Hue Beeswax permission management

http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH5/latest/CDH5-Security-Guide/cdh5sg_sentry.html
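Prerequisites:
Kerberos authentication (after security is configured through Cloudera Manager (CM), authentication is added for Hive automatically as well, so the Hive authentication configuration at http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH5/latest/CDH5-Security-Guide/cdh5sg_hive_security.html can be skipped)
This prerequisite is the one stated in Cloudera's official documentation. As far as I know, Sentry can also be used without configuring Kerberos authentication, but I have not tried it; would anyone who has tried it please reply.
Steps: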

sudo -u hdfs hdfs dfs -chmod -R 770 /user/hive/warehouse
sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
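In the Hive configuration in CM, find hive.sentry.provider and set it to org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider
(with this setting Hive honours the user-to-group mappings defined in the policy file)
Configure sentry-provider.ini. For example: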
[databases]
# Defines the location of the per DB policy file for the customers DB/schema
customers = hdfs://namenode11.yeahmobi.com:8020/etc/sentry/customers.ini
# ------------- permission configuration for one specific database
[groups]
# Assigns each Hadoop group to its set of roles
manager = analyst_role, junior_analyst_role
analyst = analyst_role
jranalyst = junior_analyst_role
customers_admin = customers_admin_role
admin = admin_role
[roles]
# The uris below define a landing skid which
# the user can use to import or export data from the system.
# Since the server runs as the user "hive" files in that directory
# must either have the group hive and read/write set or
# be world read/write.
analyst_role = server=server1->db=analyst1, \
server=server1->db=jranalyst1->table=*->action=select,\
server=server1->db=default->table=*->action=select,\
server=server1->db=test->table=*->action=select
junior_analyst_role = server=server1->db=jranalyst1
# Implies everything on server1 -> customers. Privileges for
# customers can be defined in the global policy file even though
# customers has its own policy file. Note that the Privileges from
# both the global policy file and the per-DB policy file
# are merged. There is no overriding.
customers_admin_role = server=server1->db=customers
# Implies everything on server1.
admin_role = server=server1
[users]
# ----------------------------- user-to-group mappings take effect here
hive = manager,customers_admin
hue = analyst
rube = analyst
qiulp = analyst
Upload this file to a directory in HDFS, and give that directory to user hive, group hive.
Enable Sentry for Hive
In CM, find Hive's hive.server2.session.hook and set it to: org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook
Configure hive.sentry.conf.url


When using Hive JDBC, the following exception occurred:
Exception in thread "main" java.sql.SQLException: Error while compiling statement: FAILED: SemanticException No valid privileges
at org.apache.hive.jdbc.Utils.verifySuccess(Utils.java:167)
at org.apache.hive.jdbc.Utils.verifySuccessWithInfo(Utils.java:155)
at org.apache.hive.jdbc.HiveStatement.execute(HiveStatement.java:210)
This is a problem with how the privileges were assigned.
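
To narrow down a "No valid privileges" error, it helps to trace which privileges a user actually ends up with under the policy file. The script below is an added example, not code from the original post or from Sentry: it resolves user -> group -> role -> privilege for a policy in the format shown above and applies a simplified matching rule. The function names, the trimmed sample policy and the user "nobody" are constructed for illustration.

```python
import configparser
import re

# Constructed sample: a trimmed copy of the policy file shown above.
POLICY = r"""
[groups]
manager = analyst_role, junior_analyst_role
analyst = analyst_role
[roles]
analyst_role = server=server1->db=analyst1, \
server=server1->db=default->table=*->action=select
junior_analyst_role = server=server1->db=jranalyst1
[users]
hive = manager
hue = analyst
"""

def load(text):
    """Parse the [users], [groups] and [roles] sections into dicts of lists."""
    text = re.sub(r"\\\s*\n\s*", "", text)  # join backslash-continued lines
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    split = lambda v: [x.strip() for x in v.split(",") if x.strip()]
    return {s: {k: split(v) for k, v in cp[s].items()}
            for s in ("users", "groups", "roles")}

def parse_priv(priv):
    """'server=s->db=d->table=*->action=select' -> {'server': 's', ...}"""
    return dict(p.strip().lower().split("=", 1) for p in priv.split("->"))

def privileges(policy, user):
    """Follow user -> groups -> roles -> privilege strings."""
    return [p for g in policy["users"].get(user, [])
              for r in policy["groups"].get(g, [])
              for p in policy["roles"].get(r, [])]

def allowed(policy, user, server, db, table, action):
    """Simplified check (assumption): a privilege covers a request when every
    part it names matches ('*' matches anything); omitted parts cover all."""
    req = {"server": server, "db": db, "table": table, "action": action}
    return any(all(v in ("*", req.get(k)) for k, v in parse_priv(p).items())
               for p in privileges(policy, user))

if __name__ == "__main__":
    policy = load(POLICY)
    # "nobody" is a constructed user that is missing from [users].
    for who, db, action in [("hue", "default", "select"),
                            ("hue", "default", "insert"),
                            ("nobody", "default", "select")]:
        print(who, db, action, allowed(policy, who, "server1", db, "t1", action))
```

A user missing from [users], a group missing from [groups], or a role name that is never defined in [roles] all resolve to an empty privilege list here, so every request for that user is refused.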