背景
EMR集群新增Hive-beeline权限管控操作 1.默认的权限对表的控制权限只有下面四种。
代码语言:javascript复制SELECT
INSERT
UPDATE
DELETE
ALL (ALL PRIVILEGES)2.create/drop table的权限和库的Ownership有关。
配置方式
hive-site.xml配置(控制台配置)
代码语言:javascript复制<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.server2.enable.doAs</name>
<value>false</value>
</property>
<property>
<name>hive.users.in.admin.role</name>
<value>hadoop</value>
</property>
<property>
<name>hive.security.metastore.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
</property>
<property>
<name>hive.security.metastore.authenticator.manager</name>
<value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
</property>
<property>
<name>hive.security.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory</value>
</property>hiveserver2-site.xml配置
(机器上新增/usr/local/services/hive/conf/hiveserver2-site.xml,且赋予hadoop权限)
代码语言:javascript复制<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration>
<property>
<name>hive.security.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
</property>
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.security.authenticator.manager</name>
<value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
</property>
</configuration>重启hiveserver2
到目前为止,hive就已经支持acl功能了。现在来看看如果使用acl功能(常用命令)。
权限介绍
beeline登录hive
(使用admin账号:hadoop)
代码语言:javascript复制beeline -u "jdbc:hive2://localhost:7001/" -n hadoop -p hadoop切换当前用户为admin权限
代码语言:javascript复制set role admin角色命令
代码语言:javascript复制创建角色:create role role_name;
查看角色:drop role role_name;
删除角色:drop role role_name; 权限包含
代码语言:javascript复制1.SELECT:赋予读取某个对象的权限
2.INSERT:赋予添加数据至某个对象(表)的权限
3.UPDATE:赋予在某个对象(表)上执行更新操作的权限;
4.DELETE:赋予在某个对象(表)上删除数据的权限;
5.ALL:赋予在某个对象上的所有权限(被转换成拥有上面四个权限)角色用户命令
代码语言:javascript复制给用户分配角色:grant role_name to USER user_name;
解除使用:revoke role_name from USER user_name;
查询用户有什么角色:show role grant user user_name;
查看角色下有哪些用户:show principals role_name;使用案例
创建表及数据
代码语言:javascript复制create table if not exists table1 (name string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',';
create table if not exists table2 (name string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',';
create table if not exists table3 (name string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',';
insert into table1 values ('t1-1'),('t1-2');
insert into table2 values ('t2-1'),('t2-2');
insert into table3 values ('t3-1'),('t3-2');权限设计
代码语言:javascript复制1. 数据组(dev可读可写tabel1和table2),运营组(om可读table1和table2),boss组(可读table1、table2和table3,同时可写table3)
2. 给dev_1用户分配dev的role,给om_1分配om的role,给boss_1分配boss的role利用hadoop登录 beeline -u "jdbc:hive2://localhost:7001/" -n hadoop
切换admin角色
代码语言:javascript复制set role admin创建角色
代码语言:javascript复制create role dev;
create role om;
create role boss;
show roles;角色分配权限
代码语言:javascript复制grant ALL on table table1 to role dev;
grant ALL on table table2 to role dev;
grant select on table table1 to role om;
grant select on table table2 to role om;
grant select on table table1 to role boss;
grant select on table table2 to role boss;
grant ALL on table table3 to role boss;
show grant role dev on table table1;
show grant role om on table table1;
show grant role boss on table table1;
show grant role dev on table table2;
show grant role om on table table2;
show grant role boss on table table2;
show grant role dev on table table3;
show grant role om on table table3;
show grant role boss on table table3;用户绑定角色
代码语言:javascript复制 grant dev to USER dev_1;
grant om to USER om_1;
grant boss to USER boss_1;
show role grant user dev_1;
show role grant user om_1;
show role grant user boss_1;修改create/drop table权限
需要修改库的所有权,一般讲库的所有权改为public,那么所有用户都可以在该库创建表
代码语言:javascript复制alter DATABASE name set owner ROLE public;我正在参与2023腾讯技术创作特训营第三期有奖征文,组队打卡瓜分大奖!
邀请人:岳涛,社区ID:7348459
