1. Enable testing.mode (otherwise Kerberos must be configured first)
In CM, under the Hive configuration -> sentry-site.xml, add:
<property>
<name>sentry.hive.testing.mode</name>
<value>true</value>
</property>
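2. Use local groups
Hive configuration -> search for hive.sentry.provide -> set "Sentry User to Group Mapping Class" to org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider
3. Configure the policy file path
Hive configuration -> hive.sentry.provider.resource
4. Allow URIs in database policy files
Hive configuration -> sentry.allow.uri.db.policyfile -> check
5. Make sure the data warehouse permissions are correct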
$ sudo -u hdfs hadoop fs -chmod -R 771 /user/hive/warehouse
$ sudo -u hdfs hadoop fs -chown -R hive:hive /user/hive/warehouse
6. Disable HiveServer2 impersonation
Hive configuration -> hive.server2.enable.impersonation -> uncheck
7. Create sentry-provider.ini and put it at the path configured in step 3
Example format:
[databases]
[groups]
admin = all_operation
ope = select_filtered
g12000128 = select_g12000128
access_log = select_access_log
[roles]
all_operation = server=dmp-hive->action=ALL,server=dmp-hive->uri=hdfs://user/m4/lib/
select_filtered = server=dmp-hive->action=SELECT
select_g12000128 = server=dmp-hive->db=g12000128->action=SELECT
select_access_log = server=dmp-hive->db=access_log->action=SELECT
#select_us = server=dmp-hive->db=filtered->table=events_usonly->action=SELECT
[users]
root = ope
admin = ope
fdc964ffa8f13cf35792989279451c46 = admin
456b7016a916a4b178dd72b947c152b7 = admin
infra = admin
8. In the YARN configuration, make sure allowed.system.users includes the hive user
9. Hive configuration -> hive.sentry.enabled -> check
10. Restart the cluster
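
Added example (not part of the original notes): a small Python lint for the sentry-provider.ini layout from step 7, run before the restart, that reports users mapped to undefined groups, groups mapped to undefined roles, roles no group uses, and roles granting ALL on the whole server. The sample policy is constructed from the one above; ghost, missing_role, alice and analysts are hypothetical names added so each check fires.

```python
# Constructed sample (step 7 layout); ghost, missing_role, alice, analysts are hypothetical.
SAMPLE_POLICY = """\
[groups]
admin = all_operation
ope = select_filtered
ghost = missing_role
[roles]
all_operation = server=dmp-hive->action=ALL,server=dmp-hive->uri=hdfs://user/m4/lib/
select_filtered = server=dmp-hive->action=SELECT
select_access_log = server=dmp-hive->db=access_log->action=SELECT
#select_us = server=dmp-hive->db=filtered->table=events_usonly->action=SELECT
[users]
root = ope
infra = admin
alice = analysts
"""

def parse_policy(text):
    """Return {section: {name: [comma-separated values]}}, skipping # comments."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            name, _, value = line.partition("=")
            current[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return sections

def lint_policy(text):
    """List dangling references, unused roles and server-wide ALL grants."""
    policy = parse_policy(text)
    groups, roles, users = (policy.get(s, {}) for s in ("groups", "roles", "users"))
    findings = []
    for user, gs in users.items():
        findings += [f"user {user}: undefined group {g}" for g in gs if g not in groups]
    for group, rs in groups.items():
        findings += [f"group {group}: undefined role {r}" for r in rs if r not in roles]
    granted = {r for rs in groups.values() for r in rs}
    findings += [f"role {r}: not granted to any group" for r in roles if r not in granted]
    for role, privs in roles.items():
        for priv in privs:
            # A privilege is a chain of key=value scopes joined by "->".
            scope = dict(kv.split("=", 1) for kv in priv.split("->") if "=" in kv)
            if set(scope) == {"server", "action"} and scope["action"].upper() == "ALL":
                findings.append(f"role {role}: ALL on the whole server")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY)))
```

A user whose group has no entry in [groups] ends up with no roles, so the first finding usually points at a typo rather than an intended denial.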