使用ranger对hbase进行鉴权
本文使用ranger安全框架对hbase进行权限管理,可以对hbase的table(namespace)、column-family、column设置权限。Hbase版本为1.1.3,Ranger版本为0.5.3.
Hbase完全分布式安装
Ranger-hbase-plugin-0.5.3安装
hbase鉴权测试
Hbase完全分布式安装
本文是将Hbase安装在单节点上。
1、zookeeper安装
由于hbase依赖于zookeeper,这里使用独立的zookeeper,首先安装zookeeper。解压zookeeper 的tar包,配置zoo.cfg文件,具体配置如下:
# The number of milliseconds of each tick
tickTime=2000
# The number of ticks that the initial
# synchronization phase can take
initLimit=10
# The number of ticks that can pass between
# sending a request and getting an acknowledgement
syncLimit=5
# the directory where the snapshot is stored.
# do not use /tmp for storage, /tmp here is just
# example sakes.
dataDir=/tmp/zookeeper
# the port at which the clients will connect
clientPort=2181
#
# Be sure to read the maintenance section of the
# administrator guide before turning on autopurge.
#
# http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_maintenance
启动zookeeper: ./zkServer.sh start
查看进程执行 jps
2404 QuorumPeerMain
2、hbase安装
2.1 解压hbase tar包
2.2 修改配置文件hbase-site.xml
<configuration>
<property>
<name>hbase.rootdir</name>
<value>hdfs://xhhtest:8020/hbase113</value>
</property>
<property>
<name>hbase.cluster.distributed</name>
<value>true</value>
</property>
<property>
<name>hbase.zookeeper.quorum</name>
<value>xhhtest:2181</value>
</property>
</configuration>
2.3 启动hbase
./start-hbase.sh
2.4 查看进程 jps
Ranger-hbase-plugin-0.5.3安装
1、解压包:tar –zxvf ranger-0.5.3-hbase-plugin.tar.gz
2、修改install.properties文件
POLICY_MGR_URL=http://xhhtest:6080 (Ranger-admin 访问地址)
REPOSITORY_NAME=hbasedev (服务名称)
XAAUDIT.DB.IS_ENABLED=true
XAAUDIT.DB.FLAVOUR=MYSQL
XAAUDIT.DB.HOSTNAME= xhhtest
XAAUDIT.DB.DATABASE_NAME=ranger_audit
XAAUDIT.DB.USER_NAME=root
XAAUDIT.DB.PASSWORD=123456
3、添加软连接
假设hbase-1.1.3 安装目录为:/usr/local/ hbase-1.1.3
ranger-0.5.3-hbase-plugin 安装目录为:/usr/local/ranger-0.5.3-hbase-plugin
则执行:
ln -s /usr/local/hbase-1.1.3/conf/ /usr/local/hbase
ln -s /usr/local/hbase-1.1.3/lib/ /usr/local/hbase
4、执行 ./enable-hbase-plugin.sh
之所以执行软连接,是因为执行此脚本时需要知道hbase-1.1.3的conf 和lib所在位置。
5、重启hbase服务
hbase鉴权测试
1、在ranger-admin界面添加hbase service
2、查看插件是否成功
3、测试
(1)用root用户执行 ./hbase shell 进入hbase,创建表user
create 'user','info'
(2)用lisi用户执行 ./hbase shell 进入hbase,查看表user
scan 'user'
报权限错误如下:
hbase(main):001:0> scan 'user'
ROW COLUMN+CELL
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘lisi',action: scannerOpen, tableName:user, family:info.
Here is some help for this command:
Scan a table; pass table name and optionally a dictionary of scanner
specifications. Scanner specifications may include one or more of:
TIMERANGE, FILTER, LIMIT, STARTROW, STOPROW, ROWPREFIXFILTER, TIMESTAMP,
MAXLENGTH or COLUMNS, CACHE or RAW, VERSIONS
If no columns are specified, all columns will be scanned.
To scan all members of a column family, leave the qualifier empty as in
'col_family'.
The filter can be specified in two ways:
1. Using a filterString - more information on this is available in the
Filter Language document attached to the HBASE-4176 JIRA
2. Using the entire package name of the filter.
(3)设置policy,增加权限
再次执行ok.
总结
本文讲述了ranger鉴权hbase的过程,从安装部署、测试两个方面进行了阐述。