[root@fan102 ~]# groupadd reader
[root@fan102 ~]# useradd -g reader reader
[root@fan102 ~]# passwd reader
[root@fan102 ~]# groupadd writer
[root@fan102 ~]# useradd -g writer writer
[root@fan102 ~]# passwd writer
2. Use the Sentry administrator user hive to connect to HiveServer2 through the beeline client
[root@fan102 ~]# kinit -kt /var/keytab/hive.keytab hive/[email protected]
[root@fan102 ~]# beeline -u "jdbc:hive2://fan102:10000/;principal=hive/[email protected]"
2.1.1 Create roles (reader_role, writer_role)
> CREATE ROLE reader_role;
> CREATE ROLE writer_role;
2.1.2 Drop a role (writer_role)
> DROP ROLE writer_role;
2.2.1 Grant permissions to the role
> GRANT select ON DATABASE dd TO ROLE reader_role;
> GRANT insert ON DATABASE dd TO ROLE writer_role;
2.2.2 If the privilege is to be scoped to a single table rather than the whole database, use the following form
> GRANT insert ON TABLE dd.teacher TO ROLE writer_role;
2.2.3 Revoke a privilege (combined with GRANT, this is how an existing grant is modified)
> REVOKE insert ON DATABASE dd FROM ROLE writer_role;
> REVOKE insert ON TABLE dd.teacher FROM ROLE writer_role;
2.3.1 Grant role to user group
> GRANT ROLE reader_role TO GROUP reader;
> GRANT ROLE writer_role TO GROUP writer;
2.3.2 Revoke the role granted to the user group
> REVOKE ROLE writer_role FROM GROUP writer;
3. View permissions granted
> SHOW ROLES;
3.2 View the roles granted to a specified user group (administrator)
> SHOW ROLE GRANT GROUP reader;
3.3 View the role of the currently authenticated user
> SHOW CURRENT ROLES;
3.4 View the privileges held by a specified role (administrator)
> SHOW GRANT ROLE reader_role;
3.5 View all groups that hold a role
There is currently no statement (the inverse of SHOW ROLE GRANT GROUP, or a SHOW GRANT ROLE reader_role; that lists groups) to obtain all user groups that hold a role. It can be obtained from the Hue management interface, or by querying the Sentry metadata database directly with SQL:
SELECT g.GROUP_NAME
FROM SENTRY_GROUP g
JOIN SENTRY_ROLE_GROUP_MAP rg
  ON rg.GROUP_ID = g.GROUP_ID
JOIN SENTRY_ROLE r
  ON r.ROLE_ID = rg.ROLE_ID
WHERE r.ROLE_NAME = 'reader_role';
4. Permission test
4.1 Create Kerberos principals for readers and writers
[root@fan102 ~]# kadmin.local -q "addprinc reader/reader"
Authenticating as principal root/[email protected] with password.
WARNING: no policy specified for reader/[email protected]; defaulting to no policy
Enter password for principal "reader/[email protected]": (enter password)
Re-enter password for principal "reader/[email protected]": (enter password)
Principal "reader/[email protected]" created.
[root@fan102 ~]# kadmin.local -q "addprinc writer/writer"
Authenticating as principal root/[email protected] with password.
WARNING: no policy specified for writer/[email protected]; defaulting to no policy
Enter password for principal "writer/[email protected]": (enter password)
Re-enter password for principal "writer/[email protected]": (enter password)
Principal "writer/[email protected]" created.
4.2 Export the keytab files to the directory /var/keytab/
[root@fan102 ~]# kadmin.local -q "xst -k /var/keytab/writer.keytab writer/[email protected]"
[root@fan102 ~]# kadmin.local -q "xst -k /var/keytab/reader.keytab reader/[email protected]"
4.3 Log in to HiveServer2 as reader and query any table in the dd database
[root@fan102 ~]# kinit -kt /var/keytab/reader.keytab reader/[email protected]
[root@fan102 ~]# beeline -u "jdbc:hive2://fan102:10000/;principal=hive/[email protected]"
4.4 Log in to HiveServer2 as writer and query any table in the dd database
[root@fan102 ~]# kinit -kt /var/keytab/writer.keytab writer/[email protected]
[root@fan102 ~]# beeline -u "jdbc:hive2://fan102:10000/;principal=hive/[email protected]"
4.5 Query results
reader has SELECT permission on the tables in the dd database, while writer does not. This shows that the authorization has taken effect.
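To make the grant chain of sections 2.1 to 2.3 and the expected outcome of this test concrete, here is an added example (not Sentry's code and not part of the original page). It replays the page's CREATE ROLE / GRANT / REVOKE / GRANT ROLE statements into a small in-memory policy model and answers "may a user in group G perform action A on object O?" the way Sentry's scope hierarchy does: a DATABASE privilege covers every table in that database, a TABLE privilege covers only that table, and a group reaches a privilege only through a role it holds. It also provides the "groups holding a role" lookup that section 3.5 says has no SHOW statement. The mapping from Kerberos principal to Linux primary group is an assumption (user name equals group name, as the useradd -g commands in section 1 set it up), and the realm in the sample principals is a placeholder.

```python
"""Replay the Sentry GRANT/REVOKE statements from this page against an
in-memory policy model and check the effective permissions.

Added example, not Sentry's code. It models only what the page exercises:
roles, role-to-group assignment, and SELECT/INSERT/ALL privileges at
DATABASE or TABLE scope.
"""
import re
from collections import defaultdict

# Constructed user -> primary-group map mirroring section 1 (useradd -g).
PRIMARY_GROUP = {"reader": "reader", "writer": "writer"}

# Statements copied from sections 2.1-2.3 of the page, without the DROP ROLE
# and the REVOKEs, so that both roles exist for the checks in section 4.
PAGE_STATEMENTS = [
    "CREATE ROLE reader_role;",
    "CREATE ROLE writer_role;",
    "GRANT select ON DATABASE dd TO ROLE reader_role;",
    "GRANT insert ON DATABASE dd TO ROLE writer_role;",
    "GRANT insert ON TABLE dd.teacher TO ROLE writer_role;",
    "GRANT ROLE reader_role TO GROUP reader;",
    "GRANT ROLE writer_role TO GROUP writer;",
]


def short_name(principal):
    """'reader/reader@REALM' -> 'reader' (what Hadoop's default auth_to_local rule yields)."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]


class SentryPolicy:
    """Tiny policy store accepting the GRANT/REVOKE grammar used on the page."""

    def __init__(self):
        self.roles = set()
        self.role_groups = defaultdict(set)   # role -> groups holding it
        self.role_privs = defaultdict(set)    # role -> {(scope, object, action)}

    def _role(self, name):
        name = name.lower()
        if name not in self.roles:
            raise ValueError(f"role does not exist: {name}")  # Sentry rejects this as well
        return name

    def execute(self, stmt):
        s = " ".join(stmt.strip().rstrip(";").split())
        if m := re.fullmatch(r"CREATE ROLE (\w+)", s, re.I):
            self.roles.add(m[1].lower())
        elif m := re.fullmatch(r"DROP ROLE (\w+)", s, re.I):
            role = self._role(m[1])
            self.roles.discard(role)
            self.role_groups.pop(role, None)   # dropping a role drops its grants too
            self.role_privs.pop(role, None)
        elif m := re.fullmatch(r"(GRANT|REVOKE) ROLE (\w+) (?:TO|FROM) GROUP (\w+)", s, re.I):
            verb, role, group = m[1].upper(), self._role(m[2]), m[3]
            if verb == "GRANT":
                self.role_groups[role].add(group)
            else:
                self.role_groups[role].discard(group)
        elif m := re.fullmatch(r"(GRANT|REVOKE) (\w+) ON (DATABASE|TABLE) ([\w.]+) (?:TO|FROM) ROLE (\w+)", s, re.I):
            verb, role = m[1].upper(), self._role(m[5])
            priv = (m[3].lower(), m[4].lower(), m[2].lower())   # (scope, object, action)
            if verb == "GRANT":
                self.role_privs[role].add(priv)
            else:
                self.role_privs[role].discard(priv)  # only the exact grant is removed
        else:
            raise ValueError(f"unsupported statement: {stmt}")
        return self

    def roles_of_group(self, group):    # SHOW ROLE GRANT GROUP <group>
        return {r for r, gs in self.role_groups.items() if group in gs}

    def groups_of_role(self, role):     # the lookup section 3.5 has no SHOW statement for
        return set(self.role_groups.get(self._role(role), ()))

    def allowed(self, group, action, database, table=None):
        """True if a role held by `group` carries `action` (or ALL) on the table
        itself or on its enclosing database."""
        action, database = action.lower(), database.lower()
        full_table = f"{database}.{table}".lower() if table else None
        for role in self.roles_of_group(group):
            for scope, obj, act in self.role_privs[role]:
                if act not in (action, "all"):
                    continue
                if scope == "database" and obj == database:
                    return True
                if scope == "table" and obj == full_table:
                    return True
        return False

    def allowed_principal(self, principal, action, database, table=None):
        """Resolve a Kerberos principal to its (assumed) primary group, then check."""
        return self.allowed(PRIMARY_GROUP[short_name(principal)], action, database, table)


def build_page_policy():
    policy = SentryPolicy()
    for stmt in PAGE_STATEMENTS:
        policy.execute(stmt)
    return policy


if __name__ == "__main__":
    # EXAMPLE.REALM is a placeholder; the page's realm is not shown.
    p = build_page_policy()
    for who in ("reader/reader@EXAMPLE.REALM", "writer/writer@EXAMPLE.REALM"):
        print(who, "SELECT dd.teacher ->", p.allowed_principal(who, "select", "dd", "teacher"))
```

Running it reproduces the result of 4.5 (reader may SELECT from dd.teacher, writer may not). Feeding it the REVOKE from 2.2.3 also shows why the page grants insert at both scopes: revoking insert ON DATABASE dd leaves writer_role's table-level insert on dd.teacher in place, because Sentry removes only the grant that matches the REVOKE exactly.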
5. HDFS user example (HDFS users do not need to be created separately): create the home directory for cat1 and make it owned by user cats and group cat1
hadoop fs -mkdir /user/cat1
hadoop fs -chown cats:cat1 /user/cat1
6. Supplement
         | user | group | condition
---------+------+-------+-----------------------------------------------------------
Linux    | √    | √     | Can be created separately
kerberos | √    | √     | Created at the same time
hdfs     | √    | √     | Created at the same time
hive     | -    | -     | No need to create users; distinguished by Kerberos principal