HIVE权限控制
数据分析小伙伴需要通过hue客户端对hive的数据进行查询,主要创建三个用户,Hue账号,linux账号,hive中角色。
Hue添加用户
通过Hue访问hive,首先要在Hue创建登录用户并授予权限。
Linux添加用户
useradd allsel #添加用户
passwd allsel #设置用户密码
gpasswd -a allsel allsel #给用户分组 hive添加用户并授权
SQL Standards Based Authorization的授权方式
1.设置hive-site.xml配置文件
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.security.authorization.createtable.owner.grants</name>
<value>ALL</value>
</property>
<property>
<name>hive.security.authorization.task.factory</name>
<value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
<property>
<name>hive.users.in.admin.role</name>
<value>hive</value>
<description>定义超级管理员 启动的时候会自动创建Comma separated list of users who are in admin role for bootstrapping.
More users can be added in ADMIN role later.</description>
</property> 2.创建hive角色
登录hive执行一下命令
CREATE ROLE allsel; 可能会有以下报错,报错原因为创建hive的角色需要用admin权限的账号,如步骤1中设置的hive.users.in.admin.role=hive,所以需要切换linux hive账户来执行命令
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : root is not allowed to add roles. User has to belong to ADMIN role and have it as current role, for this action. 正确的执行动作
[root@emr-header-1 ~]# su - hive
[hive@emr-header-1 ~]$ hive
Logging initialized using configuration in file:/etc/ecm/hive-conf-2.3.3-1.0.0/hive-log4j2.properties Async: true
Hive-on-MR is deprecated in Hive 2 and may not be available in the future versions. Consider using a different execution engine (i.e. spark, tez) or using Hive 1.X releases.
hive> show current roles;
OK
public
Time taken: 0.956 seconds, Fetched: 1 row(s)
hive> set role admin;
OK
Time taken: 0.013 seconds
hive> show current roles;
OK
admin
Time taken: 0.007 seconds, Fetched: 1 row(s)
hive> CREATE ROLE allsel;
OK 创建好allsel账户后,对账户进行授权,操作如下
grant role allsel to user allsel; --将数据库hive 角色allsel赋予linux用户allsel
grant select on test to user allsel; --授予用户select权限,这样用户下的角色拥有同样权限
--权限收回
revoke all from user allsel;
--权限查看
show roles; --查看已经有的角色
show grant role allsel; --查看角色已有权限)
show grant role allsel on database test; --查看角色在test数据库的已有权限 设置hdfs权限
# 切换hadoop用户设置
# 设置用户hdfs权限
hadoop fs -setfacl -m user:allsel:rwx /user/hive/warehouse
# 设置用户组hdfs权限
hadoop fs -setfacl -m group:allsel:rwx /user/hive/warehouse HDFS权限控制
1.设置hive-site.xml配置文件
<property>
<name>hive.metastore.pre.event.listeners</name>
<value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
</property>
<property>
<name>hive.security.metastore.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
<property>
<name>hive.security.metastore.authenticator.manager</name>
<value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
</property> EMR的Kerberos安全集群已经设置了Hive的warehouse的HDFS相关权限;
hadoop fs -chmod 1771 /user/hive/warehouse
也可以设置成,1表示stick bit(不能删除别人创建的文件/文件夹)
hadoop fs -chmod 1777 /user/hive/warehouse sudo su has
#授予test对warehouse文件夹rwx权限
hadoop fs -setfacl -m user:test:rwx /user/hive/warehouse
#授予hivegrp对warehouse文件夹rwx权限
hadoo fs -setfacl -m group:hivegrp:rwx /user/hive/warehouse 问题记录
hive> grant create on database ods to role allsel;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unsupported privilege type CREATE ![Linux 7 中配置Apache服务,及禁止ip访问,删除apache广告页面。[图]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)