1 角色管理命令
1.1 创建角色
创建一个新角色,需要 admin 用户执行
CREATE ROLE role_name;
--示例:创建名为bigdata_admin_role的角色
CREATE ROLE bigdata_admin_role;
<!--如果没有执行hive权限配置需要修改hive-site.xml文件,然后重新启动-->
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.security.authorization.createtable.owner.grants</name>
<value>ALL</value>
</property>
<property>
<name>hive.security.authorization.task.factory</name>
<value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
1.2 删除角色
删除一个角色,需要 admin 用户执行
DROP ROLE role_name;
--示例:删除名为bigdata_admin_role的角色
DROP ROLE bigdata_admin_role
1.3 显示当前角色
显示用户当前角色列表
SHOW CURRENT ROLES;
1.4 设定角色
如果指定了role_name,则该角色将成为当前角色中的唯一角色
将Role_Name设置为All将刷新当前角色的列表(在新角色被授予用户的情况下),并将其设置为默认的角色列表。
将Role_Name设置为None将从当前用户中删除所有当前角色。
SET ROLE (role_name|ALL|NONE);
1.5 显示角色
列出所有当前存在的角色。
只有admin角色对此有特权。
SHOW ROLES;
2 权限管理
2.1 将角色赋权给其他角色/用户/用户组
即,其他角色/用户/用户组将拥有该角色所拥有的权限
赋权/撤销语法
将一个或多个角色授予其他角色或用户。
如果指定了“WITH ADMIN OPTION”,则用户将获得将该角色授予其他用户/角色的权限。
如果授予语句最终在角色之间创建循环关系,则该命令将失败并出现错误。
GRANT ROLE role_name [, role_name] ...
TO principal_specification [, principal_specification] ...
[ WITH ADMIN OPTION ];
principal_specification:
USER user
| GROUP group
| ROLE role
--示例:将bigdata_admin_role角色的权限给到用户bigdata_admin
GRANT ROLE bigdata_admin_role TO USER bigdata_admin;
--示例:将bigdata_admin_role角色的权限给到用户组bigdata_admin_g
GRANT ROLE bigdata_admin_role TO bigdata_admin_g;
从FROM子句中的用户/角色中撤消角色的成员权限。
REVOKE [ADMIN OPTION FOR] role_name [, role_name] ...
FROM principal_specification [, principal_specification] ... ;
principal_specification
USER user
| GROUP group
| ROLE role
--示例:将bigdata_admin_role角色的权限从用户bigdata_admin中移除
GRANT ROLE bigdata_admin_role FROM USER bigdata_admin;
--示例:将bigdata_admin_role角色的权限给从用户组bigdata_admin_g中移除
GRANT ROLE bigdata_admin_role FROM bigdata_admin_g;
2.2 将数据库/表赋权给角色
对数据库/表或视图赋权,包括 ALL/ALTER/UPDATE/CREATE/DROP/INDEX/LOCK/SELECT/SHOW_DATABASE 权限,也可以通过指定某张表的那些列有哪些权限。
GRANT
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
[ON object_specification]
TO principal_specification [, principal_specification] ...
[WITH GRANT OPTION]
REVOKE [GRANT OPTION FOR]
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
[ON object_specification]
FROM principal_specification [, principal_specification] ...
REVOKE all on bigdata_db.test from
REVOKE ALL PRIVILEGES, GRANT OPTION
FROM user [, user] ...
priv_type:
ALL | ALTER | UPDATE | CREATE | DROP
| INDEX | LOCK | SELECT | SHOW_DATABASE
object_specification:
TABLE tbl_name
| DATABASE db_name
principal_specification:
USER user
| GROUP group
| ROLE role
--示例:将数据库bigdata_db的所有权限赋给bigdata_admin_role角色
GRANT ALL ON DATABASE bigdata_db TO ROLE bigdata_admin_role;
--示例:将表bigdata_db.test的select权限赋给bigdata_read_role角色
GRANT SELECT ON TABLE bigdata_db.test TO ROLE bigdata_read_role;
--示例:将表bigdata_db.test的select权限赋从bigdata_read_role角色移除
GRANT SELECT ON TABLE bigdata_db.test FROM ROLE role_read_cl;
如果授予用户对表或视图的WITH GRANT OPTION特权,则该用户还可以赋权/撤消其他用户的特权以及这些对象上的角色。
2.3 显示权限
SHOW GRANT [principal_specification] ON (ALL | [TABLE] table_or_view_name);
principal_specification
: USER user
| ROLE role
2.4 管理对象权限的示例
示例:创建用户bigdata_admin并指定用户组bigdata_admin_g,创建hive角色bigdata_admin_role,创建数据库bigdata_db,指定bigdata_admin_role角色拥有bigdata_db所有权限,并将bigdata_admin_role的权限给到bigdata_admin_g用户组:
#shell脚本内容:
#1.创建一个‘用户组’,bigdata_admin_g,语法:groupadd [用户组名]
groupadd bigdata_admin_g
#2.创建一个‘用户’,bigdata_admin指定用户组为bigdata_admin_g,语法:useradd -m -g [用户组名] [用户名]
useradd -m -g bigdata_admin_g bigdata_admin
#3.检查用户组和用户创建情况,语法:id [用户名]
id bigdata_admin
#返回以下内容表示创建成功
uid=1003(bigdata_admin) gid=1003(bigdata_admin_g) groups=1003(bigdata_admin_g)
#4.创建Hadoop用户路径,设置路径权限及空间大小
hadoop fs -mkdir /user/bigdata_admin
hadoop fs -chown bigdata_admin/bigdata_admin_g /user/bigdata_admin
hadoop fs -chmod 711 /user/bigdata_admin
hadoop fs -setfacl -R -m group:bigdata_admin_g:rwx /user/bigdata_admin
hadoop fs -setfacl -R -m default:group:bigdata_admin_g:rwx /user/bigdata_admin
hadoop fs -setfacl -R -m default:user::rwx /user/bigdata_admin
hadoop fs -setfacl -R -m default::--- /user/bigdata_admin
hadoop fs -setfacl -R -m default::--- /user/bigdata_admin
hdfs dfsadmin -setSpaceQuota 10g /user/bigdata_admin
--SQL脚本内容:
--1.创建数据库 bigdata_db,以下为SQL语法
CREATE DATABASE bigdata_db;
--2.创建名为bigdata_admin_role的角色
CREATE ROLE bigdata_admin_role;
--3.将数据库bigdata_db的所有权限赋给bigdata_admin_role角色
GRANT ALL ON DATABASE bigdata_db TO ROLE bigdata_admin_role;
--4.将bigdata_admin_role角色的权限给到bigdata_g,即,bigdata_g组内的用户拥有操作数据库bigdata_db的所有权限
GRANT ROLE bigdata_admin_role TO GROUP bigdata_g;
--5.将集群路径所有权限赋权给bigdata_admin_role角色
GRANT ALL ON URI 'hdfs://nameservice/user/bigdata' TO bigdata_admin_role;
示例:创建用户bigdata_read并指定用户组bigdata_read_g,创建hive角色bigdata_read_role,指定bigdata_read_role角色拥有bigdata_db的select权限,并将bigdata_read_role的权限给到bigdata_admin_g用户组:
--SQL脚本内容:
--1.创建名为bigdata_read_role的角色
CREATE ROLE bigdata_read_role;
--2.将数据库bigdata_db的所有权限赋给bigdata_read_role角色
GRANT SELECT ON DATABASE bigdata_db TO ROLE bigdata_read_role;
--3.将bigdata_read_role角色的权限给到bigdata_g,即,bigdata_g组内的用户拥有操作数据库bigdata_db的所有权限
GRANT ROLE bigdata_read_role TO GROUP bigdata_g;
2.5 显示角色授予
principal_name是用户或角色的名称。
列出已授予给定用户或角色的所有角色。
SHOW ROLE GRANT (USER|ROLE|GROUP ) principal_name;
示例:
0: jdbc:hive2://localhost:10000> SHOW ROLE GRANT USER user1;
+---------+---------------+----------------+----------+
| role | grant_option | grant_time | grantor |
+---------+---------------+----------------+----------+
| public | false | 0 | |
| role1 | false | 1398284083000 | uadmin |
+---------+---------------+----------------+----------+
2.6 列出所有角色和属于该角色的用户
仅admin角色对此具有特权。
SHOW PRINCIPALS role_name;
示例:
0: jdbc:hive2://localhost:10000> SHOW PRINCIPALS role1;
+-----------------+-----------------+---------------+----------+---------------+----------------+
| principal_name | principal_type | grant_option | grantor | grantor_type | grant_time |
+-----------------+-----------------+---------------+----------+---------------+----------------+
| role2 | ROLE | false | uadmin | USER | 1398285926000 |
| role3 | ROLE | true | uadmin | USER | 1398285946000 |
| user1 | USER | false | uadmin | USER | 1398285977000 |
+-----------------+-----------------+---------------+----------+---------------+----------------+
找出用户ashutosh对表hivejiratable拥有的特权:
0: jdbc:hive2://localhost:10000> show grant user ashutosh on table hivejiratable;
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default | hivejiratable | | | ashutosh | USER | DELETE | false | 1398303419000 | thejas |
| default | hivejiratable | | | ashutosh | USER | SELECT | false | 1398303407000 | thejas |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
找出用户ashutosh对所有对象具有的特权:
0: jdbc:hive2://localhost:10000> show grant user ashutosh on all;
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default | hivecontributors | | | ashutosh | USER | DELETE | false | 1398303576000 | thejas |
| default | hivecontributors | | | ashutosh | USER | INSERT | false | 1398303576000 | thejas |
| default | hivecontributors | | | ashutosh | USER | SELECT | false | 1398303576000 | thejas |
| default | hivejiratable | | | ashutosh | USER | DELETE | false | 1398303419000 | thejas |
| default | hivejiratable | | | ashutosh | USER | SELECT | false | 1398303407000 | thejas |
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
找出所有用户对表hivejiratable拥有的特权:
0: jdbc:hive2://localhost:10000> show grant on table hivejiratable;
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default | hivejiratable | | | ashutosh | USER | DELETE | false | 1398303419000 | thejas |
| default | hivejiratable | | | ashutosh | USER | SELECT | false | 1398303407000 | thejas |
| default | hivejiratable | | | navis | USER | INSERT | false | 1398303650000 | thejas |
| default | hivejiratable | | | navis | USER | SELECT | false | 1398303650000 | thejas |
| default | hivejiratable | | | public | ROLE | SELECT | false | 1398303481000 | thejas |
| default | hivejiratable | | | thejas | USER | DELETE | true | 1398303380000 | thejas |
| default | hivejiratable | | | thejas | USER | INSERT | true | 1398303380000 | thejas |
| default | hivejiratable | | | thejas | USER | SELECT | true | 1398303380000 | thejas |
| default | hivejiratable | | | thejas | USER | UPDATE | true | 1398303380000 | thejas |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+