CDH: Kerberos Security Authentication and Sentry Access Control Management (Part 1)

news2024/11/9 5:13:29

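1. Overview of Kerberos and Sentry

1.1 What is Kerberos

Kerberos is a computer network authentication protocol used to authenticate individual communications securely over a non-secure network. The name also refers to a suite of software that MIT developed for this protocol. The software uses a client/server design and supports mutual authentication, meaning the client and the server can each verify the other's identity. It can be used to prevent eavesdropping, prevent replay attacks, and protect data integrity, and it is a system that performs key management using symmetric-key cryptography.

1.2 What is Sentry

Apache Sentry is an open-source Hadoop component released by Cloudera; it became an Apache top-level project in March 2016. Sentry is a role-based, fine-grained authorization module that provides the ability to control and enforce access to data, or privileges on data, for authenticated users on a Hadoop cluster. It can integrate with Hive, Impala, Solr, HDFS, and HBase. Sentry is designed to be a pluggable authorization engine for Hadoop components. It lets you define authorization rules to validate access requests from users or applications for Hadoop resources.

Kerberos is mainly responsible for authenticating platform users, while Sentry is responsible for managing permissions on data.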

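2. Sentry access control without Kerberos security enabled

2.1 Add the Sentry service

This post uses Sentry for Hive as the example:

Note: for the sentry database in Figure 5, you can follow the blog post below to add the database, or directly use the following statement to create it:

CDH Big Data Platform for Beginners: Setup and Deployment (啊 这's blog, CSDN)

# Create the sentry database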
mysql> CREATE DATABASE sentry DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
Query OK, 1 row affected (0.00 sec)

 

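2.2 Enable the Sentry service in the Hive configuration

(1) Restart to apply the stale configuration

(2) Enable stored notifications in the database (check the box)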

 

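3. Access control based on the Sentry service

Note: the hive, test and other users used below are all operating-system users. The hive user was created automatically after the CDH cluster was created, and the test user was created with the system command useradd for testing.

3.1 Log in as the hive user and view role information

[root@hadoop105 ~]# beeline
beeline> !connect jdbc:hive2://localhost:10000 hive ""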
[root@hadoop105 ~]# beeline 
WARNING: Use "yarn jar" to launch YARN applications.
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/log4j-slf4j-impl-2.8.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Beeline version 2.1.1-cdh6.3.2 by Apache Hive
beeline> show roles;
No current connection
beeline> !connec jdbc:hive2://localhost:10000 hive ""
Connecting to jdbc:hive2://localhost:10000
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://localhost:10000> show roles;
Error: Error while compiling statement: FAILED: InvalidConfigurationException hive.server2.authentication can't be none in non-testing mode (state=42000,code=40000)
0: jdbc:hive2://localhost:10000>

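(1) The role information cannot be queried because the cluster has no security authentication environment enabled, so the following parameter also needs to be configured:

(2) After the restart, test again by connecting to HiveServer2 with beeline and logging in as the hive user

# Log in as the hive user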
[root@hadoop105 ~]# beeline -u 'jdbc:hive2://localhost:10000' -n hive
[root@hadoop105 ~]# beeline -u 'jdbc:hive2://localhost:10000' -n hive
WARNING: Use "yarn jar" to launch YARN applications.
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/log4j-slf4j-impl-2.8.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Connecting to jdbc:hive2://localhost:10000
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 2.1.1-cdh6.3.2 by Apache Hive
0: jdbc:hive2://localhost:10000> show roles;
INFO  : Compiling command(queryId=hive_20230329102644_1ef24095-ce04-4c10-9cc0-2e96f7a0523c): show roles
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:role, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230329102644_1ef24095-ce04-4c10-9cc0-2e96f7a0523c); Time taken: 2.816 seconds
INFO  : Executing command(queryId=hive_20230329102644_1ef24095-ce04-4c10-9cc0-2e96f7a0523c): show roles
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329102644_1ef24095-ce04-4c10-9cc0-2e96f7a0523c); Time taken: 0.145 seconds
INFO  : OK
+-------+
| role  |
+-------+
+-------+
No rows selected (3.383 seconds)
0: jdbc:hive2://localhost:10000> 

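(3) Along the way I noticed that, besides the default database, there used to be a hive_test database, but now only the default database is visible. After I disabled the Sentry service for Hive and restarted Hive, the hive_test database reappeared, which shows that Sentry is already taking effect.

# With the Sentry service enabled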
0: jdbc:hive2://localhost:10000> show databases;
INFO  : Compiling command(queryId=hive_20230329142913_e7f84bd2-a7dd-49e9-8393-b7b14d6f510f): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230329142913_e7f84bd2-a7dd-49e9-8393-b7b14d6f510f); Time taken: 0.161 seconds
INFO  : Executing command(queryId=hive_20230329142913_e7f84bd2-a7dd-49e9-8393-b7b14d6f510f): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329142913_e7f84bd2-a7dd-49e9-8393-b7b14d6f510f); Time taken: 0.015 seconds
INFO  : OK
+----------------+
| database_name  |
+----------------+
| default        |
+----------------+
1 rows selected (0.26 seconds)
0: jdbc:hive2://localhost:10000> 

# After disabling the Sentry service
+----------------+
| database_name  |
+----------------+
| default        |
| hive_test      |
+----------------+
2 rows selected (0.26 seconds)

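(4) This raises a question: when I enter the Hive CLI with the hive command without specifying a user, the current user can see the hive_test database, and that default user is the hdfs user. Yet logging in as the hdfs user through beeline does not show it. Why is that, and what is the difference between the two? And why is the default user not hive or root? (This is explained later.)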

[root@hadoop105 ~]# hive
WARNING: Use "yarn jar" to launch YARN applications.
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/log4j-slf4j-impl-2.8.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]

Logging initialized using configuration in jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/hive-common-2.1.1-cdh6.3.2.jar!/hive-log4j2.properties Async: false

WARNING: Hive CLI is deprecated and migration to Beeline is recommended.
hive> show databases;
OK
default
hive_test
Time taken: 1.366 seconds, Fetched: 2 row(s)
hive> show roles;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hdfs is not allowed to list roles. User has to belong to ADMIN role and have it as current role, for this action.
hive> 

3.2 Create an administrator role

# Create an admin role
create role admin;
# Create an admin role
0: jdbc:hive2://localhost:10000> create role admin;
INFO  : Compiling command(queryId=hive_20230329103934_e13a4a95-0202-4c4f-8ccf-d724396c7684): create role admin
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329103934_e13a4a95-0202-4c4f-8ccf-d724396c7684); Time taken: 0.044 seconds
INFO  : Executing command(queryId=hive_20230329103934_e13a4a95-0202-4c4f-8ccf-d724396c7684): create role admin
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329103934_e13a4a95-0202-4c4f-8ccf-d724396c7684); Time taken: 0.012 seconds
INFO  : OK
No rows affected (0.067 seconds)

# View role information
0: jdbc:hive2://localhost:10000> show roles;
INFO  : Compiling command(queryId=hive_20230329103940_7beb78ea-081d-4d5b-a681-a1a0a4068229): show roles
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:role, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230329103940_7beb78ea-081d-4d5b-a681-a1a0a4068229); Time taken: 0.046 seconds
INFO  : Executing command(queryId=hive_20230329103940_7beb78ea-081d-4d5b-a681-a1a0a4068229): show roles
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329103940_7beb78ea-081d-4d5b-a681-a1a0a4068229); Time taken: 0.009 seconds
INFO  : OK
+--------+
|  role  |
+--------+
| admin  |
+--------+
1 row selected (0.077 seconds)
0: jdbc:hive2://localhost:10000> 

3.3 Grant superuser privileges to the admin role

# Grant the server1 privileges to the admin role
grant all on server server1 to role admin;
# Grant the server1 privileges to the admin role
0: jdbc:hive2://localhost:10000> grant all on server server1 to role admin;
INFO  : Compiling command(queryId=hive_20230329104042_b46444f8-bc83-4f2e-8ba4-8acb36588233): grant all on server server1 to role admin
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329104042_b46444f8-bc83-4f2e-8ba4-8acb36588233); Time taken: 0.056 seconds
INFO  : Executing command(queryId=hive_20230329104042_b46444f8-bc83-4f2e-8ba4-8acb36588233): grant all on server server1 to role admin
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329104042_b46444f8-bc83-4f2e-8ba4-8acb36588233); Time taken: 0.078 seconds
INFO  : OK
No rows affected (0.148 seconds)
0: jdbc:hive2://localhost:10000> 

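3.4 Grant the admin role to the hive user

# Grant the admin role to the hive user (via the hive group)
grant role admin to group hive;
# View database information
show databases;

You can see that the hive_test database, which previously could not be seen for lack of permission, is now visible.

# Grant the admin role to the hive user (via the hive group)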
0: jdbc:hive2://localhost:10000> grant role admin to group hive;
INFO  : Compiling command(queryId=hive_20230329172329_ff78ccc3-3aec-4299-af36-b7fdfb120194): grant role admin to group hive
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329172329_ff78ccc3-3aec-4299-af36-b7fdfb120194); Time taken: 0.044 seconds
INFO  : Executing command(queryId=hive_20230329172329_ff78ccc3-3aec-4299-af36-b7fdfb120194): grant role admin to group hive
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329172329_ff78ccc3-3aec-4299-af36-b7fdfb120194); Time taken: 0.127 seconds
INFO  : OK
No rows affected (0.187 seconds)

# View database information
0: jdbc:hive2://localhost:10000> show databases;
INFO  : Compiling command(queryId=hive_20230329172334_3a8602ce-70e5-41ba-b4db-e1c8345c12ee): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230329172334_3a8602ce-70e5-41ba-b4db-e1c8345c12ee); Time taken: 0.045 seconds
INFO  : Executing command(queryId=hive_20230329172334_3a8602ce-70e5-41ba-b4db-e1c8345c12ee): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329172334_3a8602ce-70e5-41ba-b4db-e1c8345c12ee); Time taken: 0.054 seconds
INFO  : OK
+----------------+
| database_name  |
+----------------+
| default        |
| hive_test      |
+----------------+
2 rows selected (0.126 seconds)
0: jdbc:hive2://localhost:10000>

3.5 View the privileges granted to the admin role

# View the grants of the admin role
show grant role admin;
# View the grants of the admin role
0: jdbc:hive2://localhost:10000> show grant role admin;
INFO  : Compiling command(queryId=hive_20230404102437_456b8af8-0a9a-4d3c-8373-b8cad07b48d1): show grant role admin
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database, type:string, comment:from deserializer), FieldSchema(name:table, type:string, comment:from deserializer), FieldSchema(name:partition, type:string, comment:from deserializer), FieldSchema(name:column, type:string, comment:from deserializer), FieldSchema(name:principal_name, type:string, comment:from deserializer), FieldSchema(name:principal_type, type:string, comment:from deserializer), FieldSchema(name:privilege, type:string, comment:from deserializer), FieldSchema(name:grant_option, type:boolean, comment:from deserializer), FieldSchema(name:grant_time, type:bigint, comment:from deserializer), FieldSchema(name:grantor, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230404102437_456b8af8-0a9a-4d3c-8373-b8cad07b48d1); Time taken: 0.042 seconds
INFO  : Executing command(queryId=hive_20230404102437_456b8af8-0a9a-4d3c-8373-b8cad07b48d1): show grant role admin
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230404102437_456b8af8-0a9a-4d3c-8373-b8cad07b48d1); Time taken: 0.052 seconds
INFO  : OK
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| *         |        |            |         | admin           | ROLE            | *          | false         | 1680057642000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
1 row selected (0.13 seconds)

3.6 Grant database privileges to a role

(1) First create the role and grant privileges to it

# Grant select on the hive_test database to the db_role role
grant select on database hive_test to role db_role;
# Grant insert on the hive_test database to the db_role role
grant insert on database hive_test to role db_role;
# Create a db_role role
0: jdbc:hive2://localhost:10000> create role db_role;
INFO  : Compiling command(queryId=hive_20230407101005_f70152fd-582b-4cfd-b647-029de27fef68): create role db_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230407101005_f70152fd-582b-4cfd-b647-029de27fef68); Time taken: 0.039 seconds
INFO  : Executing command(queryId=hive_20230407101005_f70152fd-582b-4cfd-b647-029de27fef68): create role db_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407101005_f70152fd-582b-4cfd-b647-029de27fef68); Time taken: 0.04 seconds
INFO  : OK
No rows affected (0.087 seconds)

# Grant select on the hive_test database to the db_role role
0: jdbc:hive2://localhost:10000> grant select on database hive_test to role db_role;
INFO  : Compiling command(queryId=hive_20230407101501_508c7e5e-2048-483f-a77d-e977849ceade): grant select on database hive_test to role db_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230407101501_508c7e5e-2048-483f-a77d-e977849ceade); Time taken: 0.038 seconds
INFO  : Executing command(queryId=hive_20230407101501_508c7e5e-2048-483f-a77d-e977849ceade): grant select on database hive_test to role db_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407101501_508c7e5e-2048-483f-a77d-e977849ceade); Time taken: 0.015 seconds
INFO  : OK
No rows affected (0.062 seconds)

# Grant insert on the hive_test database to the db_role role
0: jdbc:hive2://localhost:10000> grant insert on database hive_test to role db_role;
INFO  : Compiling command(queryId=hive_20230407101509_e6d7b178-070c-422a-8650-ced7725eddab): grant insert on database hive_test to role db_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230407101509_e6d7b178-070c-422a-8650-ced7725eddab); Time taken: 0.037 seconds
INFO  : Executing command(queryId=hive_20230407101509_e6d7b178-070c-422a-8650-ced7725eddab): grant insert on database hive_test to role db_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407101509_e6d7b178-070c-422a-8650-ced7725eddab); Time taken: 0.01 seconds
INFO  : OK
No rows affected (0.054 seconds)

# View the grants of the db_role role
0: jdbc:hive2://localhost:10000> show grant role db_role;
INFO  : Compiling command(queryId=hive_20230407101911_188d900e-bf81-424e-b81c-7d79a8d869e4): show grant role db_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database, type:string, comment:from deserializer), FieldSchema(name:table, type:string, comment:from deserializer), FieldSchema(name:partition, type:string, comment:from deserializer), FieldSchema(name:column, type:string, comment:from deserializer), FieldSchema(name:principal_name, type:string, comment:from deserializer), FieldSchema(name:principal_type, type:string, comment:from deserializer), FieldSchema(name:privilege, type:string, comment:from deserializer), FieldSchema(name:grant_option, type:boolean, comment:from deserializer), FieldSchema(name:grant_time, type:bigint, comment:from deserializer), FieldSchema(name:grantor, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230407101911_188d900e-bf81-424e-b81c-7d79a8d869e4); Time taken: 0.038 seconds
INFO  : Executing command(queryId=hive_20230407101911_188d900e-bf81-424e-b81c-7d79a8d869e4): show grant role db_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407101911_188d900e-bf81-424e-b81c-7d79a8d869e4); Time taken: 0.009 seconds
INFO  : OK
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
|  database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| hive_test  |        |            |         | db_role         | ROLE            | INSERT     | false         | 1680833709000  | --       |
| hive_test  |        |            |         | db_role         | ROLE            | SELECT     | false         | 1680833701000  | --       |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
2 rows selected (0.07 seconds)

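(2) Before granting the role to the user, log in as the test user and check

# Log in as the test user
[root@hadoop105 hive]# beeline -u 'jdbc:hive2://localhost:10000' -n test
# View the current databases
0: jdbc:hive2://localhost:10000> show databases;
# Log in as the test user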
[root@hadoop105 hive]# beeline -u 'jdbc:hive2://localhost:10000' -n test
WARNING: Use "yarn jar" to launch YARN applications.
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/log4j-slf4j-impl-2.8.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Connecting to jdbc:hive2://localhost:10000
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 2.1.1-cdh6.3.2 by Apache Hive

# View the current databases
0: jdbc:hive2://localhost:10000> show databases;
INFO  : Compiling command(queryId=hive_20230407135223_f014eb1a-0051-4aef-9815-791bcedd26d3): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230407135223_f014eb1a-0051-4aef-9815-791bcedd26d3); Time taken: 0.225 seconds
INFO  : Executing command(queryId=hive_20230407135223_f014eb1a-0051-4aef-9815-791bcedd26d3): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407135223_f014eb1a-0051-4aef-9815-791bcedd26d3); Time taken: 0.055 seconds
INFO  : OK
+----------------+
| database_name  |
+----------------+
| default        |
+----------------+
1 row selected (0.352 seconds)

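(3) Assign the role to the test user and check (here you will find that a role cannot be granted to a user, only to a group).

Sentry manages permissions by mapping User identities to Groups, but Sentry can only operate on Groups, so granting to a User does not work.

# Grant the db_role role to the test group
0: jdbc:hive2://localhost:10000> grant role db_role to group test;
# Log in as the hive user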
[root@hadoop105 ~]# beeline -u 'jdbc:hive2://localhost:10000' -n hive
WARNING: Use "yarn jar" to launch YARN applications.
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/log4j-slf4j-impl-2.8.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Connecting to jdbc:hive2://localhost:10000
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 2.1.1-cdh6.3.2 by Apache Hive

# Grant the db_role role to the test user
0: jdbc:hive2://localhost:10000> grant role db_role to user test;
INFO  : Compiling command(queryId=hive_20230407141044_220c5165-6ca0-496c-ac23-514dccb1872a): grant role db_role to user test
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230407141044_220c5165-6ca0-496c-ac23-514dccb1872a); Time taken: 0.184 seconds
INFO  : Executing command(queryId=hive_20230407141044_220c5165-6ca0-496c-ac23-514dccb1872a): grant role db_role to user test
INFO  : Starting task [Stage-0:DDL] in serial mode
ERROR : FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Sentry does not allow privileges to be granted/revoked to/from: USER
INFO  : Completed executing command(queryId=hive_20230407141044_220c5165-6ca0-496c-ac23-514dccb1872a); Time taken: 0.001 seconds
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Sentry does not allow privileges to be granted/revoked to/from: USER (state=08S01,code=1)

# Grant the db_role role to the test group
0: jdbc:hive2://localhost:10000> grant role db_role to group test;
INFO  : Compiling command(queryId=hive_20230407141110_96149c59-28e4-46be-ab37-4b0a2aa20a03): grant role db_role to group test
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230407141110_96149c59-28e4-46be-ab37-4b0a2aa20a03); Time taken: 0.037 seconds
INFO  : Executing command(queryId=hive_20230407141110_96149c59-28e4-46be-ab37-4b0a2aa20a03): grant role db_role to group test
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407141110_96149c59-28e4-46be-ab37-4b0a2aa20a03); Time taken: 0.04 seconds
INFO  : OK
No rows affected (0.085 seconds)

# Log in as the test user and check
0: jdbc:hive2://localhost:10000> show databases;
INFO  : Compiling command(queryId=hive_20230407141443_c9fbfc09-2aab-48f5-9774-9ed6c87948d3): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230407141443_c9fbfc09-2aab-48f5-9774-9ed6c87948d3); Time taken: 0.038 seconds
INFO  : Executing command(queryId=hive_20230407141443_c9fbfc09-2aab-48f5-9774-9ed6c87948d3): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230407141443_c9fbfc09-2aab-48f5-9774-9ed6c87948d3); Time taken: 0.036 seconds
INFO  : OK
+----------------+
| database_name  |
+----------------+
| default        |
| hive_test      |
+----------------+
2 rows selected (0.088 seconds)

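3.7 Narrow privileges down to table operations

(1) Grant the test user only the insert privilege on the testb table of the hive_test database

# Create a test_role role
create role test_role;
# Grant insert on the testb table of the hive_test database to the test_role role
grant insert on table hive_test.testb to role test_role;
# Grant the role to the test group
grant role test_role to group test;
# Create a test_role role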
0: jdbc:hive2://localhost:10000> create role test_role;
INFO  : Compiling command(queryId=hive_20230329172749_985b7987-6f4a-465f-a6b1-324ccd87a1a5): create role test_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329172749_985b7987-6f4a-465f-a6b1-324ccd87a1a5); Time taken: 0.055 seconds
INFO  : Executing command(queryId=hive_20230329172749_985b7987-6f4a-465f-a6b1-324ccd87a1a5): create role test_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329172749_985b7987-6f4a-465f-a6b1-324ccd87a1a5); Time taken: 0.061 seconds
INFO  : OK
No rows affected (0.128 seconds)

# Grant insert on the testb table of the hive_test database to the test_role role
0: jdbc:hive2://localhost:10000> grant insert on table hive_test.testb to role test_role;
INFO  : Compiling command(queryId=hive_20230329172907_3d59d096-bdee-4b8a-bd84-ab012161bdad): grant insert on table hive_test.testb to role test_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329172907_3d59d096-bdee-4b8a-bd84-ab012161bdad); Time taken: 0.053 seconds
INFO  : Executing command(queryId=hive_20230329172907_3d59d096-bdee-4b8a-bd84-ab012161bdad): grant insert on table hive_test.testb to role test_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329172907_3d59d096-bdee-4b8a-bd84-ab012161bdad); Time taken: 0.071 seconds
INFO  : OK
No rows affected (0.137 seconds)

# Grant the role to the test group
0: jdbc:hive2://localhost:10000> grant role test_role to group test;
INFO  : Compiling command(queryId=hive_20230329172931_cde3d861-a87c-4541-8fdb-cba47f395810): grant role test_role to group test
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329172931_cde3d861-a87c-4541-8fdb-cba47f395810); Time taken: 0.053 seconds
INFO  : Executing command(queryId=hive_20230329172931_cde3d861-a87c-4541-8fdb-cba47f395810): grant role test_role to group test
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329172931_cde3d861-a87c-4541-8fdb-cba47f395810); Time taken: 0.012 seconds
INFO  : OK
No rows affected (0.075 seconds)

(2) View the privileges granted to the test_role role

# View the grants of the test_role role
show grant role test_role;
# View the grants of the test_role role
0: jdbc:hive2://localhost:10000> show grant role test_role;
INFO  : Compiling command(queryId=hive_20230404102508_879ce71f-dac6-4575-9035-40f355b3c1be): show grant role test_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database, type:string, comment:from deserializer), FieldSchema(name:table, type:string, comment:from deserializer), FieldSchema(name:partition, type:string, comment:from deserializer), FieldSchema(name:column, type:string, comment:from deserializer), FieldSchema(name:principal_name, type:string, comment:from deserializer), FieldSchema(name:principal_type, type:string, comment:from deserializer), FieldSchema(name:privilege, type:string, comment:from deserializer), FieldSchema(name:grant_option, type:boolean, comment:from deserializer), FieldSchema(name:grant_time, type:bigint, comment:from deserializer), FieldSchema(name:grantor, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230404102508_879ce71f-dac6-4575-9035-40f355b3c1be); Time taken: 0.044 seconds
INFO  : Executing command(queryId=hive_20230404102508_879ce71f-dac6-4575-9035-40f355b3c1be): show grant role test_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230404102508_879ce71f-dac6-4575-9035-40f355b3c1be); Time taken: 0.007 seconds
INFO  : OK
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
|  database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| hive_test  | testb  |            |         | test_role       | ROLE            | INSERT     | false         | 1680082147000  | --       |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
1 row selected (0.073 seconds)

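(3) Log in as the test user and check (indeed only the testb table is visible; the other tables are not)

# Log in as the test user
[root@hadoop105 ~]# beeline -u 'jdbc:hive2://localhost:10000' -n test
# View the relevant tables
use hive_test;
show tables;
# Log in as the test user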
[root@hadoop105 ~]# beeline -u 'jdbc:hive2://localhost:10000' -n test
WARNING: Use "yarn jar" to launch YARN applications.
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/log4j-slf4j-impl-2.8.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Connecting to jdbc:hive2://localhost:10000
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 2.1.1-cdh6.3.2 by Apache Hive

# View database information
0: jdbc:hive2://localhost:10000> show databases;
INFO  : Compiling command(queryId=hive_20230329173530_1edaeb5c-71dd-48d8-b5ed-2e70aba3c442): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230329173530_1edaeb5c-71dd-48d8-b5ed-2e70aba3c442); Time taken: 0.21 seconds
INFO  : Executing command(queryId=hive_20230329173530_1edaeb5c-71dd-48d8-b5ed-2e70aba3c442): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329173530_1edaeb5c-71dd-48d8-b5ed-2e70aba3c442); Time taken: 0.042 seconds
INFO  : OK
+----------------+
| database_name  |
+----------------+
| default        |
| hive_test      |
+----------------+
2 rows selected (0.337 seconds)

# Switch to the hive_test database
0: jdbc:hive2://localhost:10000> use hive_test;
INFO  : Compiling command(queryId=hive_20230329173539_c54bd676-644e-4fb9-a8bf-7962d607e489): use hive_test
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230329173539_c54bd676-644e-4fb9-a8bf-7962d607e489); Time taken: 0.073 seconds
INFO  : Executing command(queryId=hive_20230329173539_c54bd676-644e-4fb9-a8bf-7962d607e489): use hive_test
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329173539_c54bd676-644e-4fb9-a8bf-7962d607e489); Time taken: 0.005 seconds
INFO  : OK
No rows affected (0.089 seconds)

# List the tables
0: jdbc:hive2://localhost:10000> show tables;
INFO  : Compiling command(queryId=hive_20230329173543_12e2eeda-6294-4c98-9f5b-5309b2f93003): show tables
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:tab_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230329173543_12e2eeda-6294-4c98-9f5b-5309b2f93003); Time taken: 0.051 seconds
INFO  : Executing command(queryId=hive_20230329173543_12e2eeda-6294-4c98-9f5b-5309b2f93003): show tables
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230329173543_12e2eeda-6294-4c98-9f5b-5309b2f93003); Time taken: 0.048 seconds
INFO  : OK
+-----------+
| tab_name  |
+-----------+
| testb     |
+-----------+
1 row selected (0.122 seconds)

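3.8 Testing query and insert privileges and related operations

(1) Test inserting a row

# Query the contents of the testb table
select * from testb;
# Insert a row
insert into table testb values (10,'hive10','SH','2023-04-01');
# Query the contents of the testb table (this fails because the SELECT privilege has not been granted)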
0: jdbc:hive2://localhost:10000> select * from testb;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User test does not have privileges for QUERY
 The required privileges: Server=server1->Db=hive_test->Table=testb->Column=create_time->action=select->grantOption=false; (state=42000,code=40000)

# Insert a row
0: jdbc:hive2://localhost:10000> insert into table testb values (10,'hive10','SH','2023-04-01');
INFO  : Compiling command(queryId=hive_20230404111842_b8bdadf2-c6b6-43e0-8dbc-35fde8037edd): insert into table testb values (10,'hive10','SH','2023-04-01')
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:_col0, type:int, comment:null), FieldSchema(name:_col1, type:string, comment:null), FieldSchema(name:_col2, type:string, comment:null), FieldSchema(name:_col3, type:string, comment:null)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230404111842_b8bdadf2-c6b6-43e0-8dbc-35fde8037edd); Time taken: 0.216 seconds
INFO  : Executing command(queryId=hive_20230404111842_b8bdadf2-c6b6-43e0-8dbc-35fde8037edd): insert into table testb values (10,'hive10','SH','2023-04-01')
WARN  : 
INFO  : Query ID = hive_20230404111842_b8bdadf2-c6b6-43e0-8dbc-35fde8037edd
INFO  : Total jobs = 3
INFO  : Launching Job 1 out of 3
INFO  : Starting task [Stage-1:MAPRED] in serial mode
INFO  : Number of reduce tasks is set to 0 since there's no reduce operator
INFO  : number of splits:1
INFO  : Submitting tokens for job: job_1680499262933_0006
INFO  : Executing with tokens: []
INFO  : The url to track the job: http://hadoop105:8088/proxy/application_1680499262933_0006/
INFO  : Starting Job = job_1680499262933_0006, Tracking URL = http://hadoop105:8088/proxy/application_1680499262933_0006/
INFO  : Kill Command = /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/lib/hadoop/bin/hadoop job  -kill job_1680499262933_0006

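Problem: the output above shows that there is no SELECT privilege. The insert did not report an error, but its execution hung, and the table could not be viewed as the hive user either.

Recovery: pressing Ctrl+C in the hung shell aborted the statement, and queries returned to normal. (It eventually turned out that the firewall was the cause: the hang occurred even with all the service ports used by Hive opened, so the firewall was temporarily disabled so as not to affect the remaining tests.)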

(2) Insert the row again

0: jdbc:hive2://localhost:10000> insert into table testb values (10,'hive10','SH','2023-04-01');
INFO  : Compiling command(queryId=hive_20230406102417_4620de68-f8ba-4d54-b38b-da2e09a21cd1): insert into table testb values (10,'hive10','SH','2023-04-01')
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:_col0, type:int, comment:null), FieldSchema(name:_col1, type:string, comment:null), FieldSchema(name:_col2, type:string, comment:null), FieldSchema(name:_col3, type:string, comment:null)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230406102417_4620de68-f8ba-4d54-b38b-da2e09a21cd1); Time taken: 0.125 seconds
INFO  : Executing command(queryId=hive_20230406102417_4620de68-f8ba-4d54-b38b-da2e09a21cd1): insert into table testb values (10,'hive10','SH','2023-04-01')
WARN  : 
INFO  : Query ID = hive_20230406102417_4620de68-f8ba-4d54-b38b-da2e09a21cd1
INFO  : Total jobs = 3
INFO  : Launching Job 1 out of 3
INFO  : Starting task [Stage-1:MAPRED] in serial mode
INFO  : Number of reduce tasks is set to 0 since there's no reduce operator
INFO  : number of splits:1
INFO  : Submitting tokens for job: job_1680499262933_0033
INFO  : Executing with tokens: []
INFO  : The url to track the job: http://hadoop105:8088/proxy/application_1680499262933_0033/
INFO  : Starting Job = job_1680499262933_0033, Tracking URL = http://hadoop105:8088/proxy/application_1680499262933_0033/
INFO  : Kill Command = /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/lib/hadoop/bin/hadoop job  -kill job_1680499262933_0033
INFO  : Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 0
INFO  : 2023-04-06 10:24:22,904 Stage-1 map = 0%,  reduce = 0%
INFO  : 2023-04-06 10:24:28,023 Stage-1 map = 100%,  reduce = 0%, Cumulative CPU 2.91 sec
INFO  : MapReduce Total cumulative CPU time: 2 seconds 910 msec
INFO  : Ended Job = job_1680499262933_0033
INFO  : Starting task [Stage-7:CONDITIONAL] in serial mode
INFO  : Stage-4 is selected by condition resolver.
INFO  : Stage-3 is filtered out by condition resolver.
INFO  : Stage-5 is filtered out by condition resolver.
INFO  : Starting task [Stage-4:MOVE] in serial mode
INFO  : Moving data to directory hdfs://hadoop105:8020/user/hive/warehouse/hive_test.db/testb/.hive-staging_hive_2023-04-06_10-24-17_212_2711266780108748282-7/-ext-10000 from hdfs://hadoop105:8020/user/hive/warehouse/hive_test.db/testb/.hive-staging_hive_2023-04-06_10-24-17_212_2711266780108748282-7/-ext-10002
INFO  : Starting task [Stage-0:MOVE] in serial mode
INFO  : Loading data to table hive_test.testb from hdfs://hadoop105:8020/user/hive/warehouse/hive_test.db/testb/.hive-staging_hive_2023-04-06_10-24-17_212_2711266780108748282-7/-ext-10000
INFO  : Starting task [Stage-2:STATS] in serial mode
INFO  : MapReduce Jobs Launched: 
INFO  : Stage-Stage-1: Map: 1   Cumulative CPU: 2.91 sec   HDFS Read: 4747 HDFS Write: 95 HDFS EC Read: 0 SUCCESS
INFO  : Total MapReduce CPU Time Spent: 2 seconds 910 msec
INFO  : Completed executing command(queryId=hive_20230406102417_4620de68-f8ba-4d54-b38b-da2e09a21cd1); Time taken: 12.272 seconds
INFO  : OK
1 row affected (12.414 seconds)

(3) Grant the SELECT privilege so that the data can be viewed

# Grant the SELECT privilege to the test_role role
grant select on table hive_test.testb to role test_role;
# Grant the SELECT privilege to the test_role role
0: jdbc:hive2://localhost:10000> grant select on table hive_test.testb to role test_role;
INFO  : Compiling command(queryId=hive_20230404135022_a271e8c3-a0dd-404a-afec-bc4e9063cc1f): grant select on table hive_test.testb to role test_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20230404135022_a271e8c3-a0dd-404a-afec-bc4e9063cc1f); Time taken: 0.041 seconds
INFO  : Executing command(queryId=hive_20230404135022_a271e8c3-a0dd-404a-afec-bc4e9063cc1f): grant select on table hive_test.testb to role test_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230404135022_a271e8c3-a0dd-404a-afec-bc4e9063cc1f); Time taken: 0.083 seconds
INFO  : OK
No rows affected (0.133 seconds)

# Show the grants held by the test_role role
0: jdbc:hive2://localhost:10000> show grant role test_role;
INFO  : Compiling command(queryId=hive_20230404135043_ae58bc77-0b64-424f-9b52-58cf15b299e1): show grant role test_role
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database, type:string, comment:from deserializer), FieldSchema(name:table, type:string, comment:from deserializer), FieldSchema(name:partition, type:string, comment:from deserializer), FieldSchema(name:column, type:string, comment:from deserializer), FieldSchema(name:principal_name, type:string, comment:from deserializer), FieldSchema(name:principal_type, type:string, comment:from deserializer), FieldSchema(name:privilege, type:string, comment:from deserializer), FieldSchema(name:grant_option, type:boolean, comment:from deserializer), FieldSchema(name:grant_time, type:bigint, comment:from deserializer), FieldSchema(name:grantor, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230404135043_ae58bc77-0b64-424f-9b52-58cf15b299e1); Time taken: 0.042 seconds
INFO  : Executing command(queryId=hive_20230404135043_ae58bc77-0b64-424f-9b52-58cf15b299e1): show grant role test_role
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20230404135043_ae58bc77-0b64-424f-9b52-58cf15b299e1); Time taken: 0.009 seconds
INFO  : OK
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
|  database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| hive_test  | testb  |            |         | test_role       | ROLE            | INSERT     | false         | 1680082147000  | --       |
| hive_test  | testb  |            |         | test_role       | ROLE            | SELECT     | false         | 1680587422000  | --       |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+

(4) View the data in the testb table

0: jdbc:hive2://localhost:10000> select * from testb;
INFO  : Compiling command(queryId=hive_20230406102530_019e45ee-564d-48f1-b197-3672233496ee): select * from testb
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:testb.id, type:int, comment:null), FieldSchema(name:testb.name, type:string, comment:null), FieldSchema(name:testb.area, type:string, comment:null), FieldSchema(name:testb.create_time, type:string, comment:null)], properties:null)
INFO  : Completed compiling command(queryId=hive_20230406102530_019e45ee-564d-48f1-b197-3672233496ee); Time taken: 0.232 seconds
INFO  : Executing command(queryId=hive_20230406102530_019e45ee-564d-48f1-b197-3672233496ee): select * from testb
INFO  : Completed executing command(queryId=hive_20230406102530_019e45ee-564d-48f1-b197-3672233496ee); Time taken: 0.0 seconds
INFO  : OK
+-----------+-------------+-------------+--------------------+
| testb.id  | testb.name  | testb.area  | testb.create_time  |
+-----------+-------------+-------------+--------------------+
| 1         | hive1       | JH          | 2023-04-01         |
| 2         | hive2       | CB          | 2023-04-01         |
| 3         | hive3       | NG          | 2023-04-01         |
| 4         | hive4       | DA          | 2023-04-01         |
| 5         | hive5       | RH          | 2023-04-01         |
| 6         | hive6       | CZ          | 2023-04-01         |
| 7         | hive7       | TS          | 2023-04-01         |
| 8         | hive8       | KJ          | 2023-04-01         |
| 9         | hive9       | EF          | 2023-04-01         |
| 10        | hive10      | SH          | 2023-04-01         |
+-----------+-------------+-------------+--------------------+
10 rows selected (0.298 seconds)
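
The denial in step (1) and the grant in step (3) can be tied together mechanically. The following is an added example, not part of the original post: it parses the Sentry error and the `show grant role test_role` rows shown above and reports which grant the role lacks. The function names and the scope-coverage rule in `covers` are assumptions made for illustration.

```python
import re

# Sample input copied from this page: the Sentry error and the grant rows for test_role.
ERROR = """Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User test does not have privileges for QUERY
 The required privileges: Server=server1->Db=hive_test->Table=testb->Column=create_time->action=select->grantOption=false; (state=42000,code=40000)"""
GRANTS_AFTER = """\
|  database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
| hive_test  | testb  |            |         | test_role       | ROLE            | INSERT     | false         | 1680082147000  | --       |
| hive_test  | testb  |            |         | test_role       | ROLE            | SELECT     | false         | 1680587422000  | --       |
"""
# Constructed: the same table as it stood before step (3), i.e. without the SELECT row.
GRANTS_BEFORE = "\n".join(ln for ln in GRANTS_AFTER.splitlines() if "SELECT" not in ln)


def parse_grants(text):
    """Turn beeline's ASCII table into one dict per grant row (border lines are skipped)."""
    rows = [[c.strip() for c in line.strip()[1:-1].split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    return [dict(zip(rows[0], r)) for r in rows[1:]] if rows else []


def parse_required(error):
    """Extract the scope and action that Sentry reports as missing."""
    m = re.search(r"The required privileges: (\S+?);", error)
    if not m:
        raise ValueError("no Sentry 'required privileges' clause found")
    kv = dict(p.split("=", 1) for p in m.group(1).split("->"))
    return {"database": kv.get("Db", ""), "table": kv.get("Table", ""),
            "column": kv.get("Column", ""), "action": kv["action"].upper()}


def covers(grant, need):
    """Assumed, simplified model: empty or '*' scope covers all below; ALL/'*' any action."""
    for level in ("database", "table", "column"):
        if grant[level] in ("", "*"):
            break
        if grant[level].lower() != need[level].lower():
            return False
    return grant["privilege"].upper() in ("ALL", "*", need["action"])


def missing_grant(error, grants_text, role):
    """Return None if the role already covers the denied action, else a GRANT to review."""
    need = parse_required(error)
    if any(g["principal_name"] == role and covers(g, need) for g in parse_grants(grants_text)):
        return None
    # Table-level grant, as the page uses; a column-level grant would be narrower.
    return f"GRANT {need['action']} ON TABLE {need['database']}.{need['table']} TO ROLE {role};"


if __name__ == "__main__":
    for table in (GRANTS_BEFORE, GRANTS_AFTER):
        print(missing_grant(ERROR, table, "test_role"))
```

Run against the rows as they stood before step (3), it proposes the same table-level SELECT grant the post issues; run against the rows after step (3), it reports nothing missing.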

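        This concludes the test of Hive access control in an environment where security authentication is not enabled. The next post covers the process and configuration for enabling Kerberos authentication.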
