测试Hive集成Sentry
本文在安装和配置Sentry基础之上测试Hive集成Sentry。注意:这里Hive中并没有配置Kerberos认证。
关于配置了Kerberos的Hive集群如何集成Sentry,请参考配置安全的Hive集群集成Sentry。
1. 配置Sentry 2. 配置Hive Hive Metastore集成Sentry需要在 /etc/hive/conf/hive-site.xml中添加:
property name hive.metastore.pre.event.listeners /name value org.apache.sentry.binding.metastore.MetastoreAuthzBinding /value /property property name hive.metastore.event.listeners /name value org.apache.sentry.binding.metastore.SentryMetastorePostEventListener /value /propertyHive-server2集成Sentry
修改 /etc/hive/conf/hive-site.xml,添加以下内容:
property name hive.server2.enable.impersonation /name value true /value /property property name hive.security.authorization.task.factory /name value org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl /value /property property name hive.server2.session.hook /name value org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook /value /property property name hive.sentry.conf.url /name value file:///etc/hive/conf/sentry-site.xml /value /property
参考模板sentry-site.xml.hive-client.template在 /etc/hive/conf/ 目录创建 sentry-site.xml:
?xml version="1.0" encoding="UTF-8"? configuration property name sentry.service.client.server.rpc-port /name value 8038 /value /property property name sentry.service.client.server.rpc-address /name value cdh1 /value /property property name sentry.service.client.server.rpc-connection-timeout /name value 200000 /value /property !--以下是客户端配置-- property name sentry.provider /name value org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider /value /property property name sentry.hive.provider.backend /name value org.apache.sentry.provider.db.SimpleDBProviderBackend /value /property property name sentry.metastore.service.users /name value hive /value !--queries made by hive user (beeline) skip meta store check-- /property property name sentry.hive.server /name value server1 /value /property property name sentry.hive.testing.mode /name value true /value /property /configuration3. 重启Hive
在cdh1上启动或重启hiveserver2:
$ /etc/init.d/hive-server2 restart4. 准备测试数据
参考 Securing Impala for analysts,准备测试数据:
$ cat /tmp/events.csv 10.1.2.3,US,android,createNote 10.200.88.99,FR,windows,updateNote 10.1.2.3,US,android,updateNote 10.200.88.77,FR,ios,createNote 10.1.4.5,US,windows,updateTag
然后,在hive中运行下面 sql 语句:
create database sensitive; create table sensitive.events ( ip STRING, country STRING, client STRING, action STRING ) ROW FORMAT DELIMITED FIELDS TERMINATED BY ,; load data local inpath /tmp/events.csv overwrite into table sensitive.events; create database filtered; create view filtered.events as select country, client, action from sensitive.events; create view filtered.events_usonly as select * from filtered.events where country = US;
在 cdh1上通过 beeline 连接 hiveserver2,运行下面命令创建角色和组:
# 注意:我设置了hiveserver2的jdbc端口为10001 $ beeline -u "jdbc:hive2://cdh1:10001/" -n hive -p hive -d org.apache.hive.jdbc.HiveDriver
执行下面的 sql 语句创建 role、group等:
create role admin_role; GRANT ALL ON SERVER server1 TO ROLE admin_role; GRANT ROLE admin_role TO GROUP admin; GRANT ROLE admin_role TO GROUP hive; create role test_role; GRANT ALL ON DATABASE filtered TO ROLE test_role; GRANT ROLE test_role TO GROUP test;
上面创建了两个角色:
admin_role,具有管理员权限,可以读写所有数据库,并授权给 admin 和 hive 组(对应操作系统上的组) test_role,只能读写 filtered 数据库,并授权给 test 组。因为系统上没有test用户和组,所以需要手动创建:
$ useradd test5. 测试 测试admin_role角色
使用hive用户访问beeline:
$ beeline -u "jdbc:hive2://cdh1:10000/" -n hive -p hive -d org.apache.hive.jdbc.HiveDriver
查看当前系统用户是谁:
0: jdbc:hive2://cdh1:10000/ set system:user.name; +------------------------+--+ | set | +------------------------+--+ | system:user.name=hive | +------------------------+--+ 1 row selected (0.188 seconds)
hive属于admin_role组,具有管理员权限,可以查看所有角色:
0: jdbc:hive2://cdh1:10000/ show roles; +-------------+--+ | role | +-------------+--+ | test_role | | admin_role | +-------------+--+ 2 rows selected (0.199 seconds)
查看所有权限:
0: jdbc:hive2://cdh1:10000/ SHOW GRANT ROLE test_role; +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+---------------+ | database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+---------------+ | filtered | | | | test_role | ROLE | * | false | 1430293474047000 | +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+---------------+ 0: jdbc:hive2://cdh1:10000/ SHOW GRANT ROLE admin_role; +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+---------------+ | database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+---------------+ | * | | | | admin_role | ROLE | * | false | 1430293473308000 +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+---------------+ 1 row selected (0.16 seconds)
hive用户可以查看所有数据库、访问所有表:
0: jdbc:hive2://cdh1:10000/ show databases; +----------------+--+ | database_name | +----------------+--+ | default | | filtered | | sensitive | +----------------+--+ 3 rows selected (0.391 seconds) 0: jdbc:hive2://cdh1:10000/ use filtered; No rows affected (0.101 seconds) 0: jdbc:hive2://cdh1:10000/ select * from filtered.events; +-----------------+----------------+----------------+--+ | events.country | events.client | events.action | +-----------------+----------------+----------------+--+ | US | android | createNote | | FR | windows | updateNote | | US | android | updateNote | | FR | ios | createNote | | US | windows | updateTag | +-----------------+----------------+----------------+--+ 5 rows selected (0.431 seconds) 0: jdbc:hive2://cdh1:10000/ select * from sensitive.events; +---------------+-----------------+----------------+----------------+--+ | events.ip | events.country | events.client | events.action | +---------------+-----------------+----------------+----------------+--+ | 10.1.2.3 | US | android | createNote | | 10.200.88.99 | FR | windows | updateNote | | 10.1.2.3 | US | android | updateNote | | 10.200.88.77 | FR | ios | createNote | | 10.1.4.5 | US | windows | updateTag | +---------------+-----------------+----------------+----------------+--+ 5 rows selected (0.247 seconds)测试test_role角色
使用test用户访问beeline:
$ beeline -u "jdbc:hive2://cdh1:10000/" -n test -p test -d org.apache.hive.jdbc.HiveDriver
查看当前系统用户是谁:
0: jdbc:hive2://cdh1:10000/ set system:user.name; +------------------------+--+ | set | +------------------------+--+ | system:user.name=hive | +------------------------+--+ 1 row selected (0.188 seconds)
test用户不是管理员,是不能查看所有角色的:
0: jdbc:hive2://cdh1:10000/ show roles; ERROR : Error processing Sentry command: Access denied to test. Server Stacktrace: org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to test
test用户可以列出所有数据库:
0: jdbc:hive2://cdh1:10000/ show databases; +----------------+--+ | database_name | +----------------+--+ | default | | filtered | | sensitive | +----------------+--+ 3 rows selected (0.079 seconds)
test用户可以filtered库:
0: jdbc:hive2://cdh1:10000/ use filtered; No rows affected (0.206 seconds) 0: jdbc:hive2://cdh1:10000/ select * from events; +-----------------+----------------+----------------+--+ | events.country | events.client | events.action | +-----------------+----------------+----------------+--+ | US | android | createNote | | FR | windows | updateNote | | US | android | updateNote | | FR | ios | createNote | | US | windows | updateTag | +-----------------+----------------+----------------+--+ 5 rows selected (0.361 seconds)
但是,test用户没有权限访问sensitive库:
0: jdbc:hive2://cdh1:10000/ use sensitive; Error: Error while compiling statement: FAILED: SemanticException No valid privileges Required privileges for this query: Server=server1- Db=sensitive- Table=*- action=insert;Server=server1- Db=sensitive- Table=*- action=select; (state=42000,code=40000)6. 排错
在CDH5的高版本中,hive cli 不建议使用,在hive集成sentry之后,再运行hive cli 会提示找不到sentry的类的遗产,解决办法是,将sentry相关的jar包链接到hive的home目录下的lib目录下:
ln -s /usr/lib/sentry/lib/sentry-binding-hive.jar /usr/lib/hive/lib/ ln -s /usr/lib/sentry/lib/sentry-core-common.jar /usr/lib/hive/lib ln -s /usr/lib/sentry/lib/sentry-core-common-db.jar /usr/lib/hive/lib ln -s /usr/lib/sentry/lib/sentry-policy-common.jar /usr/lib/hive/lib ln -s /usr/lib/sentry/lib/sentry-policy-db.jar /usr/lib/hive/lib ln -s /usr/lib/sentry/lib/sentry-policy-cache.jar /usr/lib/hive/lib ln -s /usr/lib/sentry/lib/sentry-provider-common.jar /usr/lib/hive/lib ln -s /usr/lib/sentry/lib/sentry-provider-db.jar /usr/lib/hive/lib ln -s /usr/lib/sentry/lib/sentry-provider-cache.jar /usr/lib/hive/lib ln -s /usr/lib/sentry/lib/sentry-provider-file.jar /usr/lib/hive/lib
【大数据开发运维解决方案】Sqoop增量同步mysql/oracle数据到hive(merge-key/append)测试文档 上一篇文章介绍了sqoop全量同步数据到hive, 本片文章将通过实验详细介绍如何增量同步数据到hive,以及sqoop job与crontab定时结合无密码登录的增量同步实现方法。
雨客 微博@JavaChen,这里的所有博客文章来自http://blog.javachen.com/。
相关文章
- Meter - 连续性能测试 - JMeter + ANT + Jenkins集成 - 第1部分
- Jmeter集成Jira提交缺陷
- windows本地自动集成代码+SSH服务器配置
- vscode集成eslint
- 用POSTFIX,DOVECOT,OPENWEBMAIL集成在CENTOS上
- Angularjs集成第三方插件 Uploadify
- Spring boot2X集成zuul与consul实现负载均衡和反向代理
- NoSQL之Redis(五)--- Redis测试以及其与spring的集成
- Jenkins 常用的项目构建工具集成 02 Gradle
- Spring MVC集成Log4j
- 使用JAD集成到Eclipse里去,方便地查看任意Java类的源代码
- SAP UI5 应用开发教程之八十一 - 采用 OPA5 进行 SAP UI5 集成测试(Integration Test)的一个例子试读版
- 华为OD机试 - 微服务的集成测试(Java & JS & Python)
- 〖Python WEB 自动化测试实战篇⑮〗 实战 - 自动化测试的持续集成
- 全干工程师神器 - Jmeter 10 - Jmeter持续集成介绍及轻量级接口自动化测试框架(思维导图)
- 全干工程师神器 - Jmeter 09 - Jmeter持续集成介绍及轻量级接口自动化测试框架
- Splunk集成Kafka配置方法
- 评估篇 | 单元测试评估也能复用到集成测试?脚本帮你高效评估
- 用例篇 | 单元测试用例复用到集成测试?Testlet Library来助力(上)
- 一文2000字从0到1讲述持续集成下接口自动化测试实践
- 一文3500字教你Postman+Newman+Git+Jenkins实现接口自动化测试持续集成
- 自动化集成:Jenkins管理工具详解
- Lifecycle for overriding binding, validation, etc,易于同其它View框架(Tiles等)无缝集成,采用IOC便于测试。
- 【机器学习】模型融合Ensemble和集成学习Stacking的实现
- Jenkins+Docker+SpringCloud微服务持续集成(上)
- 全干工程师神器 - Jmeter 10 - Jmeter持续集成介绍及轻量级接口自动化测试框架(思维导图)