Hive integration with Ranger

First, install the Hive plugin

1. Extract the installation package

#  tar zxvf ranger-2.0.0-SNAPSHOT-hive-plugin.tar.gz -C /data1/hadoop/

2. Modify install.properties

POLICY_MGR_URL=http://192.168.4.50:6080

REPOSITORY_NAME=hivedev

COMPONENT_INSTALL_DIR_NAME=/data1/hadoop/hive   # hive installation directory

XAAUDIT.SOLR.ENABLE=true

XAAUDIT.SOLR.URL=http://192.168.4.50:6083/solr/ranger_audits

CUSTOM_USER=hduser

CUSTOM_GROUP=hduser

 

3. Enable the Hive plugin

# sudo ./enable-hive-plugin.sh

After the plugin is enabled, starting Hive generates a hiveserver2-site.xml file by default; if the file already exists, add the following properties to it:

    <property>
        <name>hive.security.authorization.enabled</name>
        <value>true</value>
    </property>
    <property>
        <name>hive.security.authorization.manager</name>
        <value>org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory</value>
    </property>
    <property>
        <name>hive.security.authenticator.manager</name>
        <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
    </property>
    <property>
        <name>hive.conf.restricted.list</name>
        <value>hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager</value>
    </property>
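The restricted list is the part of this file that matters for security: without it a session could SET hive.security.authorization.manager back to a permissive class. The following check, added here and not part of the original post, parses a hiveserver2-site.xml and reports whether Ranger authorization is both enabled and locked; the sample XML is the fragment above wrapped in a <configuration> root, and the weak variant is constructed for contrast.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the four hiveserver2-site.xml properties from this page,
# wrapped in the <configuration> root a real site file has.
GOOD_XML = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory</value></property>
  <property><name>hive.security.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value></property>
  <property><name>hive.conf.restricted.list</name>
    <value>hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager</value></property>
</configuration>"""

# Constructed weak variant: authorization is on, but the authorizer key is missing
# from the restricted list, so a session could SET it back to a permissive class.
WEAK_XML = GOOD_XML.replace(",hive.security.authorization.manager,", ",")

RANGER_AUTHORIZER = "org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory"
MUST_BE_RESTRICTED = {
    "hive.security.authorization.enabled",
    "hive.security.authorization.manager",
    "hive.security.authenticator.manager",
}

def load_properties(xml_text):
    """Return {name: value} for every <property> element in a Hive site file."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name", "").strip()
        if name:
            props[name] = prop.findtext("value", "").strip()
    return props

def check_ranger_config(xml_text):
    """Return a list of findings; an empty list means Ranger is enforced and locked."""
    props = load_properties(xml_text)
    findings = []
    if props.get("hive.security.authorization.enabled", "").lower() != "true":
        findings.append("hive.security.authorization.enabled is not true")
    if props.get("hive.security.authorization.manager") != RANGER_AUTHORIZER:
        findings.append("hive.security.authorization.manager is not the Ranger authorizer")
    restricted = {p.strip() for p in props.get("hive.conf.restricted.list", "").split(",")}
    for key in sorted(MUST_BE_RESTRICTED - restricted):
        findings.append(f"{key} is not in hive.conf.restricted.list (a session could SET it)")
    return findings
```

Run check_ranger_config on the file HiveServer2 actually loads; any non-empty result means the authorizer can be bypassed or switched off from a client session.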

 

4. Configure the service in the web interface


Click the plus sign to add a service.


If the connection test returns OK, the configuration was successful.

Note: when I configured this, the connection test failed even though the cluster's hiveserver2 service was started and the port was listening normally; connecting with beeline from inside the cluster reported the following error:

Caused by: java.lang.NoSuchFieldError: REPLLOAD

In the end it turned out to be caused by a version mismatch between the Hive bundled inside the Ranger Hive plugin package and my Hive: the Hive version I use is 2.x, while Ranger 2.x targets Hive 3.x, so pay attention to the version problem when using it.

5. Configure policies

When the service is created, Ranger creates a number of default policies, as follows:


To add a policy, click Add in the top right corner.

6. Test

Note: Ranger permissions have no effect on the Hive CLI client. If you want authorization for the Hive CLI, use Hive's SQL standard-based authorization; Ranger only controls access that goes through hiveserver2.

(1) First, connect to Hive with beeline -u jdbc:hive2://localhost:10000 -n hduser

  • Create a database (shanghai); this statement executes normally.
  • Create a table (test) inside the shanghai database; this fails, as follows:

0: jdbc:hive2://192.168.0.230:10000> create table test(a string);

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hduser] does not have [CREATE] privilege on [shanghai/test] (state=42000,code=40000)

The error reports a missing privilege.

(2) Add a policy. In the figure, the policy with ID 10 is modified as follows:


Above, hduser is newly added. After saving, wait a little while, then repeat the create-table test in another beeline session and it succeeds. Of course, here the user was given all permissions, so the user can also perform insert and other operations.


(3) Test another user. For example, the operating system has a yjt user, and I want this user to have permission to query the table. First switch to that user in beeline and test whether it has select permission, as follows:

[hduser@yjt ~]$ beeline -u jdbc:hive2://192.168.0.230:10000 -n yjt   # specify the login user yjt

0: jdbc:hive2://192.168.0.230:10000> select * from shanghai.test;

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [yjt] does not have [SELECT] privilege on [shanghai/test/*] (state=42000,code=40000)

As can be seen, the yjt user has no select permission on the test table in the shanghai database. Add the permission:

Alternatively, add it to policy 10 mentioned above, as follows:


After saving, it looks as follows:


After a policy is added, you need to wait for it to be distributed to the plugin before the access control takes effect.

Note: after modifying the policy, there is no need to restart beeline.


This shows that the policy configuration succeeded. The yjt user was configured above with select permission, but does the user really have only select? To test whether this user really has only select permission, use it to insert a row into the test table, as follows:


Hmm, this error is raised before the authorization check even runs. From the error above it can be seen that the user does not have write permission on the corresponding HDFS directory or file; this also shows that HDFS permissions can be used to restrict Hive users. Change the permissions of the directory or file above to 777 (mainly to test whether the user is controlled by Ranger; 777 is set here to rule out other interference).

[hduser@yjt conf]$ hadoop fs -setfacl -m user:yjt:rwx hdfs://yjt:9000/hive/warehouse/shanghai.db/test/

 

The above adds an ACL allowing yjt all operations.

0: jdbc:hive2://192.168.0.230:10000> insert into table test values("test insert");

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [yjt] does not have [UPDATE] privilege on [shanghai/test] (state=42000,code=40000)

Here the user is found to lack the UPDATE privilege, so the configuration was successful (in Ranger there is actually no insert permission, only update). Next, add update permission to the policy and see whether data can be inserted successfully.
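The three denials in this test sequence all share one message format, which makes them easy to turn into audit events. The following parser is added here and is not part of the original post; its sample input is the denial lines returned to beeline above plus one unrelated error line, and it groups denials per user and database so repeated probing of one database stands out.

```python
import re

# Constructed sample: the denial messages returned to beeline on this page, plus one
# unrelated error line to show that non-denials are skipped.
SAMPLE_LINES = [
    "Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hduser] does not have [CREATE] privilege on [shanghai/test] (state=42000,code=40000)",
    "Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [yjt] does not have [SELECT] privilege on [shanghai/test/*] (state=42000,code=40000)",
    "Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [yjt] does not have [UPDATE] privilege on [shanghai/test] (state=42000,code=40000)",
    "Caused by: java.lang.NoSuchFieldError: REPLLOAD",
]

# The three bracketed fields of a Hive authorization denial: user, privilege list, object.
DENIAL_RE = re.compile(
    r"HiveAccessControlException Permission denied: user \[(?P<user>[^\]]+)\] "
    r"does not have \[(?P<privs>[^\]]+)\] privilege on \[(?P<obj>[^\]]+)\]"
)

def parse_denial(line):
    """Return (user, privileges, object) for a denial line, or None for anything else."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    privs = tuple(p.strip() for p in m.group("privs").split(","))
    return m.group("user"), privs, m.group("obj")

def summarize_denials(lines):
    """Count denials per (user, database); the database is the first element of the object path."""
    counts = {}
    for line in lines:
        parsed = parse_denial(line)
        if parsed is None:
            continue
        user, _privs, obj = parsed
        db = obj.split("/", 1)[0]
        counts[(user, db)] = counts.get((user, db), 0) + 1
    return counts
```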


Reference:

https://www.jianshu.com/p/d9941b8687b7


Source: www.cnblogs.com/yjt1993/p/11837568.html