一、实践心得
主要参考这个连接,里面说得也挺详细的。http://www.aboutyun.com/thread-12549-1-1.html
总结如下:
1、若赋予用户某个表的权限,查用户在该表所属数据库的权限,是查询不出来的,要指定到那张表
2、若要赋予用户db1数据库下的t1表权限,首先要在执行 use db1;
3、编写钩子函数时,经过我自己的测试,这边是hive0.13版本,感觉非超级管理员的grant、revoke控制不了,而create role r_name是可以控制,证明该控制类是起作用的,不知道是HiveParser.TOK_XXXX有遗漏还是其他问题,或者可以直接用ast.getToken().getText()与"TOK_CREATEROLE"字符匹配,这样是没问题。
4、以上的hive权限控制,只适合于hive cli控制权限,若用jdbc、thrift接口或hue查询页面是不能起到权限控制的,所以不是完全安全的,只是用来防止用户不小心做了不适合的事情,而不是防止坏人干坏事的。
5、倘若想更好更安全控制hive权限,可以使用Kerberos认证,听说Kerberos很强大,并且可以管理hdfs与hbase等。
简单归纳如下,方便以后查询,主要分两步,第一,修改配置文件;第二,熟悉授权语法。
二、修改配置文件
1、修改hive-site.xml
- <!--参数调优-->
- <property>
- <name>hive.exec.parallel</name>
- <value>true</value>
- <description>Whether to execute jobs in parallel</description>
- </property>
- <property>
- <name>hive.exec.parallel.thread.number</name>
- <value>16</value>
- <description>How many jobs at most can be executed in parallel</description>
- </property>
- <!-- 权限配置-->
- <!-- 开启hive cli的控制权限 -->
- <property>
- <name>hive.security.authorization.enabled</name>
- <value>true</value>
- <description>enable or disable the hive clientauthorization</description>
- </property>
- <!-- 定义表创建者的权限 -->
- <property>
- <name>hive.security.authorization.createtable.owner.grants</name>
- <value>ALL</value>
- <description>
- the privileges automatically granted to the owner whenever a table gets created.
- </description>
- </property>
- <!-- 在做类似drop partition操作时,metastore是否要认证权限,默认是false -->
- <property>
- <name>hive.metastore.authorization.storage.checks</name>
- <value>true</value>
- <description>
- Should the metastore do authorization checks against
- the underlying storage for operations like drop-partition (disallow
- the drop-partition if the user in question doesn't have permissions
- to delete the corresponding directory on the storage).
- </description>
- </property>
- <!-- 非安全模式,设置为true会令metastore以客户端的用户和组权限执行DFS操作,默认是false,这个属性需要服务端和客户端同时设置 -->
- <property>
- <name>hive.metastore.execute.setugi</name>
- <value>false</value>
- <description>
- In unsecure mode, setting this property to true will cause the metastore to execute DFS operations using the client's reported user
- and group permissions. Note that this property must be set on both the client
- and server sides. Further note that its best effort. If client sets its to true and server sets it to false, client setting will be ignored.
- </description>
- </property>
- <!-- 配置超级管理员,需要自定义控制类继承这个AbstractSemanticAnalyzerHook-->
- <property>
- <name>hive.semantic.analyzer.hook</name>
- <value>com.kent.test.AuthorityHook</value>
- </property>
- <!-- 假如出现以下错误:
- Error while compiling statement: FAILED: SemanticException The current builtin authorization in Hive is incomplete and disabled.
- 需要配置下面的属性 -->
- <property>
- <name>hive.security.authorization.task.factory</name>
- <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
- </property>
2、自定义控制类(继承AbstractSemanticAnalyzerHook)
- package com.kent.test;
- import org.apache.hadoop.hive.ql.parse.ASTNode;
- import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
- import org.apache.hadoop.hive.ql.parse.HiveParser;
- import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
- import org.apache.hadoop.hive.ql.parse.SemanticException;
- import org.apache.hadoop.hive.ql.session.SessionState;
- public class AuthorityHook extends AbstractSemanticAnalyzerHook {
- private static String[] admin = {"admin", "root"};
- @Override
- public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context,ASTNode ast) throws SemanticException {
- switch (ast.getToken().getType()) {
- case HiveParser.TOK_CREATEDATABASE:
- case HiveParser.TOK_DROPDATABASE:
- case HiveParser.TOK_CREATEROLE:
- case HiveParser.TOK_DROPROLE:
- case HiveParser.TOK_GRANT:
- case HiveParser.TOK_REVOKE:
- case HiveParser.TOK_GRANT_ROLE:
- case HiveParser.TOK_REVOKE_ROLE:
- String userName = null;
- if (SessionState.get() != null&&SessionState.get().getAuthenticator() != null){
- userName=SessionState.get().getAuthenticator().getUserName();
- }
- if (!admin[0].equalsIgnoreCase(userName) && !admin[1].equalsIgnoreCase(userName)) {
- throw new SemanticException(userName + " can't use ADMIN options, except "
- + admin[0]+","+admin[1] +".");
- }
- break;
- default:
- break;
- }
- return ast;
- }
- public static void main(String[] args) throws SemanticException {
- String[] admin = {"admin", "root"};
- String userName = "root";
- for(String tmp: admin){
- System.out.println(tmp);
- if (!tmp.equalsIgnoreCase(userName)) {
- throw new SemanticException(userName + " can't use ADMIN options, except "
- + admin[0]+","+admin[1] +".");
- }
- }
- }
- }
三、权限控制语法
1、角色权限控制
- --创建和删除角色
- create role role_name;
- drop role role_name;
- --展示所有roles
- show roles
- --赋予角色权限
- grant select on database db_name to role role_name;
- grant select on [table] t_name to role role_name;
- --查看角色权限
- show grant role role_name on database db_name;
- show grant role role_name on [table] t_name;
- --角色赋予用户
- grant role role_name to user user_name
- --回收角色权限
- revoke select on database db_name from role role_name;
- revoke select on [table] t_name from role role_name;
- --查看某个用户所有角色
- show role grant user user_name;
2、用户角色控制
1)权限控制表
- 操作(opera) 解释
- ALL 所有权限
- ALTER 允许修改元数据(modify metadata data of object)---表信息数据
- UPDATE 允许修改物理数据(modify physical data of object)---实际数据
- CREATE 允许进行Create操作
- DROP 允许进行DROP操作
- INDEX 允许建索引(目前还没有实现)
- LOCK 当出现并发的使用允许用户进行LOCK和UNLOCK操作
- SELECT 允许用户进行SELECT操作
- SHOW_DATABASE 允许用户查看可用的数据库
2)语法
- --赋予用户权限
- grant opera on database db_name to user user_name;
- grant opera on [table] t_name to user user_name;
- --回收用户权限
- revoke opera on database db_name from user user_name;
- --查看用户权限
- show grant user user_name on database db_name;
- show grant user user_name on [table] t_name;