Sentry metadata in MySQL: [Summary] Introduction to the Apache Sentry Service


Sentry is an RPC service that stores authorization metadata in a relational database and exposes RPC interfaces for retrieving and manipulating privileges. It uses Kerberos to support secure access. The Sentry Service serves authorization metadata from its backing database; it does not perform the actual authorization checks itself. When services such as Hive and Impala are configured to use Sentry for authorization, Hive and Impala act only as Sentry clients.

The earliest Sentry releases configured privileges with a policy file; over successive versions this moved to storing privileges, roles and related data in a relational database. Compared with the old policy file, the new Sentry service makes user privileges easier to manage, and it provides the more conventional GRANT/REVOKE statements for modifying them.

Policy file from early Sentry versions:

    [groups]
    manager = customers_insert_role, customers_select_role
    analyst = customers_select_role

    [roles]
    customers_insert_role = server=server1->db=customers->table=*->action=insert
    customers_select_role = server=server1->db=customers->table=*->action=select

Sentry feature history:

Sentry with policy files is added in CDH 5.1.0.

Sentry with config support is added in CDH 5.5.0.

Sentry with database-backed Sentry service is added with CDH 5.8.0.

Basic terms in Sentry:

1. object: an object protected by Sentry authorization rules, including server, database, table, URI, collection, and config

2. role: a set of rules for accessing a given object

3. privilege: e.g. insert, select, update

4. user: a user from an authentication system that can access the Sentry service; a user can be a Kerberos principal, an LDAP user id, or an identity from another authentication system

5. group: a set of one or more users. Sentry assigns roles to groups, so a group takes on the corresponding role

6. A configured group provider determines a user's affiliation with a group. The current release supports HDFS-backed groups and locally configured groups.

Privilege   Object
INSERT      DB, TABLE
SELECT      SERVER, DB, TABLE, COLUMN
UPDATE      COLLECTION, CONFIG
QUERY       COLLECTION, CONFIG
ALL         SERVER, TABLE, DB, URI, COLLECTION, CONFIG

Sentry permission model:

Sentry uses a role-based permission model with the following characteristics:

1. All users are allowed to run SHOW FUNCTIONS, SHOW LOCKS and similar statements.

2. Users see only those tables, databases, collections, configs and so on that they hold privileges on.

3. HiveQL operations such as LOAD and IMPORT require the user to hold a privilege on the corresponding URI.

4. A privilege granted on a URI is inherited recursively by its subdirectories, so it is enough to grant the privilege on a parent directory.

5. Column-level access control was introduced in CDH 5.5; in earlier versions, column-level control was done with a view that contains only the columns the user is allowed to access.

Tips

When using Sentry with Hive, queries must be run through Beeline; the Hive CLI does not support Sentry.

Object hierarchy in Hive on Sentry

Privileges can be granted on objects at different levels of the hierarchy. When a privilege is granted on an object, the objects below it in the hierarchy inherit that privilege.

For example, granting SELECT on a DATABASE to user A gives user A SELECT on every object under that DATABASE.
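As an added example (not code from the original post or from the Sentry project), the following Python evaluator parses a policy file in the legacy format shown earlier, resolves user -> group -> role -> privilege, and applies the two inheritance rules described on this page: a grant on a container object flows down to the objects it contains, and a grant on a URI covers its subdirectories. The dba group, its two roles, the HDFS path and the user-to-group map are constructed assumptions standing in for a configured group provider.

```python
import fnmatch
# Constructed sample policy in the legacy format shown above; dba and its roles are added here.
POLICY_FILE = """
[groups]
manager = customers_insert_role, customers_select_role
analyst = customers_select_role
dba = customers_admin_role, staging_uri_role
[roles]
customers_insert_role = server=server1->db=customers->table=*->action=insert
customers_select_role = server=server1->db=customers->table=*->action=select
customers_admin_role = server=server1->db=customers->action=all
staging_uri_role = server=server1->uri=hdfs://nn/data/staging->action=all
"""

def parse_policy(text):
    """Return ({group: [role, ...]}, {role: [privilege dict, ...]})."""
    groups, roles, section = {}, {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("["):
            section = line.strip("[]")
            continue
        name, _, value = (p.strip() for p in line.partition("="))
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "groups":
            groups[name] = items
        elif section == "roles":  # "server=s1->db=d->action=a" -> {"server": "s1", ...}
            roles.setdefault(name, []).extend(
                dict(kv.split("=", 1) for kv in item.split("->")) for item in items)
    return groups, roles

def privilege_covers(priv, req):
    """ALL covers any action; every object level the grant names must match the
    request (wildcards allowed); a container grant flows down to its contents, never up."""
    if priv["action"].lower() not in ("all", req["action"].lower()):
        return False
    for level in ("server", "db", "table", "column"):  # container -> base object
        if level in priv and (level not in req
                              or not fnmatch.fnmatch(req[level], priv[level])):
            return False
    if "uri" in priv:  # a URI grant covers that path and everything beneath it
        base, uri = priv["uri"].rstrip("/"), req.get("uri", "")
        return uri == base or uri.startswith(base + "/")
    return True

def is_authorized(groups, roles, user_groups, req):  # user -> groups -> roles -> grants
    return any(privilege_covers(p, req) for g in user_groups
               for r in groups.get(g, []) for p in roles.get(r, []))

GROUPS, ROLES = parse_policy(POLICY_FILE)
USER_GROUPS = {"alice": ["manager"], "bob": ["analyst"], "carol": ["dba"]}  # constructed
```

A request is a dict such as {"server": "server1", "db": "customers", "table": "orders", "action": "select"}; a table-level grant does not satisfy a database-level request (e.g. CREATE TABLE needs ALL on the DATABASE), which is the "never up" half of the rule.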


Mapping of privilege types to objects:

Privilege   Object
INSERT      DB, TABLE
SELECT      DB, TABLE, VIEW, COLUMN
ALL         SERVER, TABLE, DB, URI

Privilege hierarchy:

Base Object | Granular privileges on object | Container object that contains the base object | Privileges on container object that imply privileges on the base object
DATABASE | ALL | SERVER | ALL
TABLE | INSERT | DATABASE | ALL
TABLE | SELECT | DATABASE | ALL
COLUMN | SELECT | DATABASE | ALL
VIEW | SELECT | DATABASE | ALL

Hive and Impala operation privilege table:

Operation | Scope | Privileges Required | URI
CREATE DATABASE | SERVER | ALL
DROP DATABASE | DATABASE | ALL
CREATE TABLE | DATABASE | ALL
DROP TABLE | TABLE | ALL
CREATE VIEW (allowed if you have column-level SELECT access to the columns being used) | DATABASE; SELECT on TABLE | ALL
ALTER VIEW (allowed if you have column-level SELECT access to the columns being used) | VIEW/TABLE | ALL
DROP VIEW | VIEW/TABLE | ALL
ALTER TABLE .. ADD COLUMNS | TABLE | ALL
ALTER TABLE .. REPLACE COLUMNS | TABLE | ALL
ALTER TABLE .. CHANGE column | TABLE | ALL
ALTER TABLE .. RENAME | TABLE | ALL
ALTER TABLE .. SET TBLPROPERTIES | TABLE | ALL
ALTER TABLE .. SET FILEFORMAT | TABLE | ALL
ALTER TABLE .. SET LOCATION | TABLE | ALL | URI
ALTER TABLE .. ADD PARTITION | TABLE | ALL
ALTER TABLE .. ADD PARTITION location | TABLE | ALL | URI
ALTER TABLE .. DROP PARTITION | TABLE | ALL
ALTER TABLE .. PARTITION SET FILEFORMAT | TABLE | ALL
SHOW CREATE TABLE | TABLE | SELECT/INSERT
SHOW PARTITIONS | TABLE | SELECT/INSERT
SHOW TABLES (output includes all the tables for which the user has table-level privileges and all the tables for which the user has some column-level privileges) | TABLE | SELECT/INSERT
SHOW GRANT ROLE (output includes an additional field for any column-level privileges) | TABLE | SELECT/INSERT
DESCRIBE TABLE (output shows all columns if the user has table-level privileges or the SELECT privilege on at least one table column) | TABLE | SELECT/INSERT
LOAD DATA | TABLE | INSERT | URI
SELECT (you can grant the SELECT privilege on a view to give users access to specific columns of a table they do not otherwise have access to; see Column-level Authorization for details on allowed column-level operations) | VIEW/TABLE; COLUMN | SELECT
INSERT OVERWRITE TABLE | TABLE | INSERT
CREATE TABLE .. AS SELECT (allowed if you have column-level SELECT access to the columns being used) | DATABASE; SELECT on TABLE | ALL
USE | Any
CREATE FUNCTION | SERVER | ALL
ALTER TABLE .. SET SERDEPROPERTIES | TABLE | ALL
ALTER TABLE .. PARTITION SET SERDEPROPERTIES | TABLE | ALL

Hive-Only Operations

INSERT OVERWRITE DIRECTORY | TABLE | INSERT | URI
ANALYZE TABLE | TABLE | SELECT + INSERT
IMPORT TABLE | DATABASE | ALL | URI
EXPORT TABLE | TABLE | SELECT | URI
ALTER TABLE TOUCH | TABLE | ALL
ALTER TABLE TOUCH PARTITION | TABLE | ALL
ALTER TABLE .. CLUSTERED BY SORTED BY | TABLE | ALL
ALTER TABLE .. ENABLE/DISABLE | TABLE | ALL
ALTER TABLE .. PARTITION ENABLE/DISABLE | TABLE | ALL
ALTER TABLE .. PARTITION .. RENAME TO PARTITION | TABLE | ALL
MSCK REPAIR TABLE | TABLE | ALL
ALTER DATABASE | DATABASE | ALL
DESCRIBE DATABASE | DATABASE | SELECT/INSERT
SHOW COLUMNS (output filters out columns to which the user does not have explicit SELECT access) | TABLE | SELECT/INSERT
CREATE INDEX | TABLE | ALL
DROP INDEX | TABLE | ALL
SHOW INDEXES | TABLE | SELECT/INSERT
GRANT PRIVILEGE | Allowed only for Sentry admin users
REVOKE PRIVILEGE | Allowed only for Sentry admin users
SHOW GRANT | Allowed only for Sentry admin users
SHOW TBLPROPERTIES | TABLE | SELECT/INSERT
DESCRIBE TABLE .. PARTITION | TABLE | SELECT/INSERT
ADD JAR | Not Allowed
ADD FILE | Not Allowed
DFS | Not Allowed

Impala-Only Operations

EXPLAIN | TABLE; COLUMN | SELECT
INVALIDATE METADATA | SERVER | ALL
INVALIDATE METADATA / REFRESH
DROP FUNCTION | SERVER | ALL
COMPUTE STATS | TABLE | ALL

Managing Sentry through Hue: http://10120275.blog.51cto.com/10110275/1956777
