Hive Permission Configuration

2023-11-21 14:42:48

Background

Adding Hive beeline permission control to an EMR cluster.

1. By default, the only privileges that can be controlled on a table are the following four (plus ALL as their combination):

```
SELECT
INSERT
UPDATE
DELETE
ALL (ALL PRIVILEGES)
```

2. The permission to create or drop tables depends on the ownership of the database.

Configuration

hive-site.xml configuration (set through the console)

```xml
<property>
	<name>hive.security.authorization.enabled</name>
	<value>true</value>
</property>
<property>
	<name>hive.server2.enable.doAs</name>
	<value>false</value>
</property>
<property>
	<name>hive.users.in.admin.role</name>
	<value>hadoop</value>
</property>
<property>
	<name>hive.security.metastore.authorization.manager</name>
	<value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
</property>
<property>
	<name>hive.security.metastore.authenticator.manager</name>
	<value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
</property>
<property>
	<name>hive.security.authorization.manager</name>
	<value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory</value>
</property>
```

hiveserver2-site.xml configuration

(Create /usr/local/services/hive/conf/hiveserver2-site.xml on the machine and grant the hadoop user permissions on it.)

```xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration>
	<property>
		<name>hive.security.authorization.manager</name>
		<value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
	</property>

	<property>
		<name>hive.security.authorization.enabled</name>
		<value>true</value>
	</property>

	<property>
		<name>hive.security.authenticator.manager</name>
		<value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
	</property>
</configuration>
```

Restart hiveserver2.

At this point Hive supports ACLs. Now let's look at how to use the ACL feature (common commands).
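As an added example that is not part of the original post, the following Python script parses Hadoop-style `<configuration>` XML (the two files above) and reports every setting the guide requires that is missing or left at a value that would silently defeat the authorizer, such as `hive.server2.enable.doAs` still being `true`. The expected values are taken from the configuration shown above; the sample XML and the `audit` function are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Settings this guide requires, per file, for SQL standard authorization to take effect.
REQUIRED = {
    "hive-site.xml": {
        "hive.security.authorization.enabled": "true",
        "hive.server2.enable.doAs": "false",
        "hive.security.authorization.manager":
            "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory",
    },
    "hiveserver2-site.xml": {
        "hive.security.authorization.enabled": "true",
        "hive.security.authorization.manager":
            "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
        "hive.security.authenticator.manager":
            "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
    },
}

def parse_properties(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props

def audit(filename, xml_text):
    """Return a list of findings; an empty list means the file matches the guide."""
    props = parse_properties(xml_text)
    findings = []
    for key, expected in REQUIRED[filename].items():
        actual = props.get(key)
        if actual is None:
            findings.append(f"{filename}: {key} is missing (expected {expected})")
        elif actual != expected:
            findings.append(f"{filename}: {key}={actual} (expected {expected})")
    return findings

# Constructed sample: authorization switched on, but doAs left at its default (true)
# and no authorization manager configured.
SAMPLE_HIVE_SITE = """<configuration>
<property><name>hive.security.authorization.enabled</name><value>true</value></property>
<property><name>hive.server2.enable.doAs</name><value>true</value></property>
<property><name>hive.users.in.admin.role</name><value>hadoop</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in audit("hive-site.xml", SAMPLE_HIVE_SITE):
        print(finding)
```

Run it against the real files by reading their contents and passing them to `audit` with the matching filename key.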

Privilege overview

Log in to Hive with beeline

(Use the admin account: hadoop.)

```shell
beeline -u "jdbc:hive2://localhost:7001/" -n hadoop -p hadoop
```

Switch the current session to the admin role

```sql
set role admin;
```

Role commands

```sql
-- Create a role
create role role_name;
-- List roles
show roles;
-- Drop a role
drop role role_name;
```

Privileges

1. SELECT: grants permission to read an object.
2. INSERT: grants permission to add data to an object (table).
3. UPDATE: grants permission to run update operations on an object (table).
4. DELETE: grants permission to delete data from an object (table).
5. ALL: grants all privileges on an object (expands to the four privileges above).

Role and user commands

```sql
-- Assign a role to a user
grant role_name to USER user_name;
-- Revoke a role from a user
revoke role_name from USER user_name;
-- Show which roles a user has
show role grant user user_name;
-- Show which users (principals) hold a role
show principals role_name;
```

Use case

Create tables and data

```sql
create table if not exists table1 (name string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',';
create table if not exists table2 (name string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',';
create table if not exists table3 (name string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',';

insert into table1 values ('t1-1'),('t1-2');
insert into table2 values ('t2-1'),('t2-2');
insert into table3 values ('t3-1'),('t3-2');
```

Permission design

1. Data group (dev: read and write table1 and table2), operations group (om: read table1 and table2), boss group (boss: read table1, table2 and table3, and write table3).
2. Assign the dev role to user dev_1, the om role to om_1, and the boss role to boss_1.

Log in as hadoop:

```shell
beeline -u "jdbc:hive2://localhost:7001/" -n hadoop
```

Switch to the admin role

```sql
set role admin;
```

Create the roles

```sql
create role dev;
create role om;
create role boss;
show roles;
```

Grant privileges to the roles

```sql
grant ALL on table table1 to role dev;
grant ALL on table table2 to role dev;
grant select on table table1 to role om;
grant select on table table2 to role om;
grant select on table table1 to role boss;
grant select on table table2 to role boss;
grant ALL on table table3 to role boss;
show grant role dev on table table1;
show grant role om on table table1;
show grant role boss on table table1;
show grant role dev on table table2;
show grant role om on table table2;
show grant role boss on table table2;
show grant role dev on table table3;
show grant role om on table table3;
show grant role boss on table table3;
```

Bind users to the roles

```sql
grant dev to USER dev_1;
grant om to USER om_1;
grant boss to USER boss_1;

show role grant user dev_1;
show role grant user om_1;
show role grant user boss_1;
```

Changing create/drop table permissions

This requires changing the ownership of the database. Usually the database owner is set to public, after which every user can create tables in that database.

```sql
alter DATABASE name set owner ROLE public;
```
