CDH: Kerberos Authentication and Sentry Authorization Management (Part 1)

1. Overview of Kerberos and Sentry

1.1 What is Kerberos

        Kerberos is a network authentication protocol (not an authorization protocol) for verifying the identity of communicating parties over an insecure network. The name also refers to the software suite MIT developed to implement the protocol. It uses a client/server design with mutual authentication: the client and the server each verify the other's identity. It protects against eavesdropping and replay and provides data integrity, and it is built on symmetric-key cryptography with a trusted third party, the KDC, managing the keys.

1.2 What is Sentry

        Apache Sentry is an open-source Hadoop component originally released by Cloudera; it became an Apache top-level project in March 2016. Sentry is a fine-grained, role-based authorization module: it lets users who have already been authenticated on a Hadoop cluster be granted, and held to, precise privileges on data. It integrates with Hive, Impala, Solr, HDFS and HBase and is designed as a pluggable authorization engine for Hadoop components: administrators define authorization rules, and Sentry validates each user's or application's access request against them. (Sentry has since been retired to the Apache Attic and newer Cloudera releases use Apache Ranger instead, but the role and group model shown below is what CDH 6 ships.)

        Kerberos handles authentication of platform users; Sentry handles authorization of data access. The two are meant to work together: Sentry can only enforce rules on an identity it trusts, and it is Kerberos that makes that identity trustworthy.

2. Sentry Authorization Management without Kerberos

2.1 Add the Sentry service

This post uses Sentry with Hive as the example.

Note: the sentry database referenced in figure 5 can be created by following the post linked below, or directly with the statement shown here. Give the Sentry server its own MySQL account whose privileges are limited to this database rather than reusing an administrative account.

CDH大数据平台入门篇之搭建与部署_cdh大数据平台搭建_啊 这的博客-CSDN博客

# Create the sentry database
mysql> CREATE DATABASE sentry DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
Query OK, 1 row affected (0.00 sec)

[Figures 1–8: Cloudera Manager screenshots for adding the Sentry service (not reproduced)]

2.2 Enable the Sentry service in the Hive configuration

[Figures 9–10: Cloudera Manager screenshots of the Hive configuration with the Sentry service selected (not reproduced)]

(1) Restart the services flagged with stale configuration.

[Figures 11–13: screenshots of the stale-configuration restart (not reproduced)]

(2) Enable stored notifications in the database (tick the box). Sentry's metastore follower reads these notification events to keep its privilege store in step with metastore changes such as renames and drops.

[Figures 14–17: screenshots (not reproduced)]

3. Authorization with the Sentry service

        Note: the hive and test users used below are OS users. hive was created automatically when the CDH cluster was built; test was created with useradd for testing. Because the cluster has no Kerberos at this point, HiveServer2 does not verify these identities: whatever name a client passes with beeline -n is accepted as the user, and Sentry evaluates privileges for that claimed name. Everything in this part therefore demonstrates the authorization model, not a secure deployment.

3.1 Connect as the hive user and list roles

[root@hadoop105 ~]# beeline 
WARNING: Use "yarn jar" to launch YARN applications.
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/log4j-slf4j-impl-2.8.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Beeline version 2.1.1-cdh6.3.2 by Apache Hive
beeline> show roles;
No current connection
beeline> !connec jdbc:hive2://localhost:10000 hive ""
Connecting to jdbc:hive2://localhost:10000
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://localhost:10000> show roles;
Error: Error while compiling statement: FAILED: InvalidConfigurationException hive.server2.authentication can't be none in non-testing mode (state=42000,code=40000)
0: jdbc:hive2://localhost:10000>

(1) Roles cannot be listed because the cluster has no authentication configured: HiveServer2 is running with hive.server2.authentication set to NONE, and Sentry refuses to operate in that state unless it is explicitly put into testing mode (the guard that raises this error reads sentry.hive.testing.mode). To get past it you either enable real authentication, the subject of the next part, or set sentry.hive.testing.mode=true in the HiveServer2 configuration as in the screenshot below. The testing-mode setting exists only to let Sentry run without a trusted identity; do not carry it into production.

[Figure 18: Cloudera Manager screenshot of the HiveServer2 parameter (not reproduced)]

(2) After the restart, connect to HiveServer2 with beeline again, this time passing the hive user name:

# Connect as the hive user
[root@hadoop105 ~]# beeline -u 'jdbc:hive2://localhost:10000' -n hive
Connecting to jdbc:hive2://localhost:10000
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 2.1.1-cdh6.3.2 by Apache Hive
0: jdbc:hive2://localhost:10000> show roles;
INFO  : Compiling command(queryId=hive_20230329102644_1ef24095-ce04-4c10-9cc0-2e96f7a0523c): show roles
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:role, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230329102644_1ef24095-ce04-4c10-9cc0-2e96f7a0523c); Time taken: 2.816 seconds
INFO  : Executing command(queryId=hive_20230329102644_1ef24095-ce04-4c10-9cc0-2e96f7a0523c): show roles
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329102644_1ef24095-ce04-4c10-9cc0-2e96f7a0523c); Time taken: 0.145 seconds
INFO  : OK
+-------+
| role  |
+-------+
+-------+
No rows selected (3.383 seconds)
0: jdbc:hive2://localhost:10000> 

(3) In the process it became apparent that, besides default, there had been a database called hive_test; now only default is listed. After disabling Sentry for Hive and restarting Hive, hive_test reappears, which shows Sentry is in effect: SHOW DATABASES only lists databases on which the caller's roles hold some privilege, and the hive user holds no role yet.

# With the Sentry service enabled
0: jdbc:hive2://localhost:10000> show databases;
INFO  : Compiling command(queryId=hive_20230329142913_e7f84bd2-a7dd-49e9-8393-b7b14d6f510f): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230329142913_e7f84bd2-a7dd-49e9-8393-b7b14d6f510f); Time taken: 0.161 seconds
INFO  : Executing command(queryId=hive_20230329142913_e7f84bd2-a7dd-49e9-8393-b7b14d6f510f): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329142913_e7f84bd2-a7dd-49e9-8393-b7b14d6f510f); Time taken: 0.015 seconds
INFO  : OK
+----------------+
| database_name  |
+----------------+
| default        |
+----------------+
1 row selected (0.26 seconds)
0: jdbc:hive2://localhost:10000> 

# After disabling the Sentry service
+----------------+
| database_name  |
+----------------+
| default        |
| hive_test      |
+----------------+
2 rows selected (0.26 seconds)

(4) This raises a question: entering the Hive CLI with the hive command and no explicit user, the current user can see the hive_test database, and that default user turns out to be hdfs, yet connecting as hdfs through beeline does not show it. Why, and what is the difference between the two? And why is the default user not hive or root? (Explained later.) What the transcript already shows is that the Hive CLI does not go through HiveServer2, so Sentry's HiveServer2 binding never evaluates it: the CLI lists every database, and its "show roles" failure comes from Hive's built-in SQL-standard authorization, not from Sentry. Any host where users can run the Hive CLI is therefore a bypass of the Sentry policy, which is one reason Cloudera deprecates the CLI in favour of Beeline.

[root@hadoop105 ~]# hive

Logging initialized using configuration in jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/hive-common-2.1.1-cdh6.3.2.jar!/hive-log4j2.properties Async: false

WARNING: Hive CLI is deprecated and migration to Beeline is recommended.
hive> show databases;
OK
default
hive_test
Time taken: 1.366 seconds, Fetched: 2 row(s)
hive> show roles;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hdfs is not allowed to list roles. User has to belong to ADMIN role and have it as current role, for this action.
hive> 

3.2 Create an administrator role

# Create an admin role
0: jdbc:hive2://localhost:10000> create role admin;
INFO  : Compiling command(queryId=hive_20230329103934_e13a4a95-0202-4c4f-8ccf-d724396c7684): create role admin
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329103934_e13a4a95-0202-4c4f-8ccf-d724396c7684); Time taken: 0.044 seconds
INFO  : Executing command(queryId=hive_20230329103934_e13a4a95-0202-4c4f-8ccf-d724396c7684): create role admin
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329103934_e13a4a95-0202-4c4f-8ccf-d724396c7684); Time taken: 0.012 seconds
INFO  : OK
No rows affected (0.067 seconds)

# List roles
0: jdbc:hive2://localhost:10000> show roles;
INFO  : Compiling command(queryId=hive_20230329103940_7beb78ea-081d-4d5b-a681-a1a0a4068229): show roles
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:role, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230329103940_7beb78ea-081d-4d5b-a681-a1a0a4068229); Time taken: 0.046 seconds
INFO  : Executing command(queryId=hive_20230329103940_7beb78ea-081d-4d5b-a681-a1a0a4068229): show roles
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329103940_7beb78ea-081d-4d5b-a681-a1a0a4068229); Time taken: 0.009 seconds
INFO  : OK
+--------+
|  role  |
+--------+
| admin  |
+--------+
1 row selected (0.077 seconds)
0: jdbc:hive2://localhost:10000> 

3.3 Grant the admin role all privileges on the server

# Grant ALL on server1 (the Sentry server name of this Hive instance) to the admin role.
# This is the superuser privilege in Sentry's model: it implies every privilege on every database, table and column below it.
0: jdbc:hive2://localhost:10000> grant all on server server1 to role admin;
INFO  : Compiling command(queryId=hive_20230329104042_b46444f8-bc83-4f2e-8ba4-8acb36588233): grant all on server server1 to role admin
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329104042_b46444f8-bc83-4f2e-8ba4-8acb36588233); Time taken: 0.056 seconds
INFO  : Executing command(queryId=hive_20230329104042_b46444f8-bc83-4f2e-8ba4-8acb36588233): grant all on server server1 to role admin
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329104042_b46444f8-bc83-4f2e-8ba4-8acb36588233); Time taken: 0.078 seconds
INFO  : OK
No rows affected (0.148 seconds)
0: jdbc:hive2://localhost:10000> 

3.4 Grant the admin role to the hive group

        Once the role is bound to the hive group, the hive_test database that was invisible before is listed again. Keep in mind what this grant means without authentication in front of HiveServer2: anyone who can reach port 10000 and sends -n hive is now a Sentry superuser.

# Grant the admin role to the hive group (Sentry binds roles to groups, not to users; see 3.6)
0: jdbc:hive2://localhost:10000> grant role admin to group hive;
INFO  : Compiling command(queryId=hive_20230329172329_ff78ccc3-3aec-4299-af36-b7fdfb120194): grant role admin to group hive
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329172329_ff78ccc3-3aec-4299-af36-b7fdfb120194); Time taken: 0.044 seconds
INFO  : Executing command(queryId=hive_20230329172329_ff78ccc3-3aec-4299-af36-b7fdfb120194): grant role admin to group hive
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329172329_ff78ccc3-3aec-4299-af36-b7fdfb120194); Time taken: 0.127 seconds
INFO  : OK
No rows affected (0.187 seconds)

# List databases
0: jdbc:hive2://localhost:10000> show databases;
INFO  : Compiling command(queryId=hive_20230329172334_3a8602ce-70e5-41ba-b4db-e1c8345c12ee): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230329172334_3a8602ce-70e5-41ba-b4db-e1c8345c12ee); Time taken: 0.045 seconds
INFO  : Executing command(queryId=hive_20230329172334_3a8602ce-70e5-41ba-b4db-e1c8345c12ee): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329172334_3a8602ce-70e5-41ba-b4db-e1c8345c12ee); Time taken: 0.054 seconds
INFO  : OK
+----------------+
| database_name  |
+----------------+
| default        |
| hive_test      |
+----------------+
2 rows selected (0.126 seconds)
0: jdbc:hive2://localhost:10000>

3.5 View the privileges granted to the admin role

# Show the admin role's grants
0: jdbc:hive2://localhost:10000> show grant role admin;
INFO  : Compiling command(queryId=hive_20230404102437_456b8af8-0a9a-4d3c-8373-b8cad07b48d1): show grant role admin
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database, type:string, comment:from deserializer), FieldSchema(name:table, type:string, comment:from deserializer), FieldSchema(name:partition, type:string, comment:from deserializer), FieldSchema(name:column, type:string, comment:from deserializer), FieldSchema(name:principal_name, type:string, comment:from deserializer), FieldSchema(name:principal_type, type:string, comment:from deserializer), FieldSchema(name:privilege, type:string, comment:from deserializer), FieldSchema(name:grant_option, type:boolean, comment:from deserializer), FieldSchema(name:grant_time, type:bigint, comment:from deserializer), FieldSchema(name:grantor, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230404102437_456b8af8-0a9a-4d3c-8373-b8cad07b48d1); Time taken: 0.042 seconds
INFO  : Executing command(queryId=hive_20230404102437_456b8af8-0a9a-4d3c-8373-b8cad07b48d1): show grant role admin
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230404102437_456b8af8-0a9a-4d3c-8373-b8cad07b48d1); Time taken: 0.052 seconds
INFO  : OK
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| *         |        |            |         | admin           | ROLE            | *          | false         | 1680057642000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
1 row selected (0.13 seconds)
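The grant tables above are the raw material for a privilege review. The script below, an added example that is not part of the original post or of Sentry, parses the ASCII tables Beeline prints for show grant role and reports which groups end up with server-wide ALL, which roles carry grant option, and which roles are bound to no group at all. The three tables are constructed from the output shown in this walkthrough, and GROUP_ROLES records the GRANT ROLE ... TO GROUP statements run in 3.4, 3.6 and 3.7; the "analysts" group used in the second audit call is a hypothetical binding added to show how an unexpected superuser is flagged.

```python
"""Audit Sentry grants from the tables Beeline prints for `show grant role <role>`.

Added example; not part of the original post or of Sentry itself.
"""
from typing import Dict, List, Tuple

# Constructed input: Beeline output of `show grant role admin`, `... db_role`, `... test_role`,
# copied from this walkthrough (each table keeps its own header and borders).
SHOW_GRANT_OUTPUT = """
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| *         |        |            |         | admin           | ROLE            | *          | false         | 1680057642000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
|  database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| hive_test  |        |            |         | db_role         | ROLE            | INSERT     | false         | 1680833709000  | --       |
| hive_test  |        |            |         | db_role         | ROLE            | SELECT     | false         | 1680833701000  | --       |
| hive_test  | testb  |            |         | test_role       | ROLE            | INSERT     | false         | 1680082147000  | --       |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
"""

# Group-to-role bindings from the GRANT ROLE ... TO GROUP statements in this walkthrough.
GROUP_ROLES: Dict[str, List[str]] = {"hive": ["admin"], "test": ["db_role", "test_role"]}


def parse_show_grant(text: str) -> List[Dict[str, str]]:
    """Turn Beeline's ASCII table(s) into one dict per privilege row."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue                                    # '+---' borders and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None or cells == header:
            header = cells                              # first header, or a repeated one
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def scope(row: Dict[str, str]) -> str:
    """Sentry object hierarchy: SERVER > DATABASE > TABLE > COLUMN."""
    if row["database"] == "*":
        return "SERVER"
    if row["table"] in ("", "*"):
        return "DATABASE"
    if row["column"]:
        return "COLUMN"
    return "TABLE"


def group_privileges(rows, group_roles, group) -> List[Tuple[str, str, str, str]]:
    """Effective (scope, database, table, privilege) tuples a group holds through its roles."""
    roles = set(group_roles.get(group, []))
    return sorted({(scope(r), r["database"], r["table"], r["privilege"])
                   for r in rows if r["principal_name"] in roles})


def audit(rows, group_roles, admin_groups=("hive",)) -> Dict[str, object]:
    """Flag server-wide ALL outside the expected admin groups, grant options and unbound roles."""
    groups_of_role: Dict[str, List[str]] = {}
    for group, roles in group_roles.items():
        for role in roles:
            groups_of_role.setdefault(role, []).append(group)
    findings = {"superuser_groups": set(), "unexpected_superuser": [],
                "grant_option": [], "unbound_roles": set()}
    for row in rows:
        role = row["principal_name"]
        groups = groups_of_role.get(role, [])
        if not groups:
            findings["unbound_roles"].add(role)         # privilege nobody can use (or a stale role)
        if scope(row) == "SERVER" and row["privilege"] == "*":
            for g in groups:
                findings["superuser_groups"].add(g)
                if g not in admin_groups:
                    findings["unexpected_superuser"].append((role, g))
        if row["grant_option"] == "true":               # role may re-grant its privilege
            findings["grant_option"].append((role, scope(row), row["database"], row["table"]))
    return findings


if __name__ == "__main__":
    grants = parse_show_grant(SHOW_GRANT_OUTPUT)
    for grp in GROUP_ROLES:
        print(grp, group_privileges(grants, GROUP_ROLES, grp))
    print(audit(grants, GROUP_ROLES))
```

Run it against the output of show grant role for every role returned by show roles; the only thing to maintain by hand is the group-to-role map, which show role grant group <group> gives you per group.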

3.6 Grant database-level privileges to a role

(1) Create the role and grant privileges to it

# Create the db_role role
0: jdbc:hive2://localhost:10000> create role db_role;
INFO  : Compiling command(queryId=hive_20230407101005_f70152fd-582b-4cfd-b647-029de27fef68): create role db_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230407101005_f70152fd-582b-4cfd-b647-029de27fef68); Time taken: 0.039 seconds
INFO  : Executing command(queryId=hive_20230407101005_f70152fd-582b-4cfd-b647-029de27fef68): create role db_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407101005_f70152fd-582b-4cfd-b647-029de27fef68); Time taken: 0.04 seconds
INFO  : OK
No rows affected (0.087 seconds)

# Grant SELECT on database hive_test to db_role
0: jdbc:hive2://localhost:10000> grant select on database hive_test to role db_role;
INFO  : Compiling command(queryId=hive_20230407101501_508c7e5e-2048-483f-a77d-e977849ceade): grant select on database hive_test to role db_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230407101501_508c7e5e-2048-483f-a77d-e977849ceade); Time taken: 0.038 seconds
INFO  : Executing command(queryId=hive_20230407101501_508c7e5e-2048-483f-a77d-e977849ceade): grant select on database hive_test to role db_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407101501_508c7e5e-2048-483f-a77d-e977849ceade); Time taken: 0.015 seconds
INFO  : OK
No rows affected (0.062 seconds)

# Grant INSERT on database hive_test to db_role
0: jdbc:hive2://localhost:10000> grant insert on database hive_test to role db_role;
INFO  : Compiling command(queryId=hive_20230407101509_e6d7b178-070c-422a-8650-ced7725eddab): grant insert on database hive_test to role db_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230407101509_e6d7b178-070c-422a-8650-ced7725eddab); Time taken: 0.037 seconds
INFO  : Executing command(queryId=hive_20230407101509_e6d7b178-070c-422a-8650-ced7725eddab): grant insert on database hive_test to role db_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407101509_e6d7b178-070c-422a-8650-ced7725eddab); Time taken: 0.01 seconds
INFO  : OK
No rows affected (0.054 seconds)

# Show db_role's grants
0: jdbc:hive2://localhost:10000> show grant role db_role;
INFO  : Compiling command(queryId=hive_20230407101911_188d900e-bf81-424e-b81c-7d79a8d869e4): show grant role db_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database, type:string, comment:from deserializer), FieldSchema(name:table, type:string, comment:from deserializer), FieldSchema(name:partition, type:string, comment:from deserializer), FieldSchema(name:column, type:string, comment:from deserializer), FieldSchema(name:principal_name, type:string, comment:from deserializer), FieldSchema(name:principal_type, type:string, comment:from deserializer), FieldSchema(name:privilege, type:string, comment:from deserializer), FieldSchema(name:grant_option, type:boolean, comment:from deserializer), FieldSchema(name:grant_time, type:bigint, comment:from deserializer), FieldSchema(name:grantor, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230407101911_188d900e-bf81-424e-b81c-7d79a8d869e4); Time taken: 0.038 seconds
INFO  : Executing command(queryId=hive_20230407101911_188d900e-bf81-424e-b81c-7d79a8d869e4): show grant role db_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407101911_188d900e-bf81-424e-b81c-7d79a8d869e4); Time taken: 0.009 seconds
INFO  : OK
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
|  database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| hive_test  |        |            |         | db_role         | ROLE            | INSERT     | false         | 1680833709000  | --       |
| hive_test  |        |            |         | db_role         | ROLE            | SELECT     | false         | 1680833701000  | --       |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
2 rows selected (0.07 seconds)

(2) Before granting the role, connect as the test user and look

# Connect as the test user
[root@hadoop105 hive]# beeline -u 'jdbc:hive2://localhost:10000' -n test
Connecting to jdbc:hive2://localhost:10000
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 2.1.1-cdh6.3.2 by Apache Hive

# List databases (test holds no role yet, so only default is listed)
0: jdbc:hive2://localhost:10000> show databases;
INFO  : Compiling command(queryId=hive_20230407135223_f014eb1a-0051-4aef-9815-791bcedd26d3): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230407135223_f014eb1a-0051-4aef-9815-791bcedd26d3); Time taken: 0.225 seconds
INFO  : Executing command(queryId=hive_20230407135223_f014eb1a-0051-4aef-9815-791bcedd26d3): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407135223_f014eb1a-0051-4aef-9815-791bcedd26d3); Time taken: 0.055 seconds
INFO  : OK
+----------------+
| database_name  |
+----------------+
| default        |
+----------------+
1 row selected (0.352 seconds)

(3) Assign the role to the test user and check. Here you will find that a role cannot be granted to a user, only to a group.

Sentry resolves a user's identity to its groups through Hadoop's group mapping (by default the OS groups on the HiveServer2 host) and binds roles to groups only, so the GRANT ROLE ... TO USER form is rejected. Because useradd test also created a primary group named test, granting to group test reaches the test user.

# Connect as the hive user again to perform the grant
[root@hadoop105 ~]# beeline -u 'jdbc:hive2://localhost:10000' -n hive
Connecting to jdbc:hive2://localhost:10000
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 2.1.1-cdh6.3.2 by Apache Hive

# Try granting db_role to the test user (rejected)
0: jdbc:hive2://localhost:10000> grant role db_role to user test;
INFO  : Compiling command(queryId=hive_20230407141044_220c5165-6ca0-496c-ac23-514dccb1872a): grant role db_role to user test
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230407141044_220c5165-6ca0-496c-ac23-514dccb1872a); Time taken: 0.184 seconds
INFO  : Executing command(queryId=hive_20230407141044_220c5165-6ca0-496c-ac23-514dccb1872a): grant role db_role to user test
INFO  : Starting task [Stage-0:DDL] in serial mode
ERROR : FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Sentry does not allow privileges to be granted/revoked to/from: USER
INFO  : Completed executing command(queryId=hive_20230407141044_220c5165-6ca0-496c-ac23-514dccb1872a); Time taken: 0.001 seconds
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Sentry does not allow privileges to be granted/revoked to/from: USER (state=08S01,code=1)

# Grant db_role to the test group
0: jdbc:hive2://localhost:10000> grant role db_role to group test;
INFO  : Compiling command(queryId=hive_20230407141110_96149c59-28e4-46be-ab37-4b0a2aa20a03): grant role db_role to group test
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230407141110_96149c59-28e4-46be-ab37-4b0a2aa20a03); Time taken: 0.037 seconds
INFO  : Executing command(queryId=hive_20230407141110_96149c59-28e4-46be-ab37-4b0a2aa20a03): grant role db_role to group test
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407141110_96149c59-28e4-46be-ab37-4b0a2aa20a03); Time taken: 0.04 seconds
INFO  : OK
No rows affected (0.085 seconds)

# Reconnect as the test user and list databases (hive_test is now visible)
0: jdbc:hive2://localhost:10000> show databases;
INFO  : Compiling command(queryId=hive_20230407141443_c9fbfc09-2aab-48f5-9774-9ed6c87948d3): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230407141443_c9fbfc09-2aab-48f5-9774-9ed6c87948d3); Time taken: 0.038 seconds
INFO  : Executing command(queryId=hive_20230407141443_c9fbfc09-2aab-48f5-9774-9ed6c87948d3): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407141443_c9fbfc09-2aab-48f5-9774-9ed6c87948d3); Time taken: 0.036 seconds
INFO  : OK
+----------------+
| database_name  |
+----------------+
| default        |
| hive_test      |
+----------------+
2 rows selected (0.088 seconds)

3.7 Narrow privileges to a single table

(1) Grant the test user INSERT on table testb of hive_test only

# Create the test_role role
0: jdbc:hive2://localhost:10000> create role test_role;
INFO  : Compiling command(queryId=hive_20230329172749_985b7987-6f4a-465f-a6b1-324ccd87a1a5): create role test_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329172749_985b7987-6f4a-465f-a6b1-324ccd87a1a5); Time taken: 0.055 seconds
INFO  : Executing command(queryId=hive_20230329172749_985b7987-6f4a-465f-a6b1-324ccd87a1a5): create role test_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329172749_985b7987-6f4a-465f-a6b1-324ccd87a1a5); Time taken: 0.061 seconds
INFO  : OK
No rows affected (0.128 seconds)

# Grant INSERT on table hive_test.testb to test_role
0: jdbc:hive2://localhost:10000> grant insert on table hive_test.testb to role test_role;
INFO  : Compiling command(queryId=hive_20230329172907_3d59d096-bdee-4b8a-bd84-ab012161bdad): grant insert on table hive_test.testb to role test_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329172907_3d59d096-bdee-4b8a-bd84-ab012161bdad); Time taken: 0.053 seconds
INFO  : Executing command(queryId=hive_20230329172907_3d59d096-bdee-4b8a-bd84-ab012161bdad): grant insert on table hive_test.testb to role test_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329172907_3d59d096-bdee-4b8a-bd84-ab012161bdad); Time taken: 0.071 seconds
INFO  : OK
No rows affected (0.137 seconds)

# Grant the role to the test group
0: jdbc:hive2://localhost:10000> grant role test_role to group test;
INFO  : Compiling command(queryId=hive_20230329172931_cde3d861-a87c-4541-8fdb-cba47f395810): grant role test_role to group test
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329172931_cde3d861-a87c-4541-8fdb-cba47f395810); Time taken: 0.053 seconds
INFO  : Executing command(queryId=hive_20230329172931_cde3d861-a87c-4541-8fdb-cba47f395810): grant role test_role to group test
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329172931_cde3d861-a87c-4541-8fdb-cba47f395810); Time taken: 0.012 seconds
INFO  : OK
No rows affected (0.075 seconds)

(2) View the privileges granted to test_role

# Show test_role's grants
0: jdbc:hive2://localhost:10000> show grant role test_role;
INFO  : Compiling command(queryId=hive_20230404102508_879ce71f-dac6-4575-9035-40f355b3c1be): show grant role test_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database, type:string, comment:from deserializer), FieldSchema(name:table, type:string, comment:from deserializer), FieldSchema(name:partition, type:string, comment:from deserializer), FieldSchema(name:column, type:string, comment:from deserializer), FieldSchema(name:principal_name, type:string, comment:from deserializer), FieldSchema(name:principal_type, type:string, comment:from deserializer), FieldSchema(name:privilege, type:string, comment:from deserializer), FieldSchema(name:grant_option, type:boolean, comment:from deserializer), FieldSchema(name:grant_time, type:bigint, comment:from deserializer), FieldSchema(name:grantor, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230404102508_879ce71f-dac6-4575-9035-40f355b3c1be); Time taken: 0.044 seconds
INFO  : Executing command(queryId=hive_20230404102508_879ce71f-dac6-4575-9035-40f355b3c1be): show grant role test_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230404102508_879ce71f-dac6-4575-9035-40f355b3c1be); Time taken: 0.007 seconds
INFO  : OK
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
|  database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| hive_test  | testb  |            |         | test_role       | ROLE            | INSERT     | false         | 1680082147000  | --       |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
1 row selected (0.073 seconds)

(3) Connect as the test user and check: only testb is listed, no other table. One caveat when reading this transcript: its query IDs are dated 2023-03-29, before db_role was created and granted on 2023-04-07 in 3.6. With db_role's database-level SELECT also held, the test user would see every table in hive_test, because a database-level privilege implies the same privilege on all of its tables. A table-level grant restricts visibility only when no broader grant is held through any other role.

# Connect as the test user
[root@hadoop105 ~]# beeline -u 'jdbc:hive2://localhost:10000' -n test
Connecting to jdbc:hive2://localhost:10000
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 2.1.1-cdh6.3.2 by Apache Hive

# List databases
0: jdbc:hive2://localhost:10000> show databases;
INFO  : Compiling command(queryId=hive_20230329173530_1edaeb5c-71dd-48d8-b5ed-2e70aba3c442): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230329173530_1edaeb5c-71dd-48d8-b5ed-2e70aba3c442); Time taken: 0.21 seconds
INFO  : Executing command(queryId=hive_20230329173530_1edaeb5c-71dd-48d8-b5ed-2e70aba3c442): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329173530_1edaeb5c-71dd-48d8-b5ed-2e70aba3c442); Time taken: 0.042 seconds
INFO  : OK
+----------------+
| database_name  |
+----------------+
| default        |
| hive_test      |
+----------------+
2 rows selected (0.337 seconds)

# switch to the hive_test database
0: jdbc:hive2://localhost:10000> use hive_test;
INFO  : Compiling command(queryId=hive_20230329173539_c54bd676-644e-4fb9-a8bf-7962d607e489): use hive_test
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329173539_c54bd676-644e-4fb9-a8bf-7962d607e489); Time taken: 0.073 seconds
INFO  : Executing command(queryId=hive_20230329173539_c54bd676-644e-4fb9-a8bf-7962d607e489): use hive_test
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329173539_c54bd676-644e-4fb9-a8bf-7962d607e489); Time taken: 0.005 seconds
INFO  : OK
No rows affected (0.089 seconds)

# list tables
0: jdbc:hive2://localhost:10000> show tables;
INFO  : Compiling command(queryId=hive_20230329173543_12e2eeda-6294-4c98-9f5b-5309b2f93003): show tables
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:tab_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230329173543_12e2eeda-6294-4c98-9f5b-5309b2f93003); Time taken: 0.051 seconds
INFO  : Executing command(queryId=hive_20230329173543_12e2eeda-6294-4c98-9f5b-5309b2f93003): show tables
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329173543_12e2eeda-6294-4c98-9f5b-5309b2f93003); Time taken: 0.048 seconds
INFO  : OK
+-----------+
| tab_name  |
+-----------+
| testb     |
+-----------+
1 row selected (0.122 seconds)

3.8 Testing query, insert and related privilege operations

(1) Insert one row as a test

# query the contents of testb
select * from testb;
# insert one row
insert into table testb values (10,'hive10','SH','2023-04-01');
# query testb (fails: test_role holds INSERT but not SELECT on the table)
0: jdbc:hive2://localhost:10000> select * from testb;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User test does not have privileges for QUERY
 The required privileges: Server=server1->Db=hive_test->Table=testb->Column=create_time->action=select->grantOption=false; (state=42000,code=40000)

# insert one row
0: jdbc:hive2://localhost:10000> insert into table testb values (10,'hive10','SH','2023-04-01');
INFO  : Compiling command(queryId=hive_20230404111842_b8bdadf2-c6b6-43e0-8dbc-35fde8037edd): insert into table testb values (10,'hive10','SH','2023-04-01')
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:_col0, type:int, comment:null), FieldSchema(name:_col1, type:string, comment:null), FieldSchema(name:_col2, type:string, comment:null), FieldSchema(name:_col3, type:string, comment:null)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230404111842_b8bdadf2-c6b6-43e0-8dbc-35fde8037edd); Time taken: 0.216 seconds
INFO  : Executing command(queryId=hive_20230404111842_b8bdadf2-c6b6-43e0-8dbc-35fde8037edd): insert into table testb values (10,'hive10','SH','2023-04-01')
WARN  : 
INFO  : Query ID = hive_20230404111842_b8bdadf2-c6b6-43e0-8dbc-35fde8037edd
INFO  : Total jobs = 3
INFO  : Launching Job 1 out of 3
INFO  : Starting task [Stage-1:MAPRED] in serial mode
INFO  : Number of reduce tasks is set to 0 since there's no reduce operator
INFO  : number of splits:1
INFO  : Submitting tokens for job: job_1680499262933_0006
INFO  : Executing with tokens: []
INFO  : The url to track the job: http://hadoop105:8088/proxy/application_1680499262933_0006/
INFO  : Starting Job = job_1680499262933_0006, Tracking URL = http://hadoop105:8088/proxy/application_1680499262933_0006/
INFO  : Kill Command = /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/lib/hadoop/bin/hadoop job  -kill job_1680499262933_0006

Problem: as the output above shows, the test user has no SELECT privilege, yet the insert did not fail; instead it hung right after the MapReduce job was submitted. While it was stuck, the table could not be queried even as the hive user.

[Figure 19: CDH Kerberos authentication and Sentry authorization management (1)]

Recovery: pressing Ctrl+C in the hung shell aborted the statement, after which queries worked again. (It later turned out the cause was the host firewall: even with every port used by Hive opened, the hang still occurred, so the firewall was temporarily disabled so as not to interfere with the remaining tests.) Note that Sentry was not involved here: the insert passed the authorization check at compile time because INSERT had been granted, and the job was handed to YARN before it stalled. A Sentry denial shows up as a SemanticException at compile time, exactly like the SELECT failure above, never as a hang. Disabling the firewall is a test-cluster shortcut; on a real cluster, find and open the YARN/MapReduce ports the job needs instead.

(2) Re-run the insert

0: jdbc:hive2://localhost:10000> insert into table testb values (10,'hive10','SH','2023-04-01');
INFO  : Compiling command(queryId=hive_20230406102417_4620de68-f8ba-4d54-b38b-da2e09a21cd1): insert into table testb values (10,'hive10','SH','2023-04-01')
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:_col0, type:int, comment:null), FieldSchema(name:_col1, type:string, comment:null), FieldSchema(name:_col2, type:string, comment:null), FieldSchema(name:_col3, type:string, comment:null)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230406102417_4620de68-f8ba-4d54-b38b-da2e09a21cd1); Time taken: 0.125 seconds
INFO  : Executing command(queryId=hive_20230406102417_4620de68-f8ba-4d54-b38b-da2e09a21cd1): insert into table testb values (10,'hive10','SH','2023-04-01')
WARN  : 
INFO  : Query ID = hive_20230406102417_4620de68-f8ba-4d54-b38b-da2e09a21cd1
INFO  : Total jobs = 3
INFO  : Launching Job 1 out of 3
INFO  : Starting task [Stage-1:MAPRED] in serial mode
INFO  : Number of reduce tasks is set to 0 since there's no reduce operator
INFO  : number of splits:1
INFO  : Submitting tokens for job: job_1680499262933_0033
INFO  : Executing with tokens: []
INFO  : The url to track the job: http://hadoop105:8088/proxy/application_1680499262933_0033/
INFO  : Starting Job = job_1680499262933_0033, Tracking URL = http://hadoop105:8088/proxy/application_1680499262933_0033/
INFO  : Kill Command = /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/lib/hadoop/bin/hadoop job  -kill job_1680499262933_0033
INFO  : Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 0
INFO  : 2023-04-06 10:24:22,904 Stage-1 map = 0%,  reduce = 0%
INFO  : 2023-04-06 10:24:28,023 Stage-1 map = 100%,  reduce = 0%, Cumulative CPU 2.91 sec
INFO  : MapReduce Total cumulative CPU time: 2 seconds 910 msec
INFO  : Ended Job = job_1680499262933_0033
INFO  : Starting task [Stage-7:CONDITIONAL] in serial mode
INFO  : Stage-4 is selected by condition resolver.
INFO  : Stage-3 is filtered out by condition resolver.
INFO  : Stage-5 is filtered out by condition resolver.
INFO  : Starting task [Stage-4:MOVE] in serial mode
INFO  : Moving data to directory hdfs://hadoop105:8020/user/hive/warehouse/hive_test.db/testb/.hive-staging_hive_2023-04-06_10-24-17_212_2711266780108748282-7/-ext-10000 from hdfs://hadoop105:8020/user/hive/warehouse/hive_test.db/testb/.hive-staging_hive_2023-04-06_10-24-17_212_2711266780108748282-7/-ext-10002
INFO  : Starting task [Stage-0:MOVE] in serial mode
INFO  : Loading data to table hive_test.testb from hdfs://hadoop105:8020/user/hive/warehouse/hive_test.db/testb/.hive-staging_hive_2023-04-06_10-24-17_212_2711266780108748282-7/-ext-10000
INFO  : Starting task [Stage-2:STATS] in serial mode
INFO  : MapReduce Jobs Launched: 
INFO  : Stage-Stage-1: Map: 1   Cumulative CPU: 2.91 sec   HDFS Read: 4747 HDFS Write: 95 HDFS EC Read: 0 SUCCESS
INFO  : Total MapReduce CPU Time Spent: 2 seconds 910 msec
INFO  : Completed executing command(queryId=hive_20230406102417_4620de68-f8ba-4d54-b38b-da2e09a21cd1); Time taken: 12.272 seconds
INFO  : OK
1 row affected (12.414 seconds)

(3) Grant SELECT so the data can be viewed

# grant SELECT on testb to test_role (run from a session with Sentry admin rights, i.e. the hive user, not test)
grant select on table hive_test.testb to role test_role;
# grant SELECT on testb to test_role
0: jdbc:hive2://localhost:10000> grant select on table hive_test.testb to role test_role;
INFO  : Compiling command(queryId=hive_20230404135022_a271e8c3-a0dd-404a-afec-bc4e9063cc1f): grant select on table hive_test.testb to role test_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230404135022_a271e8c3-a0dd-404a-afec-bc4e9063cc1f); Time taken: 0.041 seconds
INFO  : Executing command(queryId=hive_20230404135022_a271e8c3-a0dd-404a-afec-bc4e9063cc1f): grant select on table hive_test.testb to role test_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230404135022_a271e8c3-a0dd-404a-afec-bc4e9063cc1f); Time taken: 0.083 seconds
INFO  : OK
No rows affected (0.133 seconds)

# show the grants held by test_role
0: jdbc:hive2://localhost:10000> show grant role test_role;
INFO  : Compiling command(queryId=hive_20230404135043_ae58bc77-0b64-424f-9b52-58cf15b299e1): show grant role test_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database, type:string, comment:from deserializer), FieldSchema(name:table, type:string, comment:from deserializer), FieldSchema(name:partition, type:string, comment:from deserializer), FieldSchema(name:column, type:string, comment:from deserializer), FieldSchema(name:principal_name, type:string, comment:from deserializer), FieldSchema(name:principal_type, type:string, comment:from deserializer), FieldSchema(name:privilege, type:string, comment:from deserializer), FieldSchema(name:grant_option, type:boolean, comment:from deserializer), FieldSchema(name:grant_time, type:bigint, comment:from deserializer), FieldSchema(name:grantor, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230404135043_ae58bc77-0b64-424f-9b52-58cf15b299e1); Time taken: 0.042 seconds
INFO  : Executing command(queryId=hive_20230404135043_ae58bc77-0b64-424f-9b52-58cf15b299e1): show grant role test_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230404135043_ae58bc77-0b64-424f-9b52-58cf15b299e1); Time taken: 0.009 seconds
INFO  : OK
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
|  database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| hive_test  | testb  |            |         | test_role       | ROLE            | INSERT     | false         | 1680082147000  | --       |
| hive_test  | testb  |            |         | test_role       | ROLE            | SELECT     | false         | 1680587422000  | --       |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+

(4) Query the testb table

0: jdbc:hive2://localhost:10000> select * from testb;
INFO  : Compiling command(queryId=hive_20230406102530_019e45ee-564d-48f1-b197-3672233496ee): select * from testb
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:testb.id, type:int, comment:null), FieldSchema(name:testb.name, type:string, comment:null), FieldSchema(name:testb.area, type:string, comment:null), FieldSchema(name:testb.create_time, type:string, comment:null)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230406102530_019e45ee-564d-48f1-b197-3672233496ee); Time taken: 0.232 seconds
INFO  : Executing command(queryId=hive_20230406102530_019e45ee-564d-48f1-b197-3672233496ee): select * from testb
INFO  : Completed executing command(queryId=hive_20230406102530_019e45ee-564d-48f1-b197-3672233496ee); Time taken: 0.0 seconds
INFO  : OK
+-----------+-------------+-------------+--------------------+
| testb.id  | testb.name  | testb.area  | testb.create_time  |
+-----------+-------------+-------------+--------------------+
| 1         | hive1       | JH          | 2023-04-01         |
| 2         | hive2       | CB          | 2023-04-01         |
| 3         | hive3       | NG          | 2023-04-01         |
| 4         | hive4       | DA          | 2023-04-01         |
| 5         | hive5       | RH          | 2023-04-01         |
| 6         | hive6       | CZ          | 2023-04-01         |
| 7         | hive7       | TS          | 2023-04-01         |
| 8         | hive8       | KJ          | 2023-04-01         |
| 9         | hive9       | EF          | 2023-04-01         |
| 10        | hive10      | SH          | 2023-04-01         |
+-----------+-------------+-------------+--------------------+
10 rows selected (0.298 seconds)
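The three results in this section come from one rule: Sentry walks the Server -> Db -> Table -> Column hierarchy and a grant covers everything beneath the most specific level it names, but the action must match (ALL aside), so INSERT on testb never satisfies the per-column SELECT that `select *` requires; once SELECT is granted on the table it covers every column; and `show tables` earlier listed only testb because that is the only object test_role holds any privilege on. The model below is an added example written for this post, not Sentry's source. It parses the privilege string HiveServer2 printed in the error above and evaluates it; the exact implication rules (unset level covers children, case-insensitive names, ALL implies any action) and the constructed grant sets for test_role and an admin are assumptions of the model.

```python
"""Simplified model of how Sentry decides a Hive request (added example; NOT Sentry code).

Privileges use the format HiveServer2 prints in its error, e.g.
  Server=server1->Db=hive_test->Table=testb->Column=create_time->action=select->grantOption=false
Model assumptions: a grant that leaves Table/Column unset covers every object beneath
it, names compare case-insensitively, and ALL implies any action.
"""
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ("server", "db", "table", "column")


@dataclass(frozen=True)
class Privilege:
    server: str
    db: Optional[str] = None
    table: Optional[str] = None
    column: Optional[str] = None
    action: str = "all"
    grant_option: bool = False

    @classmethod
    def parse(cls, text: str) -> "Privilege":
        """Parse 'Server=..->Db=..->Table=..->Column=..->action=..->grantOption=..'."""
        fields = {}
        for part in text.split("->"):
            key, _, value = part.partition("=")
            fields[key.strip().lower()] = value.strip().lower()
        return cls(
            server=fields["server"],
            db=fields.get("db") or None,
            table=fields.get("table") or None,
            column=fields.get("column") or None,
            action=fields.get("action", "all"),
            grant_option=fields.get("grantoption") == "true",
        )

    def __str__(self) -> str:
        parts = [f"Server={self.server}"]
        for label, value in (("Db", self.db), ("Table", self.table), ("Column", self.column)):
            if value is not None:
                parts.append(f"{label}={value}")
        parts.append(f"action={self.action}")
        parts.append(f"grantOption={'true' if self.grant_option else 'false'}")
        return "->".join(parts)

    def implies(self, required: "Privilege") -> bool:
        """Every level this grant names must match the requirement; a level left
        unset covers all objects below it. INSERT never implies SELECT."""
        for level in LEVELS:
            mine = getattr(self, level)
            if mine is not None and mine != getattr(required, level):
                return False
        return self.action == "all" or self.action == required.action


def missing_privileges(granted: List[Privilege], required: List[Privilege]) -> List[Privilege]:
    """Requirements no grant covers; an empty list means the statement is authorized."""
    return [r for r in required if not any(g.implies(r) for g in granted)]


def select_star_requirements(server: str, db: str, table: str, columns: List[str]) -> List[Privilege]:
    """`SELECT *` needs SELECT on every column, hence the Column= level in the error."""
    return [Privilege(server, db, table, c, "select") for c in columns]


def visible_tables(granted: List[Privilege], server: str, db: str, all_tables: List[str]) -> List[str]:
    """SHOW TABLES as Sentry filters it: a table is listed only if the user holds some
    privilege (any action) on it, on one of its columns, or on a parent scope."""
    def touches(g: Privilege, table: str) -> bool:
        return (g.server == server
                and (g.db is None or g.db == db)
                and (g.table is None or g.table == table))
    return [t for t in all_tables if any(touches(g, t) for g in granted)]


# Constructed data mirroring the post's cluster (server1, hive_test.testb); assumed, not captured.
TESTB_COLUMNS = ["id", "name", "area", "create_time"]
TEST_ROLE_INSERT_ONLY = [Privilege.parse("Server=server1->Db=hive_test->Table=testb->action=insert->grantOption=false")]
TEST_ROLE_AFTER_GRANT = TEST_ROLE_INSERT_ONLY + [Privilege.parse("Server=server1->Db=hive_test->Table=testb->action=select->grantOption=false")]
HIVE_ADMIN = [Privilege.parse("Server=server1->action=all->grantOption=true")]


def demo() -> None:
    """Replay the post's outcomes: denied SELECT, permitted INSERT, SELECT after the grant, filtered SHOW TABLES."""
    need = select_star_requirements("server1", "hive_test", "testb", TESTB_COLUMNS)
    print("SELECT * with INSERT-only role, first missing:", missing_privileges(TEST_ROLE_INSERT_ONLY, need)[0])
    print("INSERT with INSERT-only role, missing:",
          missing_privileges(TEST_ROLE_INSERT_ONLY, [Privilege("server1", "hive_test", "testb", None, "insert")]))
    print("SELECT * after GRANT SELECT, missing:", missing_privileges(TEST_ROLE_AFTER_GRANT, need))
    print("tables test sees:", visible_tables(TEST_ROLE_INSERT_ONLY, "server1", "hive_test", ["testa", "testb"]))
    print("tables hive sees:", visible_tables(HIVE_ADMIN, "server1", "hive_test", ["testa", "testb"]))


if __name__ == "__main__":
    demo()
```

Running `demo()` reproduces the sequence above: the INSERT-only role is refused `select *` (the first unmet requirement is the Column=id SELECT), is allowed the insert, passes once table-level SELECT is added, and sees only testb in the table list while a server-wide ALL grant sees everything.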

        This concludes the Hive authorization test in an environment without Kerberos authentication. The next part covers the process and configuration for enabling Kerberos authentication.
