sentry
- A, src
- Second, the architecture, the role
- 1. Role
- object: protected objects, such as tables, columns,
- privilege: the privilege corresponding to the object
- role: a set of privilege set
- user: User
- group: a user of the group set
- 2. Architecture
- Three, sentry-CDH mounting configuration
- 1. sentry mounted on CDH
- 2. integration with Hive
- 3. Integration with Impala, enabled directly
- 4.hdfs in
- 4.1 Search HDFS configuration item "Enable Access Control List", Sentry enabled synchronization check.
- 4.2 synchronous path prefix
- 5.hue
- 5.1 Configuration Support Sentry HUE
- Search "Sentry" in HUE configuration item, select the Sentry.
- Configuring sentry of the Administrators group, the Administrators group of users can grant other users. In the hue to other users authorized by the sentry, the user used to have sentry administrator role, so to hue user authorization in the sentry
- `` Restart
- Fourth, the use
- Notice
- 1. visualization by HUE
- 1.1 hue of sentry into the management interface. Use the sentry in the Administrators group of users log in hue, or can not create user
- 1.2 At this hue user does not have access to the hive, just can demonstrate at
- Information:
- {1} can only see the default default library, see also table inside.
- {2} `click roles, found it impossible to edit, click on the right of the question mark into the official documents, found in the original hue you want to edit permissions, the user currently logged in must belong to a group hue service, but also belong to the sentry in a management group, this time hue belong only defalut group, create a group hue in hue, and then assign users hue, appeared in roles editing interface `
- {3} hive_role created, the role of the hive contains all permissions, the group hive_role assigned hue hue.
- 2. Use Authorization statement Hive in operation, similar to the mysql grant
- Five test
A, src
- Only kerberos authentication, authorization, responsible for sentry
- Apache Hive,Hive Metastore / HCatalog,Apache Solr,Impala和HDFS
- sentry access control is achieved by controlling access to files and hive of the user hdfs table. The final document on the operation or hdfs
- The sentry linux and services are integrated together, linux and hue can be directly used as authorized users and clients is a group created in the sentry but linux and hue is a group of users and do not share
Second, the architecture, the role
1. Role
object: protected objects, such as tables, columns,
privilege: the privilege corresponding to the object
role: a set of privilege set
user: User
group: a user of the group set
2. Architecture
Authorization can only be assigned to the role group, you can not operate privilege and user. The following diagram, Tom wanted to give the user permissions granted read the table, only to join Bigdata group, and then grant the role to Bigdata group
sentry nature protection of data, and the data is stored on hdfs, the sentry is essentially the operating hdfs 9 authority data
Three, sentry-CDH mounting configuration
1. sentry mounted on CDH
2. integration with Hive
2.1 modify the configuration parameters
{1} hive canceled HiveServer2 user impersonation
Search hive configuration item "HiveServer2 enable impersonation", uncheck
simulate mean CDH beeline connection with the hive, with -n tells HiveServer user who, after cancellation, HiveServer for all client connections are considered to be the default user hive. The functions are in conflict with the sentry.
{2} yarn to allow the user to add hive
After canceling the user to simulate, hive mr all tasks are running at hive user, yarn have a hive user butt
{3} to start the database storage notification hive
每次修改元数据(CRUD表)都会写入到日志,这个日志sentry需要
{4} hive启用sentry
3.同Impala整合,直接启用
4.hdfs中
- sentry权限和hdfs中权限同步
4.1 在HDFS配置项中搜索“启用访问控制列表”、启用 Sentry 同步,勾选。
- 默认hdfs1个文件只有1个组,这个配置能加强hdfs的权限模型,1个文件可以有多个组
4.2 同步路径前缀
地址就写hive的warehouse
5.hue
5.1 配置HUE支持Sentry
在HUE配置项中搜索“Sentry”,勾选Sentry。
配置sentry的管理员组,管理员组中的用户都可以对其他用户授权。在hue中通过sentry给其他用户授权时,使用的用户要有sentry的管理员角色,所以要在sentry中给hue用户授权
在Sentry的配置项中搜索“管理员组”,其中包括hive、impala、hue,只有当某用户所属组位于其中时,才可为其他用户授予权限。注意,这里面的是组,不是用户
重启
四、使用
须知
- 使用了sentry之后,原来组件中的权限将不可用,全被sentry接管,比如hive组件的hive用户,原来有全部权限,使用sentry后,要给hive用户授权,否则默认无权限。
- 大数据组件有很多,包括linux系统本身,每个组件都有自己的用户,kerberos和sentry只认名字,只要名字相同,就认为是同一个人,
- 使用Sentry进行授权管理,需要使用Sentry的管理员用户对其他用户进行授权,授权的方式有两种。
1.通过HUE进行可视化操作
使用hue时,hue下创建的用户登录hue后自动完成kerberos认证,因为CDH会自动完成组件间的认证。如果是命令行,创建用户后要手动认证
1.1 进入hue的sentry管理界面。使用在sentry中管理员组中的用户登录hue,否则无法创建用户
1.2 此时hue用户没有访问hive的权限,刚好可以演示下
须知:
3列:
选表时,第3列可以选,选hdfs时,第3列禁用
创建role的时候可以顺便授予给group,group显示optional
{1} 只能看见默认的default库,里面的表也看不到。
{2} 点击roles,发现无法编辑,点击右边的问号进入官方文档,发现原来想要在hue编辑权限,当前登录的用户必须属于hue服务中的一个组,同时还要属于sentry中的1个管理组,此时hue仅仅属于defalut组,在hue中创建1个hue组,然后赋给hue用户,就出现了roles的编辑界面
{3} 创建hive_role,这个role包含hive的所有权限,将hive_role赋给hue的组hue。
给hue组赋予hive的权限,否则无法操作将hive的权限给别的角色
此时发现选权限时只有default库且里面没表,这是因为当前用户hue的组hue没有hive的任何权限,此时可以创建1个角色hive_role,给这个hive_role赋予hive的所有权限,然后把hive_role赋给hue组,这样hue就可以访问hive了,然后就可以用hue用户创建hive相关的角色了。权限不选就是所有权限
此时左边的hive栏刷新后就可以看到原来看不到的库和表了,这说明hue用户已经有了访问hive的权限。创建时可以不会有新的库和表的提示,手动输入即可。
2.使用Hive中的授权语句进行操作,类似mysql中的grant
先在linux中创建用户,默认会有同名用户组。hive中可以直接给linux的group授role。而hue需要在hue中创建用户和组???
使用sentry管理员用户登录hive,比如hive、hue。然后创建role,给role授权,
- 在node105创建两个用户reader_cmd,writer_cmd
[root@node105 ~]# useradd reader_cmd
[root@node105 ~]# passwd reader_cmd
[root@node105 ~]# useradd writer_cmd
[root@node105 ~]# passwd writer_cmd
为reader_cmd、writer_cmd创建Kerberos主体
[root@node105 ~]# kadmin.local -q "addprinc reader_cmd/[email protected]"
[root@node105 ~]# kadmin.local -q "addprinc writer_cmd/[email protected]"
- 使用Sentry管理员用户hive通过beeline客户端连接HiveServer2
[root@node105 ~]# kinit -kt /var/lib/hive/hive.keytab hive/hive@HADOOP.COM
[root@node105 ~]# beeline -u "jdbc:hive2://node105:10000/;principal=hive/[email protected]"
- 创建Role(reader_role_cmd,writer_role_cmd)为role赋予privilege
create role reader_role_cmd;
create role writer_role_cmd;
GRANT select ON DATABASE gmall TO ROLE reader_role_cmd;
GRANT insert ON DATABASE gmall TO ROLE writer_role_cmd;
- 将role授予用户组,
此处在hive中直接把hive的role授给linux的用户组还是principal的实例???,建立role和group的映射
GRANT ROLE reader_role_cmd TO GROUP reader_cmd;
GRANT ROLE writer_role_cmd TO GROUP writer_cmd;
- 查看权限授予情况
- 查看所有role(管理员)
SHOW ROLES; - 查看指定用户组的role(管理员)
SHOW ROLE GRANT GROUP reader_cmd; - 查看当前认证用户的role
SHOW CURRENT ROLES; - Check specify ROLE specific permissions (administrator)
SHOW GRANT ROLE reader_role_cmd;
- 查看所有role(管理员)
- The Rights Test
- Login using reader_cmd HiveServer2, any query a table in the library gmall
[root@node105 ~]# kinit reader_cmd/reader_cmd@HADOOP.COM [root@node105 ~]# beeline -u "jdbc:hive2://node105:10000/;principal=hive/[email protected]" - Login using writer_cmd HiveServer2, any query a table in the library gmall
[root@node105 ~]# kinit writer_cmd/writer_cmd@HADOOP.COM [root@node105 ~]# beeline -u "jdbc:hive2://node105:10000/;principal=hive/[email protected]" - Query results
reader_cmd have authority to query for gmall table, and writer_cmd no. States that authorization to take effect.
- Login using reader_cmd HiveServer2, any query a table in the library gmall
Five test
