版权声明:本文为博主原创文章,未经博主允许不得转载。博客地址:http://www.fanlegefan.com/ https://blog.csdn.net/woloqun/article/details/83585887
接上一篇hive 集成sentry继续来看下sentry的授权体系
使用hive用户登陆,在这个hive用户是在$HIVE_HOME/conf/sentry-site.xml中配置,
<property>
<name>sentry.metastore.service.users</name>
<value>hive</value>
</property>
,hive是用于授权的账号,可以理解为超级用户
beeline -u 'jdbc:hive2://localhost:10000' -n hive
查看所有roles,当前没有任何role
0: jdbc:hive2://localhost:10000> show roles;
+-------+
| role |
+-------+
+-------+
创建admin role:admin_role,
create role admin_role;
GRANT ALL ON SERVER server1 TO ROLE admin_role;
admin_role拥有server1上的所有权限,server1是再sentry-site.xml中配置
<property>
<name>sentry.hive.server</name>
<value>server1</value>
</property>
简单理解拥有admin_role的用户组,拥有所有权限
将hive用户组设置为管理员用户,并使用hive用户创建数据库test
GRANT ROLE admin_role TO GROUP hive;
create database test;
0: jdbc:hive2://localhost:10000> create database test;
No rows affected (0.172 seconds)
0: jdbc:hive2://localhost:10000> show databases;
+----------------+
| database_name |
+----------------+
| default |
| filtered |
| sensitive |
| test |
| test1 |
+----------------+
5 rows selected (0.334 seconds)
创建测试role,并将xn_role分配给xn用户组
0: jdbc:hive2://localhost:10000> create role xn_role;
No rows affected (0.095 seconds)
0: jdbc:hive2://localhost:10000> GRANT ROLE xn_role TO GROUP xn;
No rows affected (0.118 seconds)
xn这个拥有xn_role,但是xn_role没有任何权限
使用xn用户登陆
beeline -u 'jdbc:hive2://localhost:10000' -n xn
show databases没有任何库列表输出
0: jdbc:hive2://localhost:10000> show databases;
+----------------+
| database_name |
+----------------+
| default |
+----------------+
1 row selected (0.71 seconds)
并且也没有建库权限
0: jdbc:hive2://localhost:10000> create database xn;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User xn does not have privileges for CREATEDATABASE
The required privileges: Server=server1->action=create->grantOption=false; (state=42000,code=40000)
现在用hive用户账户创建数据库xn,并将xn_role的权限附给xn;
0: jdbc:hive2://localhost:10000> create database xn
. . . . . . . . . . . . . . . .> ;
No rows affected (0.196 seconds)
0: jdbc:hive2://localhost:10000> GRANT ALL ON DATABASE xn TO ROLE xn_role;
No rows affected (0.1 seconds)
0: jdbc:hive2://localhost:10000> GRANT ROLE xn_role TO GROUP xn;
No rows affected (0.135 seconds)
使用xn用户登陆
beeline -u 'jdbc:hive2://localhost:10000' -n xn
0: jdbc:hive2://localhost:10000> show databases;
+----------------+
| database_name |
+----------------+
| default |
| xn |
+----------------+
2 rows selected (0.651 seconds)
0: jdbc:hive2://localhost:10000>
查看当前用户roles
0: jdbc:hive2://localhost:10000> SHOW CURRENT ROLES;
+----------+
| role |
+----------+
| xn_role |
+----------+
1 row selected (0.119 seconds)
查看xn_role拥有的权限
0: jdbc:hive2://localhost:10000> SHOW GRANT ROLE xn_role;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn | | | | xn_role | ROLE | * | false | 1540965346000 | -- |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
1 row selected (0.112 seconds)
给xn_role添加表sensitive.events查询权限
GRANT SELECT ON table sensitive.events TO ROLE xn_role;
0: jdbc:hive2://localhost:10000> SHOW GRANT ROLE xn_role;
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn | | | | xn_role | ROLE | * | false | 1540965346000 | -- |
| sensitive | events | | | xn_role | ROLE | SELECT | false | 1540971733000 | -- |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
0: jdbc:hive2://localhost:10000> select * from sensitive.events;
+---------------+-----------------+----------------+----------------+
| events.ip | events.country | events.client | events.action |
+---------------+-----------------+----------------+----------------+
| 10.1.2.3 | US | android | createNote |
| 10.200.88.99 | FR | windows | updateNote |
| 10.1.2.3 | US | android | updateNote |
| 10.200.88.77 | FR | ios | createNote |
| 10.1.4.5 | US | windows | updateTag |
+---------------+-----------------+----------------+----------------+
可以看到xn这个用户已经可以查询表sensitive.events,之前授权的时候只给了select权限,现在来尝试插入一些数据,首先先创建一个表xn.events
0: jdbc:hive2://localhost:10000> create table xn.events as select * from sensitive.events;
WARNING: Hive-on-MR is deprecated in Hive 2 and may not be available in the future versions. Consider using a different execution engine (i.e. spark, tez) or using Hive 1.X releases.
No rows affected (18.355 seconds)
0: jdbc:hive2://localhost:10000>
尝试插入数据
0: jdbc:hive2://localhost:10000> insert into sensitive.events select * from xn.events;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User xn does not have privileges for QUERY
The required privileges: Server=server1->Db=sensitive->Table=events->action=insert->grantOption=false; (state=42000,code=40000)
现在用hive账号给xn_role添加对表sensitive.events的所有权限
0: jdbc:hive2://localhost:10000> GRANT ALL ON table sensitive.events TO ROLE xn_role;
No rows affected (0.083 seconds)
查看xn用户权限
0: jdbc:hive2://localhost:10000> SHOW GRANT ROLE xn_role;
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn | | | | xn_role | ROLE | * | false | 1540965346000 | -- |
| sensitive | events | | | xn_role | ROLE | * | false | 1540972283000 | -- |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
可以看到xn已经又有了对表sensitive.events的所有权限
0: jdbc:hive2://localhost:10000> insert into sensitive.events select * from xn.events;
WARNING: Hive-on-MR is deprecated in Hive 2 and may not be available in the future versions. Consider using a different execution engine (i.e. spark, tez) or using Hive 1.X releases.
No rows affected (17.397 seconds)
0: jdbc:hive2://localhost:10000> select * from sensitive.events;
+---------------+-----------------+----------------+----------------+
| events.ip | events.country | events.client | events.action |
+---------------+-----------------+----------------+----------------+
| 10.1.2.3 | US | android | createNote |
| 10.200.88.99 | FR | windows | updateNote |
| 10.1.2.3 | US | android | updateNote |
| 10.200.88.77 | FR | ios | createNote |
| 10.1.4.5 | US | windows | updateTag |
| 10.1.2.3 | US | android | createNote |
| 10.200.88.99 | FR | windows | updateNote |
| 10.1.2.3 | US | android | updateNote |
| 10.200.88.77 | FR | ios | createNote |
| 10.1.4.5 | US | windows | updateTag |
| 10.1.2.3 | US | android | createNote |
| 10.200.88.99 | FR | windows | updateNote |
| 10.1.2.3 | US | android | updateNote |
| 10.200.88.77 | FR | ios | createNote |
| 10.1.4.5 | US | windows | updateTag |
+---------------+-----------------+----------------+----------------+
15 rows selected (0.412 seconds)
0: jdbc:hive2://localhost:10000>
数据已经插入到表sensitive.events
现在来看下怎样收回权限,首先来收回xn_role对表的所有权限
0: jdbc:hive2://localhost:10000> REVOKE ALL ON Table sensitive.events from role xn_role;
No rows affected (0.125 seconds)
查看xn_role的权限
0: jdbc:hive2://localhost:10000> SHOW GRANT ROLE xn_role;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn | | | | xn_role | ROLE | * | false | 1540965346000 | -- |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
0: jdbc:hive2://localhost:10000> select * from sensitive.events;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User xn does not have privileges for QUERY
The required privileges: Server=server1->Db=sensitive->Table=events->action=select->grantOption=false; (state=42000,code=40000)
注意
这里账号xn,test,hive均为linux用户,在指定user使用beeline时,linux系统必须要有对应的用户组,否则会报group not exists的错误,或者授权已经成功,但是权限不生效