  : Compiling command(queryId=hive_20180618151010_397e7de5-2bd7-4bd7-90d7-bbfabcab48e8): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20180618151010_397e7de5-2bd7-4bd7-90d7-bbfabcab48e8); Time taken: 0.104 seconds
INFO  : Executing command(queryId=hive_20180618151010_397e7de5-2bd7-4bd7-90d7-bbfabcab48e8): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20180618151010_397e7de5-2bd7-4bd7-90d7-bbfabcab48e8); Time taken: 0.176 seconds
INFO  : OK
+----------------+--+
| database_name  |
+----------------+--+
| db2            |
| default        |
+----------------+--+
2 rows selected (0.418 seconds)

禁用HIve CLI

表示hive、hue、hdfs和sentry都能访问CLI，别的用户或组成员访问不了CLI。这样创建一个用户user1，由于user1不在这个列表里面，user1自然访问不了Hive CLI。

HDFS测试
配置HDFS ACL与Sentry同步后，HDFS权限与Sentry监控的目录（/user/hive/warehouse）的权限同步

[root@hxmaster ~]# kinit -kt hive.keytab hive/hxmaster
[root@hxmaster ~]# hadoop fs -getfacl -R /user/hive/warehouse/
# file: /user/hive/warehouse
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:hive:rwx
mask::rwx
other::--x

# file: /user/hive/warehouse/db1.db
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:user1:rwx
group:hive:rwx
mask::rwx
other::--x

# file: /user/hive/warehouse/db1.db/table1
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:user1:rwx
group:hive:rwx
mask::rwx
other::--x

# file: /user/hive/warehouse/db1.db/table1/events.csv
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:user1:rwx
group:hive:rwx
mask::rwx
other::--x

# file: /user/hive/warehouse/db2.db
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:user2:rwx
group:hive:rwx
mask::rwx
other::--x

# file: /user/hive/warehouse/db2.db/table1
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:user2:rwx
group:hive:rwx
mask::rwx
other::--x

# file: /user/hive/warehouse/db2.db/table1/events.csv
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:user2:rwx
group:hive:rwx
mask::rwx
other::--x

# file: /user/hive/warehouse/db2.db/table2
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:user2:rwx
group:hive:rwx
mask::rwx
other::--x

# file: /user/hive/warehouse/db2.db/table2/events.csv
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:user2:rwx
group:hive:rwx
mask::rwx
other::--x

# file: /user/hive/warehouse/test_table
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:hive:rwx
mask::rwx
other::--x

# file: /user/hive/warehouse/test_table/events.csv
# owner: hive
# group: hive
user::rwx
group::---
user:hive:rwx
group:hive:rwx
mask::rwx
other::--x

切换到user1用户，查看HDFS文件

[root@hxmaster ~]# kinit user1
Password for user1@ANDREW.COM: 
You have mail in /var/spool/mail/root
[root@hxmaster ~]# hadoop fs -ls /user/hive/warehouse/db1.db
Found 1 items
drwxrwx--x+  - hive hive          0 2018-06-10 20:08 /user/hive/warehouse/db1.db/table1
[root@hxmaster ~]# hadoop fs -cat /user/hive/warehouse/db1.db/table1/events.csv
10.1.2.3,US,android,createNote
10.200.88.99,FR,windows,updateNote
10.1.2.3,US,android,updateNote
10.200.88.77,FR,ios,createNote
10.1.4.5,US,windows,updateTag
You have mail in /var/spool/mail/root
[root@hxmaster ~]# hadoop fs -ls /user/hive/warehouse/db2.db
ls: Permission denied: user=user1, access=READ_EXECUTE, inode="/user/hive/warehouse/db2.db":hive:hive:drwxrwx--x
[root@hxmaster ~]# hadoop fs -cat /user/hive/warehouse/db2.db/table1/events.csv
cat: Permission denied: user=user1, access=READ, inode="/user/hive/warehouse/db2.db/table1/events.csv":hive:hive:-rwxrwx--x

切换到user2用户，查看HDFS文件

[root@hxmaster ~]# kinit user2
Password for user2@ANDREW.COM: 
[root@hxmaster ~]# hadoop fs -ls /user/hive/warehouse/db1.db
ls: Permission denied: user=user2, access=READ_EXECUTE, inode="/user/hive/warehouse/db1.db":hive:hive:drwxrwx--x
[root@hxmaster ~]# hadoop fs -cat /user/hive/warehouse/db1.db/table1/events.csv
cat: Permission denied: user=user2, access=READ, inode="/user/hive/warehouse/db1.db/table1/events.csv":hive:hive:-rwxrwx--x
[root@hxmaster ~]# hadoop fs -ls /user/hive/warehouse/db2.db
Found 2 items
drwxrwx--x+  - hive hive          0 2018-06-10 20:08 /user/hive/warehouse/db2.db/table1
drwxrwx--x+  - hive hive          0 2018-06-10 20:08 /user/hive/warehouse/db2.db/table2
[root@hxmaster ~]# hadoop fs -cat /user/hive/warehouse/db2.db/table1/events.csv
10.1.2.3,US,android,createNote
10.200.88.99,FR,windows,updateNote
10.1.2.3,US,android,updateNote
10.200.88.77,FR,ios,createNote
10.1.4.5,US,windows,updateTag
[root@hxmaster ~]# hadoop fs -cat /user/hive/warehouse/db2.db/table2/events.csv
10.1.2.3,US,android,createNote
10.200.88.99,FR,windows,updateNote
10.1.2.3,US,android,updateNote
10.200.88.77,FR,ios,createNote
10.1.4.5,US,windows,updateTag