一、实践心得
领导说公司集群的hive要进行权限管理,然后身为底层码农的我就开始找资料进行配置实践,关于这方面的资料也不少,
主要参考这个连接,里面说得也挺详细的。http://www.aboutyun.com/thread-12549-1-1.html
总结如下:
1、若赋予用户某个表的权限,查用户在该表所属数据库的权限,是查询不出来的,要指定到那张表
2、若要赋予用户db1数据库下的t1表权限,首先要在执行 use db1;
3、编写钩子函数时,经过我自己的测试,这边是hive0.13版本,感觉非超级管理员的grant、revoke控制不了,而create role r_name是可以控制,证明该控制类是起作用的,不知道是HiveParser.TOK_XXXX有遗漏还是其他问题,或者可以直接用ast.getToken().getText()与"TOK_CREATEROLE"字符匹配,这样是没问题。
4、以上的hive权限控制,只适合于hive cli控制权限,若用jdbc、thrift接口或hue查询页面是不能起到权限控制的,所以不是完全安全的,只是用来防止用户不小心做了不适合的事情,而不是防止坏人干坏事的。
5、倘若想更好更安全控制hive权限,可以使用Kerberos认证,听说Kerberos很强大,并且可以管理hdfs与hbase等。
简单归纳如下,方便以后查询,主要分两步,第一,修改配置文件;第二,熟悉授权语法。
二、修改配置文件
1、修改hive-site.xml
<!--参数调优-->
<property>
<name>hive.exec.parallel</name>
<value>true</value>
<description>Whether to execute jobs in parallel</description>
</property>
<property>
<name>hive.exec.parallel.thread.number</name>
<value>16</value>
<description>How many jobs at most can be executed in parallel</description>
</property>
<!-- 权限配置-->
<!-- 开启hive cli的控制权限 -->
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
<description>enable or disable the hive clientauthorization</description>
</property>
<!-- 定义表创建者的权限 -->
<property>
<name>hive.security.authorization.createtable.owner.grants</name>
<value>ALL</value>
<description>
the privileges automatically granted to the owner whenever a table gets created.
</description>
</property>
<!-- 在做类似drop partition操作时,metastore是否要认证权限,默认是false -->
<property>
<name>hive.metastore.authorization.storage.checks</name>
<value>true</value>
<description>
Should the metastore do authorization checks against
the underlying storage for operations like drop-partition (disallow
the drop-partition if the user in question doesn't have permissions
to delete the corresponding directory on the storage).
</description>
</property>
<!-- 非安全模式,设置为true会令metastore以客户端的用户和组权限执行DFS操作,默认是false,这个属性需要服务端和客户端同时设置 -->
<property>
<name>hive.metastore.execute.setugi</name>
<value>false</value>
<description>
In unsecure mode, setting this property to true will cause the metastore to execute DFS operations using the client's reported user
and group permissions. Note that this property must be set on both the client
and server sides. Further note that its best effort. If client sets its to true and server sets it to false, client setting will be ignored.
</description>
</property>
<!-- 配置超级管理员,需要自定义控制类继承这个AbstractSemanticAnalyzerHook-->
<property>
<name>hive.semantic.analyzer.hook</name>
<value>com.kent.test.AuthorityHook</value>
</property>
<!-- 假如出现以下错误:
Error while compiling statement: FAILED: SemanticException The current builtin authorization in Hive is incomplete and disabled.
需要配置下面的属性 -->
<property>
<name>hive.security.authorization.task.factory</name>
<value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
2、自定义控制类(继承AbstractSemanticAnalyzerHook)
package com.kent.test;
import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveParser;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;
public class AuthorityHook extends AbstractSemanticAnalyzerHook {
private static String[] admin = {"admin", "root"};
@Override
public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context,ASTNode ast) throws SemanticException {
switch (ast.getToken().getType()) {
case HiveParser.TOK_CREATEDATABASE:
case HiveParser.TOK_DROPDATABASE:
case HiveParser.TOK_CREATEROLE:
case HiveParser.TOK_DROPROLE:
case HiveParser.TOK_GRANT:
case HiveParser.TOK_REVOKE:
case HiveParser.TOK_GRANT_ROLE:
case HiveParser.TOK_REVOKE_ROLE:
String userName = null;
if (SessionState.get() != null&&SessionState.get().getAuthenticator() != null){
userName=SessionState.get().getAuthenticator().getUserName();
}
if (!admin[0].equalsIgnoreCase(userName) && !admin[1].equalsIgnoreCase(userName)) {
throw new SemanticException(userName + " can't use ADMIN options, except "
+ admin[0]+","+admin[1] +".");
}
break;
default:
break;
}
return ast;
}
public static void main(String[] args) throws SemanticException {
String[] admin = {"admin", "root"};
String userName = "root";
for(String tmp: admin){
System.out.println(tmp);
if (!tmp.equalsIgnoreCase(userName)) {
throw new SemanticException(userName + " can't use ADMIN options, except "
+ admin[0]+","+admin[1] +".");
}
}
}
}
三、权限控制语法
1、角色权限控制
--创建和删除角色
create role role_name;
drop role role_name;
--展示所有roles
show roles
--赋予角色权限
grant select on database db_name to role role_name;
grant select on [table] t_name to role role_name;
--查看角色权限
show grant role role_name on database db_name;
show grant role role_name on [table] t_name;
--角色赋予用户
grant role role_name to user user_name
--回收角色权限
revoke select on database db_name from role role_name;
revoke select on [table] t_name from role role_name;
--查看某个用户所有角色
show role grant user user_name;
2、用户角色控制
1)权限控制表
操作(opera) 解释
ALL 所有权限
ALTER 允许修改元数据(modify metadata data of object)---表信息数据
UPDATE 允许修改物理数据(modify physical data of object)---实际数据
CREATE 允许进行Create操作
DROP 允许进行DROP操作
INDEX 允许建索引(目前还没有实现)
LOCK 当出现并发的使用允许用户进行LOCK和UNLOCK操作
SELECT 允许用户进行SELECT操作
SHOW_DATABASE 允许用户查看可用的数据库
2)语法
--赋予用户权限
grant opera on database db_name to user user_name;
grant opera on [table] t_name to user user_name;
--回收用户权限
revoke opera on database db_name from user user_name;
--查看用户权限
show grant user user_name on database db_name;
show grant user user_name on [table] t_name;