hive有两种类型的权限控制方式:
一、Storage Based Authorization in the Metastore Server
通过Hcatcalog API访问hive数据的方式,实际是通过访问metastore元数据的形式访问hive数据,这类有MapReduce,Impala,Pig,Spark SQL,Hive Command line等方式
其实是通过hdfs(Hadoop File System)文件系统控制-d-r-w等权限来实现,这里需要借助hdfs setfacl命令
1)在hive-site.xml配置文件里配置如下选项
<property>
<name>hive.security.metastore.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>
<description>authorization manager class name to be used in the metastore for authorization.
The user defined authorization class should implement interface
org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider.
</description>
</property>
<property>
<name>hive.security.metastore.authenticator.manager</name>
<value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
<description>authenticator manager class name to be used in the metastore for authentication.
The user defined authenticator should implement interface
org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.
</description>
</property>
<property>
<name>hive.metastore.pre.event.listeners</name>
<value> </value>
<description>pre-event listener classes to be loaded on the metastore side to run code
whenever databases, tables, and partitions are created, altered, or dropped.
Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
if metastore-side authorization is desired.
</description>
</property>2)使用setfacl为用户在hive数仓路径分配权限
2.1) 创建一个新用户 test
hdfs dfs -mkdir /user/test
2.2)分配权限用户组 用户组:用户
hdfs dfs -chown test:test /user/test2.3)查看详情
hdfs dfs -ls /user/test
drwxr-xr-x - test test 0 2020-07-14 15:06 /user/test2.4)授予test对warehouse文件夹rwx权限
hadoop fs -setfacl -m user:test:rwx /user/hive/warehouse2.5)授予hivegrp对warehouse文件夹rwx权限
hadoo fs -setfacl -m group:hivegrp:rwx /user/hive/warehouse二、SQL Standards Based Authorization in HiveServer2
通过hiveserver2的方式访问hive数据,默认提供两种角色:public和admin,所有用户默认属于角色public,而授权则必须是具有角色admin的用户才可以完成(普通用户仅可以将自己获得的权限授权给其它用户),因此我们必须添加至少一个用户拥有角色admin
1)通过在hive-site.xml中配置获得admin权限,hive配置项
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.security.authorization.createtable.owner.grants</name>
<value>ALL</value>
</property>
<property>
<name>hive.security.authorization.task.factory</name>
<value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
<property>
<name>hive.users.in.admin.role</name>
<value>hdfs</value>
</property>含义分别是开启权限验证;表的创建者对表拥有所有权限
hive.security.authorization.createtable.owner.grants默认值为NULL,所以表的创建者无法访问该表,这明显是不合理的。
Hive授权的核心就是用户、组、角色。
Hive中的角色和平常我们认知的角色是有区别的。Hive中的角色可以理解为一部分有一些相同“属性”的用户或组或角色的集合。这里有个递归的概念,就是一个角色可以是一些角色的集合。
| 用户 | 组 | 角色 |
| 张三 | group1 | admin |
| 李四 | group2 | test |
2)创建/删除角色命令用户和组使用的是Linux机器上的用户和组,而角色必须自己(hive)创建。
#获取管理员权限
set role admin;
#查看当前创建的所有role
show roles;
#新建角色 tests
create role tests;
#删除角色 tests
drop role tests;3)授权/移除权限命令
grant/revoke:
GRANT ROLE role_name [, role_name] ... TO principal_specification [, principal_specification] ...
REVOKE ROLE role_name [, role_name] ... FROM principal_specification [, principal_specification] ...
principal_specification :
USER user | GROUP group | ROLE role
eg:
grant role outs to user out_user;
show role grant user yinxiu;
result:
hive> show role grant user out_user;
OK
admin false 1594783028000 hadoop
outs false 1594712987000 hadoop
public false 0
Time taken: 0.145 seconds, Fetched: 3 row(s)HIVE支持以下权限:
| 权限名称 | 含义 |
| ALL | 所有权限 |
| ALTER | 允许修改元数据(modify metadata data of object)---表信息数据 |
| UPDATE | 允许修改物理数据(modify physical data of object)---实际数据 |
| CREATE | 允许进行Create操作 |
| DROP | 允许进行DROP操作 |
| INDEX | 允许建索引(目前还没有实现) |
| LOCK | 当出现并发的使用允许用户进行LOCK和UNLOCK操作 |
| SELECT | 允许用户进行SELECT操作 |
| SHOW_DATABASE | 允许用户查看可用的数据库 |
常用的:ALL、CREATE、SELECT(目前只使这三种)
GRANT\REVOKE:
GRANT priv_type [(column_list)] [, priv_type [(column_list)]] ... [ON object_type] TO principal_specification [, principal_specification] ... [WITH GRANT OPTION]
REVOKE priv_type [(column_list)] [, priv_type [(column_list)]] ... [ON object_type priv_level] FROM principal_specification [, principal_specification] ...
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ...
object_type: TABLE | DATABASE
priv_level: db_name | tbl_name
eg:
grant select on database default to user out_user;
revoke all on database default from user out_user;4)查看授权用户
查看权限:
SHOW GRANT principal_specification [ON object_type priv_level [(column_list)]]
HIVE操作和权限之间的关系
As of the release of Hive 0.7, only these operations require permissions, according to org.apache.hadoop.hive.ql.plan.HiveOperation:
| Operation | ALTER | UPDATE | CREATE | DROP | INDEX | LOCK | SELECT | SHOW_DATABASE |
| LOAD | √ | |||||||
| EXPORT | √ | |||||||
| IMPORT | √ | √ | ||||||
| CREATE TABLE | √ | |||||||
| CREATE TABLE AS SELECT | √ | √ | ||||||
| DROP TABLE | √ | |||||||
| SELECT | √ | |||||||
| ALTER TABLE ADD COLUMN | √ | |||||||
| ALTER TABLE REPLACE COLUMN | √ | |||||||
| ALTER TABLE RENAME | √ | |||||||
| ALTER TABLE ADD PARTITION | √ | |||||||
| ALTER TABLE DROP PARTITION | √ | |||||||
| ALTER TABLE ARCHIVE | √ | |||||||
| ALTER TABLE UNARCHIVE | √ | |||||||
| ALTER TABLE SET PROPERTIES | √ | |||||||
| ALTER TABLE SET SERDE | √ | |||||||
| ALTER TABLE SET SERDEPROPERTIES | √ | |||||||
| ALTER TABLE CLUSTER BY | √ | |||||||
| ALTER TABLE PROTECT MODE | √ | |||||||
| ALTER PARTITION PROTECT MODE | √ | |||||||
| ALTER TABLE SET FILEFORMAT | √ | |||||||
| ALTER TABLE SET LOCATION | √ | |||||||
| ALTER PARTITION SET LOCATION | √ | |||||||
| ALTER TABLE CONCATENATE | √ | |||||||
| ALTER PARTITION CONCATENATE | √ | |||||||
| SHOW DATABASE | √ | |||||||
| LOCK TABLE | √ | |||||||
| UNLOCK TABLE | √ |
eg:
show grant user out_user on database default;
result:
1594696143000 hadoop
db_apps out_user USER SELECT false
Time taken: 0.031 seconds, Fetched: 1 row(s)5)主要命令如下,记住即可:
grant select on database 数据库 to 用户名;
eg: grant select on database db_source to user zhangsan;
check eg: show grant user zhangsan on database db_source;
grant select on table 表名 to 用户名;
eg: grant select on table db_source.xx_xx_log_d to user zhangsan; //没写db_source就是default
check eg: show grant user zhangsan on table db_source.xx_xx_log_d;
grant select on database 数据库 to role admin;
eg: grant select on database db_source to role admin;
check eg: show grant role admin on database db_source;
grant select on table 表名 to role admin;
eg: grant select on table db_source.xx_xx_log_d to role admin; //没写db_source就是default
check eg: show grant role admin on table db_source.xx_xx_log_d;拓展beeline 直接测试:
beeline -u 'jdbc:hive2://192.168.10.1:2181,192.168.10.2:2181,192.168.10.3:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2' -n zhangsan --outputformat=tsv2 --showHeader=falsebeeline -u 'jdbc:hive2://192.168.10.1:2181,192.168.10.2:2181,192.168.10.3:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2' -n hadoop --outputformat=tsv2 --showHeader=false
参考链接:
https://www.cnblogs.com/yejibigdata/p/6394719.html
https://blog.csdn.net/javajxz008/article/details/81084744
https://www.cnblogs.com/yurunmiao/p/4449439.html
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
