CDH启用 sentry

CDH启用sentry

---

CDH集群启用sentry步骤和测试。

CDH启用sentry

CDH中添加sentry服务后，按照Configuring the Sentry Service一步步进行来配置sentry服务。

Before Enabling the Sentry Service

1. 设置 hive.metastore.warehouse.dir 配置项(默认路径是/user/hive/warehouse)的权限和owner。

$ hdfs dfs -chmod -R 771 /user/hive/warehouse
$ hdfs dfs -chown -R hive:hive /user/hive/warehouse

如果已经启用了kerberos，需要 kinit -k -t hdfs.keytab hdfs。

1. Disable impersonation for HiveServer2
   配置项: hive – HiveServer2 Enable Impersonation
2. Enable the Hive user to submit YARN jobs
   Ensure the Allowed System Users property includes the hive user. If not, add hive.
   配置项: yarn – allowed.system.users
   

   Important: Ensure you have unchecked the Enable Sentry Authorization using Policy Files configuration property for both Hive and Impala under the Policy File Based Sentry category before you proceed.

Enabling the Sentry Service for Hive

1. 修改hive配置项 Sentry Service，选择”Sentry”
2. 取消选中 hive.server2.enable.impersonation

Enabling the Sentry Service for Impala

修改impala配置项Sentry Service，选择”Sentry”

Enabling the Sentry Service for Hue

修改hue配置项Sentry Service，选择”Sentry”

Important:

When Sentry is enabled, you must use Beeline to execute Hive queries. Hive CLI is not supported with Sentry and must be disabled as described here.
When Sentry is enabled, a user with no privileges on a database will not be allowed to connect to HiveServer2. This is because the use command is now executed as part of the connection to HiveServer2, which is why the connection fails. See HIVE-4256.

配置hive with sentry http://www.cloudera.com/documentation/enterprise/5-4-x/topics/sg_hive_sql.html **如果启用了kerbreos** 启用kerberos后，使用下面命令进入beeline进行设置

$ kinit -k -t hive.keytab hive
$ beeline -u "jdbc:hive2://vlnx107011:10000/default;principal=hive/vlnx107011@HADOOP.COM"
如果未启用kerberos

在hive配置sentry-site.xml 的 Hive 服务高级配置代码段（安全阀）中添加

<property>
    <name>sentry.hive.testing.mode</name>
    <value>true</value>
</property>

可以使用beeline -u “jdbc:hive2://vlnx107011:10000/” -n 进行设置，其中admin用户在sentry的sentry.service.admin.group中配置。 **Important: 用户和组使用的是Linux机器上的用户和组，而角色必须自己创建。**

配置HDFS with sentry

参考http://www.cloudera.com/documentation/enterprise/5-4-x/topics/sg_hdfs_sentry_sync.html 关于hdfs acl，参考http://www.cloudera.com/documentation/enterprise/5-4-x/topics/cdh_sg_hdfs_ext_acls.html

1. hdfs acl
2. 启用Sentry同步
3. 检查HDFS权限，dfs.permissions。
4. 设置Sentry同步路径前缀, sentry.hdfs.integration.path.prefixes，可以多个。

Sentry-HDFS authorization is focused on Hive warehouse data - that is, any data that is part of a table in Hive or Impala. The real objective of this integration is to expand the same authorization checks to Hive warehouse data being accessed from any other components such as Pig, MapReduce or Spark. At this point, this feature does not replace HDFS ACLs. Tables that are not associated with Sentry will retain their old ACLs.

存在哪些问题:

1. sentry.hdfs.integration.path.prefixes 更改需要重启hdfs
2. 启用后hdfs acl失效
3. hdfs uri不能自动统一成标准格式。/facishare-data/, hdfs:///facishare-data/, hdfs://nameservice1/facishare-data/, hdfs://nameservice1:8020/facishare-data/在sentry的理解中是不同的路径。

hue中进行sentry配置

http://gethue.com/apache-sentry-made-easy-with-the-new-hue-security-app/#howto
在ldap中新建了服务账号，用于在hue中对sentry进行设置

1. 在所有机器上同步此账号和组
2. 在sentry中将此账号组加入到管理员组sentry.service.admin.group中
3. hue中新建hive组，并将此账号加入到hive组

Hive SQL Syntax for Use with Sentry

创建和删除角色

1. 创建角色: create role ROLE_NAME
2. 删除角色: droop role ROLE_NAME

角色的授权和撤销

角色的授权(GRANT)就是给角色授予创建表、查询表等操作，撤销(REVOKE)反之。语法如下：

GRANT ROLE role_name [, role_name] TO GROUP <groupName> [,GROUP <groupName>]
REVOKE ROLE role_name [, role_name] FROM GROUP <groupName> [,GROUP <groupName>]

权限的授予和撤销

GRANT <PRIVILEGE> [, <PRIVILEGE> ] ON <OBJECT> <object_name> TO ROLE <roleName> [,ROLE <roleName>]
REVOKE <PRIVILEGE> [, <PRIVILEGE> ] ON <OBJECT> <object_name> FROM ROLE <roleName> [,ROLE <roleName>]

查看角色/组权限

SHOW ROLES;
SHOW CURRENT ROLES;
SHOW ROLE GRANT GROUP <groupName>;
SHOW GRANT ROLE <roleName>;
SHOW GRANT ROLE <roleName> on OBJECT <objectName>;

示例：

把role_test1角色授权给test组: grant role role_test1 to group test
查看test组被授权的角色: show role grant group test
取消test组的role_test1角色: revoke role role_test1 from group test

Grant privileges to analyst_role:

CREATE ROLE analyst_role;
GRANT ALL ON DATABASE analyst1 TO ROLE analyst_role;
GRANT SELECT ON DATABASE jranalyst1 TO ROLE analyst_role;
GRANT ALL ON URI 'hdfs://ha-nn-uri/landing/analyst1' TO ROLE analyst_role;

Grant privileges to junior_analyst_role:

CREATE ROLE junior_analyst_role;
GRANT ALL ON DATABASE jranalyst1 TO ROLE junior_analyst_role;
GRANT ALL ON URI 'hdfs://ha-nn-uri/landing/jranalyst1' TO ROLE junior_analyst_role;
grant all on database test to role admin_role with grant option;

Grant privileges to admin_role:

CREATE ROLE admin_role
GRANT ALL ON SERVER server TO ROLE admin_role;

Grant roles to groups:

GRANT ROLE admin_role TO GROUP admin;
GRANT ROLE analyst_role TO GROUP analyst;
GRANT ROLE jranalyst_role TO GROUP jranalyst;

转载：http://wzktravel.github.io/2016/02/25/Enabling-sentry-in-CDH/