lookqlp

Hue Beeswax permission management (Hive + Sentry)

Read more:
http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH5/latest/CDH5-Security-Guide/cdh5sg_sentry.html
Prerequisites:
Kerberos authentication (after enabling security through CM, Hive picks up authentication automatically, so the separate Hive authentication setup at http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH5/latest/CDH5-Security-Guide/cdh5sg_hive_security.html can be skipped).
This prerequisite comes from Cloudera's official documentation; reportedly Sentry can also be used without configuring Kerberos authentication, but I haven't tried it myself. If anyone has, please reply.
Steps:

sudo -u hdfs hdfs dfs -chmod -R 770 /user/hive/warehouse
sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
In CM's Hive configuration, set hive.sentry.provider to org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider
(so that Hive reads the user/group mapping from the policy file instead of the OS or Hadoop groups).
Configure sentry-provider.ini. For example:
[databases]
# Defines the location of the per DB policy file for the customers DB/schema
customers = hdfs://namenode11.yeahmobi.com:8020/etc/sentry/customers.ini
# ----- the per-database policy file above holds the privileges for that one database
[groups]
# Assigns each Hadoop group to its set of roles
manager = analyst_role, junior_analyst_role
analyst = analyst_role
jranalyst = junior_analyst_role
customers_admin = customers_admin_role
admin = admin_role
[roles]
# The uris below define a landing skid which
# the user can use to import or export data from the system.
# Since the server runs as the user "hive" files in that directory
# must either have the group hive and read/write set or
# be world read/write.
analyst_role = server=server1->db=analyst1, \
    server=server1->db=jranalyst1->table=*->action=select,\
    server=server1->db=default->table=*->action=select,\
    server=server1->db=test->table=*->action=select
junior_analyst_role = server=server1->db=jranalyst1
# Implies everything on server1 -> customers. Privileges for
# customers can be defined in the global policy file even though
# customers has its own policy file. Note that the privileges from
# both the global policy file and the per-DB policy file
# are merged. There is no overriding.
customers_admin_role = server=server1->db=customers
# Implies everything on server1.
admin_role = server=server1
[users]
# ----- the user -> group mapping takes effect here (LocalGroupResourceAuthorizationProvider)
hive = manager,customers_admin
hue = analyst
rube = analyst
qiulp = analyst
Upload this file to a directory in HDFS and make that directory owned by user hive, group hive.
Enable Sentry in Hive:
In CM, set hive.server2.session.hook to org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook
Set hive.sentry.conf.url to the location of the Sentry configuration (sentry-site.xml)


When connecting through Hive JDBC, the following exception occurred:
Exception in thread "main" java.sql.SQLException: Error while compiling statement: FAILED: SemanticException No valid privileges
at org.apache.hive.jdbc.Utils.verifySuccess(Utils.java:167)
at org.apache.hive.jdbc.Utils.verifySuccessWithInfo(Utils.java:155)
at org.apache.hive.jdbc.HiveStatement.execute(HiveStatement.java:210)
This means the privilege grants in the policy file are wrong for that user: no role reachable from the user's groups carries a privilege covering the requested object.
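As an added illustration (not code from this post or from Sentry itself), the following Python resolves a request the way the file-based provider does: user -> [users] groups -> [groups] roles -> [roles] privilege strings, where a part omitted from a privilege (table, action) is implied. The policy text is a constructed excerpt modelled on the one above; a request that no privilege covers ends in the same "No valid privileges" outcome as the JDBC exception.

```python
"""Resolve a Hive request against a Sentry file-based policy (sentry-provider.ini)."""

# Constructed policy excerpt modelled on the post's sentry-provider.ini (not the real file).
POLICY = """
[groups]
analyst = analyst_role
jranalyst = junior_analyst_role
admin = admin_role
[roles]
analyst_role = server=server1->db=analyst1, \\
    server=server1->db=default->table=*->action=select
junior_analyst_role = server=server1->db=jranalyst1
admin_role = server=server1
[users]
hue = analyst
rube = jranalyst
qiulp = admin
"""

def parse_policy(text):
    """Return {section: {key: [values]}}; joins backslash continuations, drops # comments."""
    sections, current = {}, None
    for line in text.replace("\\\n", "").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return sections

def privilege_allows(priv, server, db, table, action):
    """Every part the privilege names must match (or be *); parts it omits are implied,
    so 'server=server1->db=analyst1' covers all tables and all actions in analyst1."""
    parts = dict(p.split("=", 1) for p in priv.split("->"))
    wanted = {"server": server, "db": db, "table": table, "action": action}
    return all(v == "*" or v.lower() == str(wanted.get(k)).lower() for k, v in parts.items())

def check_access(policy, user, server, db, table, action):
    """user -> groups -> roles -> privileges; raise like HiveServer2 does when none match."""
    groups = policy.get("users", {}).get(user, [])
    roles = {r for g in groups for r in policy.get("groups", {}).get(g, [])}
    privs = [p for r in roles for p in policy.get("roles", {}).get(r, [])]
    if any(privilege_allows(p, server, db, table, action) for p in privs):
        return True
    raise PermissionError("No valid privileges")
```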
Comments
#1 tpxcer 2017-01-18
It works without enabling it, and once you enable it there are all sorts of pitfalls....
