Hive permissions configuration under Cloudera Manager

Source: Internet
Author: User
Tags: Big data, Hive, permissions | 2016-09-05 11:11 | Category: Hive/spark/hbas


People in different departments of the company (operations, BI, finance) need a Hive data query service, so different permissions have to be assigned to the relevant people.

Permission configuration covers two main items:

- Authentication: verifies that the identity the user presents is genuine
- Authorization: verifies that the user's identity has permission for the operation

For authentication, the Hive integrated by Cloudera supports the commonly used LDAP and Kerberos. For authorization it uses Cloudera's own Sentry, which is still in the incubation stage. To promote its own product, Cloudera has blocked Hive's native authorization management.

For my needs, all users operate Hive through the Hue interface, different users are given permissions on different tables, and granting permissions requires only one administrator account. Authorization uses Hive's native configuration.

Authentication configuration

By default, any Hive user can change permissions. Configure Hive so that only the administrator (for example admin) can modify permissions.
Use a hook to intercept by identity: if the user is not admin and the statement is a permission-management operation, reject it. Example code:

```java
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;

public class HiveAdmin extends AbstractSemanticAnalyzerHook {
    private static String admin = "admin";
    private static final Log LOG = LogFactory.getLog(HiveAdmin.class);

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast)
            throws SemanticException {
        String userName = null;
        String authenticator = "null";
        // Look up the session user once, null-checked, so that the logging
        // at the end cannot throw when no session or authenticator exists.
        if (SessionState.get() != null
                && SessionState.get().getAuthenticator() != null) {
            authenticator = SessionState.get().getAuthenticator().toString();
            userName = SessionState.get().getAuthenticator().getUserName();
        }
        // The case labels are numeric HiveParser token types. They are
        // generated with the parser and are specific to the Hive build in use.
        switch (ast.getToken().getType()) {
        case 692: // grant
        case 646: // CREATE ROLE amengzi;
        case 675: // DROP ROLE amengzi
        case 694: // grant ROLE amengzi to user amengzi;
        case 793: // REVOKE ROLE amengzi from user amengzi;
        // case 647: // create table test11 (id string)
        // case 676: // drop table test;
        // case 783: // select * from test;
        // case 817: // show grant
        // case 671: // drop database;
            // A null userName never equals admin, so the statement is rejected.
            if (!admin.equalsIgnoreCase(userName)) {
                System.out.println("===================can't use ADMIN options, except");
                throw new SemanticException(userName
                        + " can't use ADMIN options, except " + admin + ".");
            }
            break;
        default:
            break;
        }
        int tokeType = ast.getToken().getType();
        LOG.error("tokeType:" + tokeType + "=======user " + userName
                + " authenticator " + authenticator);
        System.out.println("tokeType:" + tokeType + "===================user: " + userName
                + " authenticator " + authenticator);
        return ast;
        // return super.preAnalyze(context, ast);
    }

    // @Override
    // public void postAnalyze(HiveSemanticAnalyzerHookContext context,
    //         List<Task<? extends Serializable>> rootTasks)
    //         throws SemanticException {
    //     console.printInfo("!! SimpleSemanticPreAnalyzerHook postAnalyze called !!");
    //     super.postAnalyze(context, rootTasks);
    // }
}
```

When using the Hive client, the statements printed to the console are displayed, which makes debugging easy.
When operating through Hue, the logger output goes to the HiveServer2 log.
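A variant of the hook above that matches on HiveParser's named token constants instead of numeric values, so it does not depend on one Hive build's token numbering, and that rejects the statement when no session user is available. This is an added example, not the original author's code; the class name HiveAdminByTokenName and the inclusion of TOK_REVOKE in the admin-only set are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveParser;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;

// Added example; the class name is hypothetical.
public class HiveAdminByTokenName extends AbstractSemanticAnalyzerHook {
    private static final String ADMIN = "admin";

    // Statement types reserved for the administrator. TOK_REVOKE (revoking a
    // privilege) is an assumption about policy: the numeric list in the
    // original hook covers REVOKE ROLE but has no entry for plain REVOKE.
    private static final Set<Integer> ADMIN_ONLY = new HashSet<Integer>(Arrays.asList(
            HiveParser.TOK_GRANT,
            HiveParser.TOK_REVOKE,
            HiveParser.TOK_CREATEROLE,
            HiveParser.TOK_DROPROLE,
            HiveParser.TOK_GRANT_ROLE,
            HiveParser.TOK_REVOKE_ROLE));

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast)
            throws SemanticException {
        if (!ADMIN_ONLY.contains(ast.getToken().getType())) {
            return ast; // not a permission-management statement
        }
        String userName = currentUser();
        // A null user never matches ADMIN, so the statement is rejected.
        if (!ADMIN.equalsIgnoreCase(userName)) {
            throw new SemanticException(userName
                    + " can't use ADMIN options, except " + ADMIN + ".");
        }
        return ast;
    }

    // Returns null when there is no session or no authenticator.
    private static String currentUser() {
        SessionState ss = SessionState.get();
        if (ss == null || ss.getAuthenticator() == null) {
            return null;
        }
        return ss.getAuthenticator().getUserName();
    }
}
```

To use this variant, the hive.semantic.analyzer.hook property would have to name this class instead of HiveAdmin.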

Authorization configuration

By default, Cloudera replaces Hive's org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl with org.apache.hadoop.hive.ql.parse.authorization.RestrictedHiveAuthorizationTaskFactoryImpl in order to block permission operations, so the native Hive class has to be selected again through the configuration file.

In the CM interface, insert the following configuration into both the "Hive client advanced configuration snippet (safety valve) for hive-site.xml" and the "HiveServer2 advanced configuration snippet (safety valve) for hive-site.xml":

```xml
<property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
    <description>enable or disable the hive client authorization</description>
</property>
<property>
    <name>hive.security.authorization.createtable.owner.grants</name>
    <value>ALL</value>
    <description>the privileges automatically granted to the owner whenever a table gets created.
    An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
</property>
<property>
    <name>hive.security.authorization.task.factory</name>
    <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
<property>
    <name>hive.semantic.analyzer.hook</name>
    <value>HiveAdmin</value>
</property>
```

Notes:

- HDFS permissions need to be modified accordingly afterwards.
- Create the required user accounts on the active NameNode.
- If you are using Hue, the Linux accounts and the Hue accounts can be synchronized with hue useradmin_sync_with_unix.
- Once Hive permissions are enabled, neither Hue nor the Hive client has permission to create a database. I need the client to be able to create databases, so the "Hive client advanced configuration snippet (safety valve) for hive-site.xml" is not configured, and the HiveAdmin jar only has to be placed on the HiveServer2 host under /opt/cloudera/parcels/CDH-5.4.4-1.cdh5.4.4.p0.4/lib/hive/lib/. If the client hive-site.xml also has the permission settings configured, the jar must also be placed under the client's Hive lib directory.
- If you want permissions applied on the backend and still need to create databases, one option is to set aside a single machine without the permission configuration and use it for database creation.
- There is a pitfall between Hue and Hive that causes the same authorization to be duplicated, so authorization operations need to be done through the Hive client.
