Cluster description:
The cluster has 20 nodes: wlint01, wlnamenode01 and wldatanode001~wldatanode018,
with IP addresses 192.168.32.9~192.168.32.28.
1. Generate the keytab files
Generate http.keytab (the HTTP/ principal of every node). -norandkey keeps each principal's existing keys, so any keytab already issued for these HTTP/ principals (for example to HDFS or YARN) stays valid; note that -norandkey is only accepted by kadmin.local, not by remote kadmin.
[wlbd@wlint01 keytabFile]$ sudo kadmin.local -q "xst -norandkey -k http.keytab HTTP/wlint01@HXDI.COM"
[wlbd@wlint01 keytabFile]$ sudo kadmin.local -q "xst -norandkey -k http.keytab HTTP/wlnamenode01@HXDI.COM"
[wlbd@wlint01 keytabFile]$ for i in {1..9}; do sudo kadmin.local -q "xst -norandkey -k http.keytab HTTP/wldatanode00$i@HXDI.COM"; done
[wlbd@wlint01 keytabFile]$ for i in {0..8}; do sudo kadmin.local -q "xst -norandkey -k http.keytab HTTP/wldatanode01$i@HXDI.COM"; done
Generate impala-unmerge.keytab (the impala/ principal of every node)
[wlbd@wlint01 keytabFile]$ sudo kadmin.local -q "xst -norandkey -k impala-unmerge.keytab impala/wlint01@HXDI.COM"
[wlbd@wlint01 keytabFile]$ sudo kadmin.local -q "xst -norandkey -k impala-unmerge.keytab impala/wlnamenode01@HXDI.COM"
[wlbd@wlint01 keytabFile]$ for i in {1..9}; do sudo kadmin.local -q "xst -norandkey -k impala-unmerge.keytab impala/wldatanode00$i@HXDI.COM"; done
[wlbd@wlint01 keytabFile]$ for i in {0..8}; do sudo kadmin.local -q "xst -norandkey -k impala-unmerge.keytab impala/wldatanode01$i@HXDI.COM"; done
Merge impala-unmerge.keytab and http.keytab into impala.keytab with ktutil (rkt reads a keytab into ktutil's buffer, wkt writes the buffer out as a new keytab):
[wlbd@wlint01 keytabFile]$ ktutil
ktutil: rkt http.keytab
ktutil: rkt impala-unmerge.keytab
ktutil: wkt impala.keytab
ktutil: quit
Check that the merged impala.keytab holds the expected credentials: one entry per principal and encryption type, covering all 20 HTTP/ and all 20 impala/ principals. klist only shows what the file contains; a kinit -kt against one of the entries is what proves the keys actually match the KDC.
[wlbd@wlint01 keytabFile]$ klist -kte impala.keytab
Copy impala.keytab to /etc/impala/conf on every node and restrict its permissions so that only the impala user can read it:
cp impala.keytab /etc/impala/conf/
cd /etc/impala/conf/
chmod 400 impala.keytab
chown impala:impala impala.keytab
Copying to every node can be done in a loop. The remote commands must be passed as an argument to ssh: written as `ssh host; "cmd"`, ssh opens an interactive session and the quoted string is then run locally, so the chmod/chown never reaches the remote node. Corrected form (.9 is wlint01, where the file already is):
for i in {10..28}; do scp impala.keytab 192.168.32.$i:/etc/impala/conf/; ssh 192.168.32.$i "cd /etc/impala/conf/; chmod 400 impala.keytab; chown impala:impala impala.keytab"; done
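The keytab steps above as one script, added here as an example and not taken from the original page. It builds the list of the 40 principals, exports them into a single keytab (xst appends to an existing file, so the separate http.keytab/impala-unmerge.keytab plus ktutil merge is not needed), verifies the result against the expected list by parsing klist output, and streams the file to every node over ssh with the correct owner and mode. Assumptions not stated on the page: kadmin.local runs on wlint01, the current user has passwordless ssh and sudo on every node, hostnames resolve by their short names, and the realm is HXDI.COM unless REALM is set.

```shell
#!/bin/sh
# Added example (not from the original page): build, verify and distribute the
# merged Impala keytab. Assumed: kadmin.local on this host, passwordless
# ssh + sudo to every node, short hostnames resolvable, realm HXDI.COM.
LC_ALL=C; export LC_ALL
REALM="${REALM:-HXDI.COM}"
DEST="${DEST:-/etc/impala/conf/impala.keytab}"

# The 20 cluster hosts: wlint01, wlnamenode01, wldatanode001..wldatanode018.
cluster_hosts() {
    echo wlint01
    echo wlnamenode01
    i=1
    while [ "$i" -le 18 ]; do
        printf 'wldatanode%03d\n' "$i"
        i=$((i + 1))
    done
}

# Every principal the merged keytab must hold: impala/<host> and HTTP/<host>.
impala_principals() {
    for h in $(cluster_hosts); do
        echo "impala/${h}@${REALM}"
        echo "HTTP/${h}@${REALM}"
    done
}

# Export all principals into ONE keytab (xst appends, so no ktutil merge).
# -norandkey keeps the current keys, so keytabs already issued for the HTTP/
# principals (HDFS, YARN, ...) are not invalidated.
build_keytab() {
    out="$1"
    for p in $(impala_principals); do
        sudo kadmin.local -q "xst -norandkey -k $out $p" || return 1
    done
}

# From the text of `klist -kte <keytab>`, print the distinct principals
# (the field containing '@', so the timestamp format does not matter).
principals_in_listing() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /@/) { print $i; break } }' | sort -u
}

# Print the expected principals that are absent from a klist listing
# (empty output means the keytab is complete).
missing_principals() {
    tmp=$(mktemp)
    printf '%s\n' "$1" | principals_in_listing > "$tmp"
    impala_principals | grep -v -x -F -f "$tmp" || true   # grep exits 1 when nothing is missing
    rm -f "$tmp"
}

# Mode and owner the keytab must have, as printed by `stat -c '%a %U:%G'`.
keytab_perms_ok() {
    [ "$1" = "400 impala:impala" ]
}

# Stream the keytab to each node over ssh (no world-readable temp copy) and
# verify owner and mode afterwards.
distribute_keytab() {
    keytab="$1"
    for h in $(cluster_hosts); do
        ssh "$h" "sudo sh -c 'umask 077; cat > $DEST; chown impala:impala $DEST; chmod 400 $DEST'" < "$keytab" \
            || { echo "$h: copy failed" >&2; return 1; }
        perms=$(ssh "$h" "stat -c '%a %U:%G' $DEST")
        keytab_perms_ok "$perms" || { echo "$h: wrong perms: $perms" >&2; return 1; }
    done
}

case "${1:-}" in
    build)
        build_keytab impala.keytab || exit 1
        missing=$(missing_principals "$(klist -kte impala.keytab)")
        if [ -n "$missing" ]; then echo "missing from keytab:"; echo "$missing"; exit 1; fi ;;
    distribute) distribute_keytab impala.keytab ;;
esac
```

Run `sh impala_keytab.sh build` on wlint01, then `sh impala_keytab.sh distribute`; the build step refuses to finish silently if any of the 40 principals is missing from the file, which is the failure that otherwise only shows up later as a Kerberos error on one datanode.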
Next, go to the Cloudera Manager console and edit the Impala configuration: Impala -> Configuration -> (Category) Advanced -> Impala Daemon Command Line Argument Advanced Configuration Snippet (Safety Valve)
Add the following:
IMPALA_CATALOG_ARGS="-kerberos_reinit_interval=60"
IMPALA_SERVER_ARGS="-server_name=server1 -principal=impala/[email protected]"
IMPALA_STATE_STORE_ARGS="-keytab_file=/etc/impala/conf/impala.keytab"
Note that every Impala daemon (impalad, statestored and catalogd) needs -principal and -keytab_file together, and -kerberos_reinit_interval (in minutes) for its ticket to be renewed; split across three variables as above, each daemon receives only one of the three. -server_name is the Sentry server name and must match the one used in the Sentry privileges (server1 here).
Test
Create a user in the Kerberos database and generate that user's keytab:
[wlbd@wlint01 ~]$ sudo kadmin.local -q "addprinc -randkey user1@HXDI.COM"
[wlbd@wlint01 ~]$ sudo kadmin.local -q "xst -norandkey -k user1.keytab user1@HXDI.COM"
[wlbd@wlint01 ~]$ kinit -kt user1.keytab user1@HXDI.COM
After restarting Impala, click "Status" on the Impala component page; it shows the command for entering impala-shell:
impala-shell -i wldatanode004 -d default -k
The parameters mean:
-i Specifies the host running the impalad daemon to connect to. The default port is 21000. You can connect to any host in the cluster that runs impalad. If the impalad instance you connect to uses a different port through the --fe_port flag, supply the port as well, in the form hostname:port.
-d Specifies the database to use after startup, with the same effect as a USE statement after connecting. If not given, the default database is used.
-k Use Kerberos authentication when connecting to impalad. If the impalad instance does not support Kerberos, an error is displayed.
2. Using Impala under the Sentry service
After the Sentry service is added in CDH, privileges can be set in Hive and Impala with GRANT and REVOKE statements, and both components then automatically use the same privileges.
Create two databases and their tables in the Hive CLI (only db1 is shown below)
[wlbd@wlint01 keytabFile]$ kinit -kt hive.keytab hive/wlint01
[wlbd@wlint01 keytabFile]$ hive
Logging initialized using configuration in jar:file:/opt/cloudera/parcels/CDH-5.14.2-1.cdh5.14.2.p0.3/jars/hive-common-1.1.0-cdh5.14.2.jar!/hive-log4j.properties
WARNING: Hive CLI is deprecated and migration to Beeline is recommended.
hive> create database db1;
OK
Time taken: 1.942 seconds
Create table1 in db1
create table db1.table1 (
ip STRING, country STRING, client STRING, action STRING
) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',';
load data local inpath '/app/wlbd/keytabFile/events.csv' overwrite into table db1.table1;
Grant privileges to the user through beeline
beeline -u "jdbc:hive2://wlint01:10000/;principal=hive/wlint01@HXDI.COM"
Grant user1 all privileges on db1. Sentry grants privileges to roles and roles to groups, never directly to users; the GROUP is resolved through Hadoop's group mapping, so user1 must belong to a group named user1 on the HiveServer2 and Impala hosts (or in the configured LDAP mapping), and the principal running these statements must be in a Sentry admin group (hive here).
create role user1_role;
GRANT ALL ON DATABASE db1 TO ROLE user1_role;
GRANT ROLE user1_role TO GROUP user1;
Then enter impala-shell with user1.keytab. Because db1 and table1 were created through Hive, the Impala catalog does not know about them yet, so invalidate metadata must be run before they show up.
[wlbd@wlint01 keytabFile]$ kinit -kt user1.keytab user1
[wlbd@wlint01 keytabFile]$ impala-shell -i wldatanode004 -d default -k
Starting Impala Shell using Kerberos authentication
Using service name 'impala'
Connected to wldatanode004:21000
Server version: impalad version 2.11.0-cdh5.14.2 RELEASE (build ed85dce709da9557aeb28be89e8044947708876c)
***********************************************************************************
Welcome to the Impala shell.
(Impala Shell v2.11.0-cdh5.14.2 (ed85dce) built on Tue Mar 27 13:39:48 PDT 2018)
You can run a single query from the command line using the '-q' option.
***********************************************************************************
Query: use `default`
[wldatanode004:21000] > show databases;
Query: show databases
+------------------+----------------------------------------------+
| name | comment |
+------------------+----------------------------------------------+
| _impala_builtins | System database for Impala builtin functions |
| default | Default Hive database |
+------------------+----------------------------------------------+
Fetched 2 row(s) in 0.03s
[wldatanode004:21000] > invalidate metadata;
Query: invalidate metadata
Query submitted at: 2018-06-21 17:07:17 (Coordinator: http://wldatanode004:25000)
Query progress can be monitored at: http://wldatanode004:25000/query_plan?query_id=14491ddb95368a04:fcb124b000000000
Fetched 0 row(s) in 4.19s
[wldatanode004:21000] > show databases;
Query: show databases
+------------------+----------------------------------------------+
| name | comment |
+------------------+----------------------------------------------+
| _impala_builtins | System database for Impala builtin functions |
| db1 | |
| default | Default Hive database |
+------------------+----------------------------------------------+
Fetched 3 row(s) in 0.03s
[wldatanode004:21000] > show tables in db1;
Query: show tables in db1
+--------+
| name |
+--------+
| table1 |
+--------+
Fetched 1 row(s) in 0.03s
If a new table table2 is created in db1, it can be picked up with invalidate metadata db1.table2, which is much cheaper than a global invalidate metadata;
[wldatanode004:21000] > invalidate metadata db1.table2;
Query: invalidate metadata db1.table2
Query submitted at: 2018-06-21 17:13:32 (Coordinator: http://wldatanode004:25000)
Query progress can be monitored at: http://wldatanode004:25000/query_plan?query_id=4e46f16a19e4b096:5fd05f8c00000000
Fetched 0 row(s) in 0.04s
[wldatanode004:21000] > show tables in db1;
Query: show tables in db1
+--------+
| name |
+--------+
| table1 |
| table2 |
+--------+
Fetched 2 row(s) in 0.03s
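The grant above only shows that user1 can see db1; a practitioner also wants proof that user1 cannot do anything beyond it. The script below is an added example, not code from the original page: it runs an expected access matrix through impala-shell as user1 (each statement in its own private credential cache, so the operator's ticket is untouched) and reports every mismatch. Sentry denials surface in Impala's error text as an AuthorizationException, which is what separates "denied" from "broken". Assumptions not stated on the page: impala-shell is on PATH, the coordinator is wldatanode004 (override with COORD), user1.keytab is in the current directory, and a second database db2 with a table table1 exists that user1 has not been granted.

```shell
#!/bin/sh
# Added example (not from the original page): verify the Sentry grants give
# user1 exactly the intended access. Assumed: impala-shell on PATH, coordinator
# wldatanode004, user1.keytab in the current directory, db2.table1 exists and
# is NOT granted to user1.
COORD="${COORD:-wldatanode004}"
USER_KEYTAB="${USER_KEYTAB:-user1.keytab}"
USER_PRINC="${USER_PRINC:-user1@HXDI.COM}"

# Map impala-shell's exit status and output to ALLOW / DENY / ERROR.
# A Sentry denial is an AuthorizationException; any other non-zero result
# (connection failure, syntax error) is an ERROR and must not count as DENY.
classify_result() {
    rc="$1"; out="$2"
    if [ "$rc" -eq 0 ]; then
        echo ALLOW
    elif printf '%s\n' "$out" | grep -q 'AuthorizationException'; then
        echo DENY
    else
        echo ERROR
    fi
}

# Run one statement as the keytab's principal in a private credential cache
# and print the outcome.
run_as() {
    keytab="$1"; princ="$2"; sql="$3"
    cc=$(mktemp)
    if ! KRB5CCNAME="FILE:$cc" kinit -kt "$keytab" "$princ" 2>/dev/null; then
        rm -f "$cc"; echo ERROR; return 1
    fi
    out=$(KRB5CCNAME="FILE:$cc" impala-shell -k -i "$COORD" -B -q "$sql" 2>&1)
    rc=$?
    KRB5CCNAME="FILE:$cc" kdestroy 2>/dev/null; rm -f "$cc"
    classify_result "$rc" "$out"
}

run_as_user1() { run_as "$USER_KEYTAB" "$USER_PRINC" "$1"; }

# Expected matrix, "<statement>|<outcome>". user1_role holds ALL on db1 only,
# so other databases and server-level actions must be denied.
expected_matrix() {
cat <<'EOF'
select count(*) from db1.table1|ALLOW
describe db1.table1|ALLOW
show tables in db1|ALLOW
select count(*) from db2.table1|DENY
create database db3|DENY
EOF
}

# Run every row of the matrix through $1 (a function that takes the SQL text
# and prints ALLOW/DENY/ERROR); print each mismatch, return 1 if any.
check_matrix() {
    runner="$1"; failures=0
    while IFS='|' read -r sql want; do
        [ -n "$sql" ] || continue
        got=$("$runner" "$sql") || true
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: [$sql] expected $want, got $got"
            failures=$((failures + 1))
        fi
    done <<EOF
$(expected_matrix)
EOF
    [ "$failures" -eq 0 ]
}

case "${1:-}" in
    check) check_matrix run_as_user1 && echo "access matrix OK" ;;
esac
```

Run `sh sentry_check.sh check` after every GRANT or REVOKE; a DENY row that comes back ALLOW is the regression this is meant to catch, and an ERROR row means the check itself could not reach Impala, which should never be read as a successful denial.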