EMR上Hive ACL配置
原创EMR上Hive ACL配置
原创
- hive-site.xml配置(配置中设置了hadoop为admin用户):
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.server2.enable.doAs</name>
<value>false</value>
</property>
<property>
<name>hive.users.in.admin.role</name>
<value>hadoop</value>
</property>
<property>
<name>hive.security.metastore.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
</property>
<property>
<name>hive.security.metastore.authenticator.manager</name>
<value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
</property>
<property>
<name>hive.security.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory</value>
</property>- hiveserver2-site.xml配置:
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration>
<property>
<name>hive.security.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
</property>
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.security.authenticator.manager</name>
<value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
</property>
</configuration>- 重启hiveserver2
到目前为止,hive就已经支持acl功能了。现在来看看如果使用acl功能(常用命令)。
- beeline登录hive(使用admin账号:hadoop):
beeline -u "jdbc:hive2://localhost:7001/" -n hadoop
- 切换当前用户为admin权限:set role admin;
- 角色命令: 创建角色:create role role_name; 查看角色:drop role role_name; 删除角色:drop role role_name;
- 角色权限命令: 给角色设置权限:grant select on table table_name to role role_name; 解除:revoke select on table table_name from role role_name; 查看角色的权限:show grant role role_name on table table_name;
- 权限包含: 1.SELECT:赋予读取某个对象的权限 2.INSERT:赋予添加数据至某个对象(表)的权限 3.UPDATE:赋予在某个对象(表)上执行更新操作的权限; 4.DELETE:赋予在某个对象(表)上删除数据的权限; 5.ALL:赋予在某个对象上的所有权限(被转换成拥有上面四个权限)
- 角色用户命令: 给用户分配角色:grant role_name to USER user_name; 解除使用:revoke role_name from USER user_name; 查询用户有什么角色:show role grant user user_name; 查看角色下有哪些用户:show principals role_name;
目前为止,大概知道了如果使用hive的acl了,接下来实际给个例子,使用acl:
=====创建表及数据 create table if not exists table1 (name string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ','; create table if not exists table2 (name string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ','; create table if not exists table3 (name string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',';
insert into table1 values ('t1-1'),('t1-2'); insert into table2 values ('t2-1'),('t2-2'); insert into table3 values ('t3-1'),('t3-2'); ========权限设计 1. 数据组(dev可读可写tabel1和table2),运营组(om可读table1和table2),boss组(可读table1、table2和table3,同时可写table3) 2. 给dev_1用户分配dev的role,给om_1分配om的role,给boss_1分配boss的role
=======实操 利用hadoop登录:beeline -u "jdbc:hive2://localhost:7001/" -n hadoop 切换admin角色:set role admin; 创建角色: create role dev; create role om; create role boss; show roles;
角色分配权限: grant ALL on table table1 to role dev; grant ALL on table table2 to role dev; grant select on table table1 to role om; grant select on table table2 to role om; grant select on table table1 to role boss; grant select on table table2 to role boss; grant ALL on table table3 to role boss; show grant role dev on table table1; show grant role om on table table1; show grant role boss on table table1; show grant role dev on table table2; show grant role om on table table2; show grant role boss on table table2; show grant role dev on table table3; show grant role om on table table3; show grant role boss on table table3;
让用户绑定角色: grant dev to USER dev_1; grant om to USER om_1; grant boss to USER boss_1; show role grant user dev_1; show role grant user om_1; show role grant user boss_1;
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。