简介
Apache Sentry的目标是实现授权管理,它是一个策略引擎,被数据处理工具用来验证访问权限。它也是一个高度扩展的模块,可以支持任何的数据模型。当前,它支持Apache Hive和Cloudera Impala的关系数据模型,以及Apache中的有继承关系的数据模型。
Sentry提供了定义和持久化访问资源的策略的方法。目前,这些策略可以存储在文件里或者是能使用RPC服务访问的数据库后端存储里。数据访问工具,例如Hive,以一定的模式辨认用户访问数据的请求,例如从一个表读一行数据或者删除一个表。这个工具请求Sentry验证访问是否合理。Sentry构建请求用户被允许的权限的映射并判断给定的请求是否允许访问。请求工具这时候根据Sentry的判断结果来允许或者禁止用户的访问请求。
Sentry授权包括以下几种角色:
- 资源:可能是Server、Database、Table、或者URL(例如:HDFS或者本地路径)。Sentry1.5中支持对列进行授权。
- 权限:授权访问某一个资源的规则。
- 角色:角色是一系列权限的集合。
- 用户和组:一个组是一系列用户的集合。Sentry 的组映射是可以扩展的。默认情况下,Sentry使用Hadoop的组映射(可以是操作系统组或者LDAP中的组)。Sentry允许你将用户和组进行关联,你可以将一系列的用户放入到一个组中。Sentry不能直接给一个用户或组授权,需要将权限授权给角色,角色可以授权给一个组而不是一个用户。
权限相关库表
CREATE TABLE `SENTRY_DB_PRIVILEGE` (
`DB_PRIVILEGE_ID` BIGINT NOT NULL,
`PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
`SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
`DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
`TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
`COLUMN_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
`URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
`ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
`CREATE_TIME` BIGINT NOT NULL,
`WITH_GRANT_OPTION` CHAR(1) NOT NULL,
PRIMARY KEY (`DB_PRIVILEGE_ID`),
UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`),
KEY `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`),
INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`),
INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`),
INDEX `SENTRY_PRIV_COL_IDX` (`COLUMN_NAME`),
INDEX `SENTRY_PRIV_URI_IDX` (`URI`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='DB权限';
CREATE TABLE `SENTRY_ROLE` (
`ROLE_ID` BIGINT NOT NULL PRIMARY KEY,
`ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
`CREATE_TIME` BIGINT NOT NULL,
UNIQUE KEY `SENTRY_ROLE_ROLE_NAME_UNIQUE` (`ROLE_NAME`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='角色表';
CREATE TABLE `SENTRY_GROUP` (
`GROUP_ID` BIGINT NOT NULL PRIMARY KEY,
`GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
`CREATE_TIME` BIGINT NOT NULL,
UNIQUE KEY `SENTRY_GRP_GRP_NAME_UNIQUE` (`GROUP_NAME`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='用户组表';
CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
`ROLE_ID` BIGINT NOT NULL,
`DB_PRIVILEGE_ID` BIGINT NOT NULL,
`GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin,
PRIMARY KEY `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` (`ROLE_ID`,`DB_PRIVILEGE_ID`),
CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK` FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`),
CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK` FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='角色和DB之间的关联';
CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
`ROLE_ID` BIGINT NOT NULL,
`GROUP_ID` BIGINT NOT NULL,
`GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin,
PRIMARY KEY `SENTRY_ROLE_GROUP_MAP_PK` (`ROLE_ID`,`GROUP_ID`),
CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK` FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`),
CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK` FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='角色和组之间的关联';
CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
`VER_ID` BIGINT NOT NULL PRIMARY KEY,
`SCHEMA_VERSION` VARCHAR(127) NOT NULL,
`VERSION_COMMENT` VARCHAR(255) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='SENTRY版本';
CREATE TABLE `SENTRY_USER` (
`USER_ID` BIGINT PRIMARY KEY NOT NULL,
`USER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
`CREATE_TIME` BIGINT NOT NULL,
UNIQUE KEY `SENTRY_USER_USER_NAME_UNIQUE` (`USER_NAME`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='SENTRY用户表';
CREATE TABLE `SENTRY_ROLE_USER_MAP` (
`ROLE_ID` BIGINT NOT NULL,
`USER_ID` BIGINT NOT NULL,
`GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin,
PRIMARY KEY `SENTRY_ROLE_USER_MAP_PK` (`ROLE_ID`,`USER_ID`),
CONSTRAINT `SEN_ROLE_USER_MAP_SEN_ROLE_FK` FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`),
CONSTRAINT `SEN_ROLE_USER_MAP_SEN_USER_FK` FOREIGN KEY (`USER_ID`) REFERENCES `SENTRY_USER`(`USER_ID`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='用户和角色之间的关联';
INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.8.0', 'Sentry release version 1.8.0');
-- Generic Model
-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
CREATE TABLE `SENTRY_GM_PRIVILEGE`
(
`GM_PRIVILEGE_ID` BIGINT PRIMARY KEY NOT NULL,
`ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
`COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
`CREATE_TIME` BIGINT NOT NULL,
`WITH_GRANT_OPTION` CHAR(1) NOT NULL,
`RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
`RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
`RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
`RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
`RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
`RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
`RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
`RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
`SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
`SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
UNIQUE KEY `GM_PRIVILEGE_UNIQUE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`),
KEY `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`),
KEY `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`),
KEY `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`),
KEY `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`),
KEY `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`),
KEY `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
(
`ROLE_ID` BIGINT NOT NULL,
`GM_PRIVILEGE_ID` BIGINT NOT NULL,
PRIMARY KEY `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` (`ROLE_ID`,`GM_PRIVILEGE_ID`),
CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK` FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`),
CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK` FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`)
) ENGINE=INNODB DEFAULT CHARSET=utf8;