# Setting up a Hive superuser
Reference blog: "Hive permission control and superuser implementation" (静下心来好好学习, CSDN blog)
To use Hive's authorization mechanism, two parameters must be set in hive-site.xml:
```xml
<property>
<name>hive.metastore.authorization.storage.checks</name>
<value>true</value>
</property>
<property>
<name>hive.metastore.execute.setugi</name>
<value>false</value>
</property>
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.security.authorization.createtable.owner.grants</name>
<value>ALL</value>
</property>
```
The third and fourth properties mean, respectively: enable authorization checks; the creator of a table gets all privileges on that table.
hive.security.authorization.createtable.owner.grants defaults to NULL, so the creator of a table would not be able to access it, which is clearly unreasonable.
Writing the program
1) Create a Maven project.
2) Create a HiveAdmin class that extends the hook base class.
Q: What does the AbstractSemanticAnalyzerHook class do?
3) Define the superuser group.
4) Override the base class method preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast).
ASTNode object: the syntax tree produced by parsing the Hive command.
Q: What does the preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast) method do?
5) Get the command Hive is executing.
6) Get the username from SessionState.
7) Check whether the user is a superuser.
8) If not, throw an exception with a message.
Q: What does SemanticException() do?
The program code is as follows:
```java
package com.imooc.hive.security;

import com.google.common.base.Joiner;
import org.apache.hadoop.hive.ql.parse.*;
import org.apache.hadoop.hive.ql.session.SessionState;

public class HiveAdmin extends AbstractSemanticAnalyzerHook {
    // The superuser group: only these users may run the statements listed below.
    private static String[] admins = {"hadoop"};

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast) throws SemanticException {
        switch (ast.getToken().getType()) { // identify the command Hive is executing
            case HiveParser.TOK_CREATEDATABASE:
            case HiveParser.TOK_DROPDATABASE:
            case HiveParser.TOK_CREATEROLE:
            case HiveParser.TOK_DROPROLE:
            case HiveParser.TOK_GRANT:
            case HiveParser.TOK_REVOKE:
            case HiveParser.TOK_GRANT_ROLE:
            case HiveParser.TOK_REVOKE_ROLE:
            case HiveParser.TOK_CREATETABLE:
                String username = null; // get the username from SessionState
                if (SessionState.get() != null && SessionState.get().getAuthenticator().getUserName() != null) {
                    username = SessionState.get().getAuthenticator().getUserName();
                }
                boolean isAdmin = false;
                for (String admin : admins) { // check whether the user is a superuser
                    if (admin.equalsIgnoreCase(username)) {
                        isAdmin = true;
                        break;
                    }
                }
                if (!isAdmin) { // if not, throw an exception with a message
                    throw new SemanticException(username + " is not admin, expected one of: " + Joiner.on(",").join(admins));
                }
                break;
            default:
                break;
        }
        return ast;
    }
}
```
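As an added example (not code from the original post), the same hook written so that the admin list is read from hive.users.in.admin.role, which the hive-site.xml below already sets, instead of being hard-coded; it matches the user name exactly rather than case-insensitively, also covers DROP TABLE, and logs each denied statement so an operator can see who tried what. The class name and package are assumed.

```java
package com.example.hive.security; // assumed package name

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveParser;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Assumed class name; configure it in hive.semantic.analyzer.hook like HiveAdmin above.
public class ConfiguredAdminHook extends AbstractSemanticAnalyzerHook {
    private static final Logger LOG = LoggerFactory.getLogger(ConfiguredAdminHook.class);

    // Statement types that only a configured admin may run.
    private static final Set<Integer> ADMIN_ONLY = new HashSet<>(Arrays.asList(
            HiveParser.TOK_CREATEDATABASE, HiveParser.TOK_DROPDATABASE,
            HiveParser.TOK_CREATEROLE, HiveParser.TOK_DROPROLE,
            HiveParser.TOK_GRANT, HiveParser.TOK_REVOKE,
            HiveParser.TOK_GRANT_ROLE, HiveParser.TOK_REVOKE_ROLE,
            HiveParser.TOK_CREATETABLE, HiveParser.TOK_DROPTABLE));

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast)
            throws SemanticException {
        if (!ADMIN_ONLY.contains(ast.getToken().getType())) {
            return ast; // not an admin-only statement, let normal authorization handle it
        }
        // Admin list comes from hive.users.in.admin.role (comma-separated) in hive-site.xml.
        HiveConf conf = context.getConf();
        Set<String> admins = new HashSet<>();
        for (String u : conf.getVar(HiveConf.ConfVars.USERS_IN_ADMIN_ROLE).split(",")) {
            if (!u.trim().isEmpty()) admins.add(u.trim());
        }
        SessionState ss = SessionState.get();
        String user = (ss != null && ss.getAuthenticator() != null)
                ? ss.getAuthenticator().getUserName() : null;
        // Exact, case-sensitive match: "Hadoop" and "hadoop" are different principals.
        if (user == null || !admins.contains(user)) {
            LOG.warn("Denied admin-only statement for user {}: {}", user, context.getCommand());
            throw new SemanticException("User " + user + " is not an admin; admins are " + admins);
        }
        return ast;
    }
}
```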
Add the following dependencies to pom.xml:
```xml
<dependencies>
<!-- https://mvnrepository.com/artifact/org.apache.hive/hive-exec -->
<dependency>
<groupId>org.apache.hive</groupId>
<artifactId>hive-exec</artifactId>
<version>3.1.2</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-client -->
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-client</artifactId>
<version>3.3.0</version>
</dependency>
</dependencies>
```
Compile and package the program into a jar from the terminal with:
```shell
mvn clean install
```
Jar name: udf-test-1.0-SNAPSHOT.jar
Copy the jar to the soft directory and to hive/lib.
Give the jar in the lib directory to the hadoop user:
```shell
sudo chown hadoop. udf-test-1.0-SNAPSHOT.jar
```
# Modifying the hive-site.xml configuration
```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration>
<property>
<name>javax.jdo.option.ConnectionURL</name>
<value>jdbc:mysql://localhost:3306/metastore?createDatabaseIfNotExist=true</value>
<description>the URL of the MySQL database</description>
</property>
<property>
<name>javax.jdo.option.ConnectionDriverName</name>
<value>com.mysql.jdbc.Driver</value>
<description>Driver classname for a JDBC meta store</description>
</property>
<property>
<name>javax.jdo.option.ConnectionUserName</name>
<value>hive</value>
</property>
<property>
<name>javax.jdo.option.ConnectionPassword</name>
<value>hive</value>
</property>
<property>
<name>hive.metastore.warehouse.dir</name>
<value>/hive/warehouse</value>
</property>
<property>
<name>hive.exec.scratchdir</name>
<value>/hive/tmp</value>
</property>
<property>
<name>hive.querylog.location</name>
<value>/hive/log</value>
</property>
<property>
<name>hive.users.in.admin.role</name>
<value>hadoop</value>
</property>
<property>
<name>hive.metastore.authorization.storage.checks</name>
<value>true</value>
</property>
<property>
<name>hive.metastore.execute.setugi</name>
<value>false</value>
</property>
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.security.authorization.createtable.owner.grants</name>
<value>ALL</value>
</property>
<property>
<name>hive.security.authorization.task.factory</name>
<value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
<property>
<name>hive.semantic.analyzer.hook</name>
<value>com.imooc.hive.security.HiveAdmin</value>
</property>
</configuration>
```
Q: What does each property in the file mean?
# Restart the metastore service
Kill the related process, then start it again (`hive --service metastore &`).
# Enter hive and run `show roles;`
# Kerberos authentication
Reference blog: "Introduction to Kerberos authentication" (Java大饭桶, CSDN blog)
# Apache Ranger, a permission management tool
Reference blog: "Introduction to Apache Ranger" (Java大饭桶, CSDN blog); Apache Ranger entry on Baidu Baike
# Installing and deploying Apache Ranger