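Environment: we have already installed a Hadoop cluster, Hive, Hue, and the Beeline command-line tool.
Hue: mainly a visual client for working with the Hive data warehouse; we can use Hue to add administrator user accounts to Hive.
Beeline:
HiveServer2 provides a new command-line tool, Beeline, which is a JDBC client based on the SQLLine CLI. For background on SQLLine, see: http://sqlline.sourceforge.NET/#manual
Beeline has two working modes: local embedded mode and remote mode. In embedded mode it runs an embedded Hive (similar to the Hive CLI). In remote mode it connects to a separate HiveServer2 process over the Thrift protocol.
Below is a simple example of logging in with Beeline: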
[root@master ~]# beeline -u "jdbc:hive2://localhost:10000/"
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Java HotSpot(TM) 64-Bit Server VM warning: Using incremental CMS is deprecated and will likely be removed in a future release
17/01/11 09:38:12 WARN mapreduce.TableMapReduceUtil: The hbase-prefix-tree module jar containing PrefixTreeCodec is not present. Continuing without it.
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
scan complete in 4ms
Connecting to jdbc:hive2://localhost:10000/
Connected to: Apache Hive (version 1.1.0-cdh5.8.0)
Driver: Hive JDBC (version 1.1.0-cdh5.8.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 1.1.0-cdh5.8.0 by Apache Hive
0: jdbc:hive2://localhost:10000/> use zfs_test
. . . . . . . . . . . . . . . . > ;
INFO : Compiling command(queryId=hive_20170111093838_10154f16-eba2-47eb-b99c-50e52d03b082): use zfs_test
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20170111093838_10154f16-eba2-47eb-b99c-50e52d03b082); Time taken: 0.051 seconds
INFO : Executing command(queryId=hive_20170111093838_10154f16-eba2-47eb-b99c-50e52d03b082): use zfs_test
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20170111093838_10154f16-eba2-47eb-b99c-50e52d03b082); Time taken: 0.024 seconds
INFO : OK
No rows affected (0.205 seconds)
0: jdbc:hive2://localhost:10000/> show tables
. . . . . . . . . . . . . . . . > ;
INFO : Compiling command(queryId=hive_20170111093838_0fac13fa-b631-4b9b-ad1a-6b7fdfb4a1ae): show tables
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:tab_name, type:string, comment:from deserializer)], properties:null)
INFO : Completed compiling command(queryId=hive_20170111093838_0fac13fa-b631-4b9b-ad1a-6b7fdfb4a1ae); Time taken: 0.01 seconds
INFO : Executing command(queryId=hive_20170111093838_0fac13fa-b631-4b9b-ad1a-6b7fdfb4a1ae): show tables
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20170111093838_0fac13fa-b631-4b9b-ad1a-6b7fdfb4a1ae); Time taken: 0.041 seconds
INFO : OK
+-------------+--+
| tab_name |
+-------------+--+
| employee |
| employee11 |
+-------------+--+
2 rows selected (0.13 seconds)
Connecting remotely to HiveServer2:
beeline -u "jdbc:hive2://hadoop1:10000/hamza_group_1" --hivevar hamza.usr="hamza_group" --hivevar hamza.passwd="hMyLXJ6uddQSy1WU" --color=true;
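To exit the Beeline command line, use !quit. Once logged in, DDL and DML are run by typing the SQL statement directly, ending it with a semicolon, and pressing Enter.
After logging in to Hive with the HiveServer2 Beeline command-line tool:
we can directly grant users and roles privileges such as create, drop, select, alter and delete.
Below are some of the commands for granting privileges: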
-- Create and drop a role
create role role_name;
drop role role_name;
-- Show all roles
show roles;
-- Grant privileges to a role
grant select on database zfs_test to role zfs_role;
grant select on [table] employee to role user1_1;
-- Show a role's privileges
show grant role role_name on database db_name;
show grant role role_name on [table] t_name;
-- Grant a role to a user
grant role role_name to user user_name;
-- Revoke privileges from a role
revoke select on database db_name from role role_name;
revoke select on [table] t_name from role role_name;
-- Show all roles of a given user
show role grant user user_name;
-- Show the roles granted to a user
show role grant user user1_1;
-- Show how all privileges are assigned
show grant;
-- Show the privileges assigned to a single role
show grant role zfs_role;
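Now the biggest problem appears: by default Hive lets every user grant privileges to themselves, so a user who lacks a privilege can simply grant it to themselves, which makes the earlier grants meaningless. So we now create superusers, so that only one or two superusers (here admin and hive) can grant privileges and no other user can.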
package com.hive;

import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveParser;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;

public class AuthorityHook extends AbstractSemanticAnalyzerHook {
    // The only users allowed to run administrative statements.
    private static String[] admin = {"admin", "hive"};

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast) throws SemanticException {
        // Inspect the root token of the parsed statement before semantic analysis.
        switch (ast.getToken().getType()) {
            case HiveParser.TOK_CREATEDATABASE:
            case HiveParser.TOK_DROPDATABASE:
            case HiveParser.TOK_CREATEROLE:
            case HiveParser.TOK_DROPROLE:
            case HiveParser.TOK_GRANT:
            case HiveParser.TOK_REVOKE:
            case HiveParser.TOK_GRANT_ROLE:
            case HiveParser.TOK_REVOKE_ROLE:
                // Resolve the authenticated user of the current session.
                String userName = null;
                if (SessionState.get() != null && SessionState.get().getAuthenticator() != null) {
                    userName = SessionState.get().getAuthenticator().getUserName();
                }
                // A null user name matches neither entry, so the statement is rejected.
                if (!admin[0].equalsIgnoreCase(userName) && !admin[1].equalsIgnoreCase(userName)) {
                    throw new SemanticException(userName + " can't use ADMIN options, except "
                            + admin[0] + "," + admin[1] + ".");
                }
                break;
            default:
                // All other statements pass through unchanged.
                break;
        }
        return ast;
    }

    // Local check of the comparison logic, outside of Hive.
    public static void main(String[] args) throws SemanticException {
        String[] admin = {"admin", "hive"};
        String userName = "admin";
        if (!admin[0].equalsIgnoreCase(userName) && !admin[1].equalsIgnoreCase(userName)) {
            throw new SemanticException(userName + " can't use ADMIN options, except "
                    + admin[0] + "," + admin[1] + ".");
        }
    }
}
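Below is my pom.xml:
<project>
    <modelVersion>4.0.0</modelVersion>
    <groupId>hive.bigdata</groupId>
    <artifactId>user_auth</artifactId>
    <version>1.0-SNAPSHOT</version>
    <dependencies>
        <dependency>
            <groupId>org.apache.hive</groupId>
            <artifactId>hive-exec</artifactId>
            <version>1.1.0-cdh5.8.0</version>
            <scope>system</scope>
            <systemPath>F:/IdeaProjects/hive-exec-1.1.0-cdh5.8.0.jar</systemPath>
        </dependency>
        <dependency>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
            <version>1.2</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.apache.hadoop</groupId>
            <artifactId>hadoop-mapreduce-client-jobclient</artifactId>
            <version>2.6.0</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>
</project>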
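The hive-exec-1.1.0-cdh5.8.0.jar file can be copied straight from the production environment, at: /opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hive/lib/hive-exec-1.1.0-cdh5.8.0.jar
Also, when packaging there is no need to bundle the imported jars; use
<scope>provided</scope> to leave them out.
<systemPath>F:/IdeaProjects/hive-exec-1.1.0-cdh5.8.0.jar</systemPath>
This line references the local jar directly.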
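After packaging, upload the jar to the production environment; on a CDH-installed cluster it must be uploaded to the designated directory on the master node:
If this path does not exist, create it yourself. Then enable Hive authorization and set hive.semantic.analyzer.hook (to the fully qualified name of the class we developed).
Once all of the above is done, restart the Hive cluster.
This completes the configuration of the superusers and Hive privileges.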
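A hive-site.xml fragment for the authorization and hook settings described above, as an added example that is not from the original post. It assumes the hook class is the com.hive.AuthorityHook shown earlier; the hive.conf.restricted.list entry is an addition the post does not mention, and its first three values are assumed to be the Hive 1.1 defaults, to be checked against your deployment.

```xml
<!-- Added example, constructed for this page; not the author's actual configuration. -->
<configuration>
  <!-- Turn on Hive's authorization checks so that grants and revokes are enforced. -->
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>
  <!-- Run the custom hook's preAnalyze() on every statement before semantic analysis. -->
  <property>
    <name>hive.semantic.analyzer.hook</name>
    <value>com.hive.AuthorityHook</value>
  </property>
  <!-- Assumption (not in the post): keep the hook setting immutable at runtime,
       so a session-level "set" cannot change it. Setting this property replaces
       the default list, so the assumed defaults are repeated before the new entry. -->
  <property>
    <name>hive.conf.restricted.list</name>
    <value>hive.security.authenticator.manager,hive.security.authorization.manager,hive.users.in.admin.role,hive.semantic.analyzer.hook</value>
  </property>
</configuration>
```

After the restart, a grant issued from Beeline by a user other than admin or hive should fail with the hook's "can't use ADMIN options" message.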