1、安装配置sentry

详细步骤见上一篇安装配置sentry

2、配置hive

2.1 Hive-server2集成Sentry

在 /etc/hive/conf/hive-site.xml中添加:

<property>

   <name>hive.security.authorization.task.factory</name>

   <value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value>

</property>

<property>

   <name>hive.server2.session.hook</name>

   <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>

</property>

<property>

   <name>hive.sentry.conf.url</name>

   <value>file:///etc/hive/conf/sentry-site.xml</value>

</property>

在/etc/hive/conf目录下创建sentry.xml文件,并添加:

<property>

    <name>hive.sentry.server</name>

    <value>Sentry_HOSTNAME</value>

</property>

<property>

    <name>sentry.service.security.mode</name>

    <value>none</value>

</property>

<property>

    <name>sentry.hive.provider.backend</name>

    <value>org.apache.sentry.provider.db.SimpleDBProviderBackend</value>

</property>

<property>

    <name>sentry.service.client.server.rpc-address</name>

    <value>Sentry_HOSTNAME</value>

</property>

<property>

    <name>sentry.service.client.server.rpc-port</name>

    <value>8038</value>

</property>

<property>

    <name>sentry.service.client.server.rpc-connection-timeout</name>

    <value>200000</value>

</property>

<property>

    <name>hive.sentry.provider</name>

    <value>org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider</value>

</property>

<property>

    <name>hive.sentry.failure.hooks</name>

    <value>com.cloudera.navigator.audit.hive.HiveSentryOnFailureHook</value>

</property>

<property>

    <name>sentry.hive.testing.mode</name>

     <value>true</value>

</property>

2.2 Hive Metastore集成Sentry

在 /etc/hive/conf/hive-site.xml中添加:

<property>

<name>hive.metastore.filter.hook</name>

<value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>

</property>

<property>

    <name>hive.metastore.pre.event.listeners</name>

    <value>org.apache.sentry.binding.metastore.MetastoreAuthzBinding</value>

    <description>list of comma separated listeners for metastore events.</description>

</property>

<property>

    <name>hive.metastore.event.listeners</name>

    <value>org.apache.sentry.binding.metastore.SentryMetastorePostEventListener</value>

    <description>list of comma separated listeners for metastore, post events.</description>

</property>

2.3重启hive

先将sentry相关的jar包拷到hive的home目录下的lib目录下:

cp /usr/lib/sentry/lib/sentry-*.jar /usr/lib/hive/lib/

cp /usr/lib/sentry/lib/shiro-*.jar /usr/lib/hive/lib/

/etc/init.d/hive-server2 restart

3、测试

使用hive用户连接beeline:

beeline> !connect jdbc:hive2://10.205.58.36:10000

scan complete in 3ms

Connecting to jdbc:hive2://10.205.58.36:10000

Enter username for jdbc:hive2://10.205.58.36:10000: hive

Enter password for jdbc:hive2://10.205.58.36:10000:

查看数据库:

0: jdbc:hive2://10.205.58.36:10000> show databases;

+----------------+--+

| database_name  |

+----------------+--+

| app            |

| default        |

| hbase          |

| tmp            |

| web            |

+----------------+--+

现在以一个简单的需求来做一个权限分配示例:

hive属于admin role,对所有数据库有all权限;

etl属于etl role,对app,web库有select权限;

analyst属于analyst role,对hhbase库有select权限;

首先在系统中创建etl、analyst用户和组,hive已默认存在:

useradd etl

useradd analyst

hive连接beeline创建role并赋权:

 jdbc:hive2://10.205.58.36:10000> CREATE ROLE admin;

 jdbc:hive2://10.205.58.36:10000> GRANT ROLE admin TO GROUP hive;

 jdbc:hive2://10.205.58.36:10000> GRANT ALL ON server SentryHostname to role admin;

 jdbc:hive2://10.205.58.36:10000>

 jdbc:hive2://10.205.58.36:10000> CREATE ROLE etl;

 jdbc:hive2://10.205.58.36:10000> GRANT ROLE etl TO GROUP etl;

 jdbc:hive2://10.205.58.36:10000>GRANT SELECT ON DATABASE app TO ROLE etl;GRANT SELECT ON DATABASE web TO ROLE etl;

......

hive属于admin角色,具有管理员权限,可以查看所有角色:

0: jdbc:hive2://10.205.58.36:10000> show roles;

+----------+--+

|   role   |

+----------+--+

| etl      |

| analyst  |

| admin    |

+----------+--+

查看所有权限:

0: jdbc:hive2://10.205.58.36:10000> SHOW GRANT ROLE admin;

+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |

+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

| *         |        |            |         | admin           | ROLE            | *          | false         | 1493962544757000  | --       |

+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

以etl用户连接beeline:

beeline> !connect jdbc:hive2://10.205.58.36:10000

scan complete in 2ms

Connecting to jdbc:hive2://10.205.58.36:10000

Enter username for jdbc:hive2://10.205.58.36:10000: etl

Enter password for jdbc:hive2://10.205.58.36:10000:

etl用户只能看到default、app、web库:

0: jdbc:hive2://10.205.58.36:10000> show databases;

+----------------+--+

| database_name  |

+----------------+--+

| app            |

| default        |

| web            |

+----------------+--+

etl属于普通角色,不能看到所有角色,可以查看当前的角色。

0: jdbc:hive2://10.205.58.36:10000> show roles;

ERROR : Error processing Sentry command: Access denied to etl.Please grant admin privilege to etl.

ERROR : FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: Access denied to etl

INFO  : Completed executing command(queryId=hive_20170505180707_737ce3c6-aade-4785-98a7-b66dda4f982f); Time taken: 0.009 seconds

Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: Access denied to etl (state=08S01,code=1)

0: jdbc:hive2://10.205.58.36:10000> show current roles;

+-------+--+

| role  |

+-------+--+

| etl   |

+-------+--+

查看其所有的权限:

0: jdbc:hive2://10.205.58.36:10000> SHOW GRANT ROLE etl;

+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |

+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

| app       |        |            |         | etl             | ROLE            | select     | false         | 1493965736909000  | --       |

| web       |        |            |         | etl             | ROLE            | select     | false         | 1493965737148000  | --       |

+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

hive集成sentry的更多相关文章

  1. hive集成sentry的sql使用语法

    Sentry权限控制通过Beeline(Hiveserver2 SQL 命令行接口)输入Grant 和 Revoke语句来配置.语法跟现在的一些主流的关系数据库很相似.需要注意的是:当sentry服务 ...

  2. Hive集成HBase;安装pig

    Hive集成HBase 配置 将hive的lib/中的HBase.jar包用实际安装的Hbase的jar包替换掉 cd /opt/hive/lib/ ls hbase-0.94.2*  rm -rf ...

  3. Hive集成HBase详解

    摘要 Hive提供了与HBase的集成,使得能够在HBase表上使用HQL语句进行查询 插入操作以及进行Join和Union等复杂查询   应用场景 1. 将ETL操作的数据存入HBase 2. HB ...

  4. hbase与hive集成:hive读取hbase中数据

    1.创建hbase jar包到hive lib目录软连接 hive需要jar包: hive-hbase-handler-0.13.1-cdh5.3.6.jar zookeeper-3.4.5-cdh5 ...

  5. Hive集成Mysql作为元数据时,提示错误:Specified key was too long; max key length is 767 bytes

    在进行Hive集成Mysql作为元数据过程中.做全然部安装配置工作后.进入到hive模式,运行show databases.运行正常,接着运行show tables:时却报错. 关键错误信息例如以下: ...

  6. 大数据技术之_11_HBase学习_02_HBase API 操作 + HBase 与 Hive 集成 + HBase 优化

    第6章 HBase API 操作6.1 环境准备6.2 HBase API6.2.1 判断表是否存在6.2.2 抽取获取 Configuration.Connection.Admin 对象的方法以及关 ...

  7. Hbase与hive集成与对比

    HBase与Hive的对比 1.Hive (1) 数据仓库 Hive的本质其实就相当于将HDFS中已经存储的文件在Mysql中做了一个双射关系,以方便使用HQL去管理查询. (2) 用于数据分析.清洗 ...

  8. 【flask】项目集成Sentry收集线上错误日志

    flask集成sentry分为4个步骤: 首先在sentry官网注册1个账号 然后创建1个新的项目,这里我选择的是flask,这会得到一些关于sdk的使用说明 接下来创建一个简单的flask项目使用s ...

  9. 如何使用Hive集成Solr?

    (一)Hive+Solr简介 Hive作为Hadoop生态系统里面离线的数据仓库,可以非常方便的使用SQL的方式来离线分析海量的历史数据,并根据分析的结果,来干一些其他的事情,如报表统计查询等. So ...

随机推荐

  1. Redhat

    vm1 port:192.168.210.102 user:root;pwd:123456 user:openflowpwd:openflowKkm09!q esx4.1 server 安装一.修改I ...

  2. macaca环境搭建(web 和 android)

    一.安装配置JDK 1.1下载JDK地址http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.h ...

  3. java 文件操作(二)---Files和Path

    自从java 7以来,引入了FIles类和Path接口.他们两封装了用户对文件的所有可能的操作,相比于java 1的File类来说,使用起来方便很多.但是其实一些本质的操作还是很类似的.主要需要知道的 ...

  4. html行内元素,块元素,空元素

    行内元素:img    span    input  a  b  br  lable   ; 块元素:dl  dt  dd  div  form  table  li  ol  ul  li  h1- ...

  5. 当Node.js遇见Docker

    Node.js Best Practices - How to Become a Better Developer in 2017提到的几点,我们Fundebug深有同感: 使用ES6 使用Promi ...

  6. 一张图解析nvm,npm,nodejs之间的关系

  7. [SinGuLaRiTy] 最短路计算代码库

    [SinGuLaRiTy-1002] Copyright (c) SinGuLaRiTy 2017. All Rights Reserved. Dijkstra: 题目描述 有向图的单源点最短路问题( ...

  8. vagrant up 失败解决办法

    前几天在自己电脑搭建vagrant环境报错:"There was an error while executing `VBoxManage`, a CLI used by Vagrant f ...

  9. ACdream 1112 Alice and Bob (sg函数的变形+素数筛)

    题意:有N个数,Alice 和 Bob 轮流对这些数进行操作,若一个数 n=a*b且a>1,b>1,可以将该数变成 a 和 b 两个数: 或者可以减少为a或b,Alice先,问谁能赢 思路 ...

  10. sublimeText3插件安装

    1,官方下载sublimeText 3(百度搜索) 2,安装成功后按Ctrl+`调出console 3,然后输入 import urllib.request,os; pf = 'Package Con ...