Hive has two kinds of authorization mechanism:
I. Storage Based Authorization in the Metastore Server
Access to Hive data through the HCatalog API is really access via the metastore metadata; this covers MapReduce, Impala, Pig, Spark SQL, the Hive command line, and similar clients.
In practice it is enforced by the HDFS (Hadoop Distributed File System) permission bits (d/r/w and so on), which requires the hdfs setfacl command.
1) Configure the following options in hive-site.xml
<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>
  <description>authorization manager class name to be used in the metastore for authorization. The user defined authorization class should implement interface org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider.</description>
</property>
<property>
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  <description>authenticator manager class name to be used in the metastore for authentication. The user defined authenticator should implement interface org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.</description>
</property>
<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value> </value>
  <description>pre-event listener classes to be loaded on the metastore side to run code whenever databases, tables, and partitions are created, altered, or dropped. Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener if metastore-side authorization is desired.</description>
</property>
2) Use setfacl to grant the user privileges on the Hive warehouse path
2.1) Create a new user test
hdfs dfs -mkdir /user/test
2.2) Assign the owner and group (owner:group)
hdfs dfs -chown test:test /user/test
2.3) Check the details
hdfs dfs -ls /user/test
drwxr-xr-x   - test test          0 -07-14 15:06 /user/test
2.4) Grant user test rwx on the warehouse directory
hadoop fs -setfacl -m user:test:rwx /user/hive/warehouse
2.5) Grant group hivegrp rwx on the warehouse directory
hadoop fs -setfacl -m group:hivegrp:rwx /user/hive/warehouse
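The steps above change the warehouse ACL but never verify it. As an added example (not code from the original post), the following parses the text printed by `hdfs dfs -getfacl /user/hive/warehouse` and lists every principal that can effectively write there; the sample ACL is constructed, and the mask handling reflects how a named entry such as user:test:rwx is clipped when the mask entry is narrower.

```python
# Added example, not from the original post: audit the ACL that the setfacl
# steps above leave on /user/hive/warehouse. Input is the text that
# `hdfs dfs -getfacl /user/hive/warehouse` prints; this sample is constructed.
SAMPLE_GETFACL = """\
# file: /user/hive/warehouse
# owner: hive
# group: hive
user::rwx
user:test:rwx
user:etl:rw-
group::r-x
group:hivegrp:rwx
mask::rwx
other::r-x
"""

OWNER, OTHER, MASK = ("user", ""), ("other", ""), ("mask", "")

def parse_getfacl(text):
    """Map (type, name) -> effective perms. Named users/groups and the owning
    group are clipped by the mask entry, so a bare rwx may really be r-x."""
    entries, mask = {}, "rwx"
    for line in text.splitlines():
        line = line.split("#effective:")[0].strip()  # drop getfacl's hint
        if not line or line.startswith("#"):
            continue
        kind, name, perms = line.split(":")
        if kind == "mask":
            mask = perms
        entries[(kind, name)] = perms
    for key, perms in entries.items():
        if key not in (OWNER, OTHER, MASK):
            entries[key] = "".join(p if p == m else "-" for p, m in zip(perms, mask))
    return entries

def audit_warehouse_acl(text, allowed_writers):
    """Findings for principals that can effectively write to the warehouse
    path but are not in allowed_writers (a set of (type, name)); the owner
    is taken as expected, and 'other' having write is always flagged."""
    findings = []
    for (kind, name), perms in parse_getfacl(text).items():
        if "w" not in perms or (kind, name) in (OWNER, MASK):
            continue
        if (kind, name) == OTHER:
            findings.append("other has write access")
        elif (kind, name) not in allowed_writers:
            findings.append(f"unexpected writer {kind}:{name}:{perms}")
    return findings
```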
II. SQL Standards Based Authorization in HiveServer2
When Hive data is accessed through HiveServer2, two roles are provided by default: public and admin. Every user belongs to the public role by default, and granting privileges must be done by a user holding the admin role (ordinary users can only pass on privileges they have themselves been granted to other users), so at least one user must be given the admin role.
1) Obtain admin privileges through configuration in hive-site.xml; the Hive settings are:
<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
</property>
<property>
  <name>hive.security.authorization.task.factory</name>
  <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
<property>
  <name>hive.users.in.admin.role</name>
  <value>hdfs</value>
</property>
The first two settings mean, respectively: enable authorization checking; the creator of a table gets all privileges on it. hive.users.in.admin.role lists the users that hold the admin role (here hdfs).
hive.security.authorization.createtable.owner.grants defaults to NULL, in which case the creator of a table cannot even access it, which is clearly unreasonable.
The core of Hive authorization is users, groups, and roles.
Roles in Hive differ from the roles we usually think of. A Hive role can be understood as a collection of users, groups, or roles that share some "attributes". There is a recursive aspect here: a role can itself be a collection of roles.
2) Commands to create/drop roles. Users and groups are those of the Linux machine, while roles must be created in Hive itself.
# acquire admin privileges
set role admin;
# list all roles created so far
show roles;
# create role tests
create role tests;
# drop role tests
drop role tests;
3) Commands to grant/revoke privileges
grant/revoke:
GRANT ROLE role_name [, role_name] ... TO principal_specification [, principal_specification] ...
REVOKE ROLE role_name [, role_name] ... FROM principal_specification [, principal_specification] ...
principal_specification : USER user | GROUP group | ROLE role
eg:
grant role outs to user out_user;
show role grant user yinxiu;
result:
hive> show role grant user out_user;
OK
admin   false   1594783028000   hadoop
outs    false   1594712987000   hadoop
public  false   0
Time taken: 0.145 seconds, Fetched: 3 row(s)
Hive supports the following privileges:
Commonly used: ALL, CREATE, SELECT (only these three are used at present)
GRANT/REVOKE:
GRANT priv_type [(column_list)] [, priv_type [(column_list)]] ... [ON object_type] TO principal_specification [, principal_specification] ... [WITH GRANT OPTION]
REVOKE priv_type [(column_list)] [, priv_type [(column_list)]] ... [ON object_type priv_level] FROM principal_specification [, principal_specification] ...
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ...
object_type: TABLE | DATABASE
priv_level: db_name | tbl_name
eg:
grant select on database default to user out_user;
revoke all on database default from user out_user;
4) Viewing granted privileges
View privileges:
SHOW GRANT principal_specification [ON object_type priv_level [(column_list)]]
Relationship between Hive operations and privileges
As of the release of Hive 0.7, only these operations require permissions, according to org.apache.hadoop.hive.ql.plan.HiveOperation:
eg: show grant user out_user on database default;
result:
1594696143000   hadoop  db_apps out_user    USER    SELECT  false
Time taken: 0.031 seconds, Fetched: 1 row(s)
5) The main commands are as follows; just remember them:
grant select on database <database> to <username>;
eg: grant select on database db_source to user zhangsan;
check eg: show grant user zhangsan on database db_source;
grant select on table <table> to <username>;
eg: grant select on table db_source.xx_xx_log_d to user zhangsan;   // without db_source the default database is used
check eg: show grant user zhangsan on table db_source.xx_xx_log_d;
grant select on database <database> to role admin;
eg: grant select on database db_source to role admin;
check eg: show grant role admin on database db_source;
grant select on table <table> to role admin;
eg: grant select on table db_source.xx_xx_log_d to role admin;   // without db_source the default database is used
check eg: show grant role admin on table db_source.xx_xx_log_d;
Extension: testing directly with beeline:
beeline -u 'jdbc:hive2://192.168.10.1:2181,192.168.10.2:2181,192.168.10.3:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2' -n zhangsan --outputformat=tsv2 --showHeader=false
beeline -u 'jdbc:hive2://192.168.10.1:2181,192.168.10.2:2181,192.168.10.3:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2' -n hadoop --outputformat=tsv2 --showHeader=false
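With --outputformat=tsv2 --showHeader=false, beeline prints SHOW GRANT results as bare tab-separated rows, which makes them easy to audit against the SELECT-only grants recommended above. The following is an added example (not code from the original post); it assumes Hive's SHOW GRANT column order (database, table, partition, column, principal_name, principal_type, privilege, grant_option, grant_time, grantor) and uses constructed rows.

```python
# Added example, not from the original post: audit SHOW GRANT rows as printed
# by beeline with --outputformat=tsv2 --showHeader=false. Column order is
# assumed to be Hive's SHOW GRANT layout; the rows below are constructed.
SAMPLE_GRANTS = "\n".join([
    "db_source\t\t\t\tzhangsan\tUSER\tSELECT\tfalse\t1594696143000\thadoop",
    "db_source\txx_xx_log_d\t\t\tzhangsan\tUSER\tSELECT\tfalse\t1594696200000\thadoop",
    "db_source\t\t\t\tout_user\tUSER\tALL\ttrue\t1594712987000\thadoop",
    "default\t\t\t\tpublic\tROLE\tSELECT\tfalse\t1594700000000\thadoop",
])

FIELDS = ("database", "table", "partition", "column", "principal_name",
          "principal_type", "privilege", "grant_option", "grant_time", "grantor")

def parse_grants(text):
    """Turn tsv2 lines into dicts keyed by FIELDS; reject malformed rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected column count: {line!r}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def audit_grants(text):
    """Flag grants broader than SELECT on a database or table: ALL privileges,
    grants made WITH GRANT OPTION (the holder can pass them on), and anything
    granted to the public role, which every user belongs to by default."""
    findings = []
    for g in parse_grants(text):
        scope = g["database"] + ("." + g["table"] if g["table"] else "")
        who = f'{g["principal_type"].lower()} {g["principal_name"]}'
        if g["privilege"].upper() == "ALL":
            findings.append(f"{who} has ALL on {scope}")
        if g["grant_option"].lower() == "true":
            findings.append(f"{who} can re-grant {g['privilege']} on {scope}")
        if g["principal_type"] == "ROLE" and g["principal_name"] == "public":
            findings.append(f"public role has {g['privilege']} on {scope}")
    return findings
```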