hive权限管理

《Hive编程指南》第18章 安全有相关内容可参考。

环境:

HDP2.4 ,hive-1.2.0, ambari统一管理

目前hive支持简单的权限管理,默认情况下是不开启,这样所有的用户都具有相同的权限,同时也是超级管理员,也就对hive中的所有表都有查看和改动的权利,这样是不符合一般数据仓库的安全原则的。下面来介绍HIVE的权限管理。

Hive用户

1. Hive作为表存储层。
    使用对象:Hive's HCatalog API如Apache Pig, MapReduce 和一些大量的并行数据库, 有直接操作HDFS和元数据server的权限
2. Hive作为SQL查询引擎。
    a. hive cli: 同样有HDFS和Hive metastore操作权限
    b. ODBC/JDBC和其他HiveServer2 API users (Beeline CLI is an example),通过HiveServer2操作。
Hive三种授权模型

1. Storage Based Authorization in the Metastore Server(SBA)

 通常用于Metastore Server API的授权;hive用户1和2a, Hive配置不控制权限,通过HDFS文件进行 权限控制;hive用户2b 使用需要hive.server2.enable.doAs =true

注意:Hive 0.12.0版本之后开始支持;使用HDFS ACL(Hadoop 2.4以后版本支持)灵活控制
虽然能够保护Metastore中的元数据不被恶意用户破坏,可控制数据库、表和分区但是没有提供细粒度的访问控制(列级别、行级别)

hive-site.xml配置:

    roperty>  
    <name>hive.metastore.pre.event.listeners</name>  
    <value> org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>  
    <description>turns on metastore-side security</description>  
    </property>  
      
    <property>  
    <name>hive.security.metastore.authorization.manager</name>  
    <value>  org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>  
    <description>This tells Hive which metastore-side authorization provider to use. The default setting uses DefaultHiveMetastoreAuthorizationProvider, which implements the standard Hive grant/revoke model. To use an HDFS permission-based model (recommended) to do your authorization, use StorageBasedAuthorizationProvider as instructed above.</description>  
    </property>  
      
    <property>  
    <name>hive.security.metastore.authenticator.manager</name>  
    <value> org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>  
      <description>authenticator manager class name to be used in the metastore for authentication.  
      The user defined authenticator should implement interface   
      org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.  
      </description>  
    </property>  
      
    <property>  
    <name>hive.security.metastore.authorization.auth.reads</name>  
    <value> true</value>  
    <description>default=true,When this is set to true, Hive metastore authorization also checks for read access.</description>  
    </property>  

2. SQL Standards Based Authorization in HiveServer2(SSBA)

基于SQL标准的Hive授权为Hive授权提供了第三个选择,它完全兼容SQL的授权模型,不会给现在的用户带来向后兼容的问题,因此被推荐使用。一旦用户迁移到这种更加安全的授权机制后,默认的授权机制可以被遗弃掉。

基于SQL的授权模型可以和基于存储的授权模型(Hive Metastore Server)结合使用。

授权确认时是以提交SQL指令的用户身份为依据的,但SQL指令是以Hive Server用户身份(即Hive Server的进程用户)被执行的,因此Hive Server用户必须拥有相应目录(文件)的权限(根据SQL指令的不同,所需权限也不同)。

基于HiveServer2可提供行列级别的细粒度权限控制
在这种授权模型控制下,拥有权限使用Hive CLI、HDFS commands、Pig command line、'hadoop jar' 等工具(指令)的用户被称为特权用户。在一个组织(团队)内,仅仅一些需要执行ETL相关工作的团队需要这些特殊权限,这些工具的访问不经过HiveServer2,因此它们不受这种授权模型的控制。对于需要通过Hive CLI、Pig和MapReduce访问Hive表的用户,可以通过在Hive Metastore Server中启用Storage Based Authorization来进行相应的权限控制(否则hive cli无法进行权限控制)其它情况则可能需要结合Hadoop的安全机制进行。
限制:

(1)当授权enbled, 命令dfs, add, delete, compile和reset  disabled.

(2)transform clause被禁用。

(3)改变Hive配置的指令集合被限制为仅某些用户可以执行,可以通过hive.security.authorization.sqlstd.confwhitelist(hive-site.xml)进行配置。
(4)添加或删除函数、宏的权限被限制为仅具有admin角色的用户可以执行。
(5) 为了用户可以使用(自定义)函数,创建永久函数(create permanent functions)的功能被添加。拥有角色admin的用户可以执行该指令添加函数,所有添加的函数可以被所有的用户使用。

hive-site.xml配置:

    <property>  
    <name>hive.security.authorization.enabled</name>  
    <value>true</value>  
    </property>  
      
    <property>  
        <name>hive.server2.enable.doAs</name>  
        <value>false</value>  
    </property>  
      
    <property>  
        <name>hive.users.in.admin.role</name>  
        <value>hive</value>  
    </property>  
      
    <property>  
    <name>hive.security.authorization.manager</name>   
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>  
    </property>  
      
    <property>  
    <name>hive.security.authenticator.manager</name>   
    <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>  
    </property>  
      
    <!--  
    <property>  
    <name>hive.metastore.uris</name>  
    <value>''</value>  
    </property>  
      
    <property>  
    <name>hive.conf.restricted.list</name>   
    <value>hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager</value>   
    </property>  
    -->  

注意:

(1)拥有admin角色的用户需要运行命令“set role admin"去获取admin角色的权限;

配置完这个可以在元数据表中查询到

<property>  
    <name>hive.users.in.admin.role</name>  
    <value>hive</value>  
</property> 

查询: select * from Role_Map;

a. [Important] Before restarting HiveServer2, firstly grant admin role to the user in Beeline.  
  
grant admin to user mapr;  
This is to make sure the specified admin user has the admin role.  
If we ignore this step in Hive 0.13, then later we can not set the role to admin even if the user is specified in  hive.users.in.admin.role.  
For example:  
0: jdbc:hive2://xxx:10000/default> set hive.users.in.admin.role;  
+----------------------------------------------+  
|                     set                      |  
+----------------------------------------------+  
| hive.users.in.admin.role=mapr                |  
+----------------------------------------------+  
1 row selected (0.05 seconds)  
  
0: jdbc:hive2://xxx:10000/default> set role admin;      
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. mapr doesn't belong to role admin (state=08S01,code=1)  
b. Start HiveServer2 with the following additional command-line options.  
  
-hiveconf hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory  
-hiveconf hive.security.authorization.enabled=true  
-hiveconf hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator  
c.  Test admin role.  
  
0: jdbc:hive2://xxx:xxx/default> set role admin;                                             
No rows affected (0.824 seconds)  
0: jdbc:hive2://xxx:xxx/default> show current roles;  
+--------+  
|  role  |  
+--------+  
| admin  |  
|        |  
+--------+  
2 rows selected (0.391 seconds)
(2)HiveServer2可以配置了用嵌入的metastore( 这个没有测试)

hiveserver2-site.xml的配置:

    <property>  
    <name>hive.security.authorization.enabled</name>  
    <value>true</value>  
    </property>  
      
    <property>  
    <name>hive.security.authorization.manager</name>   
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>  
    </property>  
      
    <property>  
    <name>hive.security.authenticator.manager</name>   
    <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>  
    </property>  
      
    <property>  
    <name>hive.metastore.uris</name>   
    <value>thrift://localhost:9083</value>  
    </property>  
3. Hive Default Authorization
 缺陷:类似于关系型的授权模式,但用户的授权许可没有定义,任何用户都可以授权和撤回
 类似2,提供grant/revoke控制权限,Hive Cli支持

Hive授权定义在不同级别: Users Groups Roles, 其中之一的权限checks通过, hive操作即可执行

默认情况,metastore使用HadoopDefaultAuthenticator

hive-site.xml配置:

    <property>    
      <name>hive.security.authorization.enabled</name>     
      <value>true</value>    
      <description>Enable or disable the hive client authorization</description>    
    </property>   
      
    <property>    
      <name>hive.security.authorization.createtable.owner.grants</name>    
      <value>ALL</value>    
      <description>The privileges automatically granted to the owner whenever    
      a table gets created.An example like "select,drop" will grant select    
      and drop privilege to the owner of the table</description>    
    </property>   
      
    <!--可选,未测-->  
    <property>    
      <name>hive.security.authorization.createtable.user.grants</name>    
      <value>ALL</value>    
    </property>   
      
    <!--可选,未测-->  
    <property>    
      <name>hive.security.authorization.createtable.group.grants</name>    
      <value>ALL</value>    
    </property>   
      
    <!--可选,未测-->  
    <property>    
      <name>hive.security.authorization.createtable.role.grants</name>    
      <value>ALL</value>    
    </property>  
      
    <property>  
    <name>hive.security.authorization.manager</name>   
    <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>  
    <description>The hive client authorization manager class name.</description>    
    </property>  
      
    <property>  
    <name>hive.security.authenticator.manager</name>   
    <value>org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator</value>   
    </property>  

我的配置:


Ambari配置按上面配置会有一个报错:hive.security.authorization.enabled= true后hive_security_authorization should not be None if hive.security.authorization.enabled is set。

如何配置:https://issues.apache.org/jira/browse/AMBARI-11575

Privileges, Users 和Roles

(1) Privileges可以被授权给Users和Roles;

(2) Users可以有一个或多个角色

默认角色都是public, 所有的用户都有public角色。只有Admin角色可以create/drop/set/show roles.

元数据表:

Db_privs:记录了User/Role在DB上的权限
Tbl_privs:记录了User/Role在table上的权限
Tbl_col_privs:记录了User/Role在table column上的权限
Roles:记录了所有创建的role
Role_map:记录了User与Role的对应关系

hive> set role admin;  
hive> show roles;  
OK  
admin  
public  
role_test1  
hive> create role role_test2;OK  
Time taken: 0.644 seconds  
hive> drop  role role_test1;  
hive> show roles;  
OK  
admin  
public  
role_test2

Grant/Revoke Roles

SHOW GRANT principal_specification  
[ON object_specification [(column_list)]]  
   
principal_specification:  
    USER user  
  | GROUP group  
  | ROLE role  
   
object_specification:  
    TABLE tbl_name  
  | DATABASE db_name  
  
eg:GRANT UPDATE  ON table test to user hive;
    hive> GRANT UPDATE  ON table test to user hive;  
    FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied: Principal [name=hive, type=USER] does not have following privileges for operation GRANT_PRIVILEGE [[UPDATE with grant] on Object [type=TABLE_OR_VIEW, name=default.test]]  
    hive> set role admin;  
    OK  
    Time taken: 0.037 seconds  
    hive> show current roles;  
    OK  
    admin  
    Time taken: 0.13 seconds, Fetched: 1 row(s)  
    hive> GRANT UPDATE  ON table test to user hive;  
    OK  
    Time taken: 1.006 seconds  
    hive> alter table test rename to test01;  
    FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unable to alter table. No privilege 'Alter' found for outputs { database:default, table:test}  
    hive> create database test02;  
    FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:No privilege 'Create' found for outputs { database:test02})  
这个不明白,为什么不能正常的授权??  
0: jdbc:hive2://XXXX:10000> GRANT select ON DATABASE test TO USER hive;  
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error getting object from metastore for Object [type=DATABASE, name=test] (state=08S01,code=1)
    <pre name="code" class="plain">hive> GRANT SELECT ON TABLE test TO USER hive;  
    FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied: Principal [name=hive, type=USER] does not have following privileges for operation GRANT_PRIVILEGE [[SELECT with grant] on Object [type=TABLE_OR_VIEW, name=default.test]]  
    hive> set role admin;  
    OK  
    Time taken: 0.06 seconds  
    hive> GRANT SELECT ON TABLE test TO USER hive;  
    OK  
    Time taken: 0.566 seconds  
    hive> GRANT ALL ON TABLE test TO USER hive; #######这里不明白#######  
    FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting privileges: null   
    hive> revoke insert on table test_hive from user hive;  
    OK  
    Time taken: 0.191 seconds  
    hive> show grant user hive on table test_hive;  
    OK  
    default    test_hive            hive    USER    DELETE    true    1467708923000    hive  
    default    test_hive            hive    USER    SELECT    true    1467708923000    hive  
    default    test_hive            hive    USER    UPDATE    true    1467708923000    hive  
    Time taken: 0.031 seconds, Fetched: 3 row(s)  
    hive> insert into test_hive values(5,"rows5");  
    Query ID = hive_20160707015802_fadf5833-7367-4538-b2a9-71230cd10efd  
    Total jobs = 1  
    Launching Job 1 out of 1  
    Tez session was closed. Reopening...  
    Session re-established.  
      
      
    Status: Running (Executing on YARN cluster with App id application_1467857886938_0008)  
      
    --------------------------------------------------------------------------------  
            VERTICES      STATUS  TOTAL  COMPLETED  RUNNING  PENDING  FAILED  KILLED  
    --------------------------------------------------------------------------------  
    Map 1 ..........   SUCCEEDED      1          1        0        0       0       0  
    --------------------------------------------------------------------------------  
    VERTICES: 01/01  [==========================>>] 100%  ELAPSED TIME: 56.18 s      
    --------------------------------------------------------------------------------  
    Loading data to table default.test_hive  
    Failed with exception Unable to alter table. No privilege 'Alter' found for outputs { database:default, table:test_hive}  
    FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.MoveTask  
    hivemetastore.log报错  
    2016-07-06 23:46:52,613 ERROR [pool-3-thread-161]: metastore.RetryingHMSHandler (RetryingHMSHandler.java:invoke(159)) - MetaException(message:No privilege 'Alter' found for outputs { database:default, table:test}) at org.apache.hadoop.hive.metastore.HiveMetaStore$HMSHandler.firePreEvent(HiveMetaStore.java:2026)  

一个很常见的错误:

[root@l1035lab ~]# hive
Logging initialized using configuration in file:/etc/hive/conf/hive-log4j.properties
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/hdp/2.2.4.2-2/hadoop/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/hdp/2.2.4.2-2/hive/lib/hive-jdbc-0.14.0.2.2.4.2-2-standalone.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Exception in thread "main" java.lang.RuntimeException: org.apache.hadoop.security.AccessControlException:
Permission denied: user=root, access=WRITE, inode="/user":hdfs:hdfs:drwxr-xr-x
        at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkFsPermission(FSPermissionChecker.java:271)
        at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:257)
        at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:238)
        at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:179)
    解决办法:You need to have a user home directory on HDFS. Log as the HDFS user and create a home dir for root.  
    # su  hdfs  
    $ hdfs dfs -mkdir /user/root  
    $ hdfs dfs -chown root:root /user/root  
    如果已经有了/user/root ,查看下文件的权限  
    [root@ambari-2 ~]# hdfs dfs -ls /user  
    Found 6 items  
    drwxrwx---   - ambari-qa hdfs          0 2016-07-01 04:56 /user/ambari-qa  
    drwxr-xr-x   - hcat      hdfs          0 2016-06-29 00:13 /user/hcat  
    drwxr-xr-x   - hdfs      hdfs          0 2016-06-30 18:26 /user/hdfs  
    drwxr-xr-x   - hive      hdfs          0 2016-07-05 04:21 /user/hive  
    drwxr-xr-x   - root      root          0 2016-07-05 02:07 /user/root  
    drwxr-xr-x   - tom       tom           0 2016-07-06 20:20 /user/tom  

参考文献:

https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization#LanguageManualAuthorization-1StorageBasedAuthorizationintheMetastoreServer

http://m.blog.csdn.net/article/details?id=51312153

http://hadooptutorial.info/hive-authorization-models-and-hive-security/

http://www.cnblogs.com/yurunmiao/p/4441735.html

点击打开链接











  • 1
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值