
Sentry Permission Model: Authorization Policy SQL

Continuing from the previous post on integrating Hive with Sentry, this one looks at Sentry's authorization model.

Log in as the hive user. This hive user is the one configured in $HIVE_HOME/conf/sentry-site.xml:

  <property>
    <name>sentry.metastore.service.users</name>
    <value>hive</value>
  </property>

hive is the account used to grant privileges; think of it as the superuser.

beeline -u 'jdbc:hive2://localhost:10000' -n hive

List all roles; there are none yet:

0: jdbc:hive2://localhost:10000> show roles;
+-------+
| role  |
+-------+
+-------+

Create the admin role admin_role:

create role admin_role;
GRANT ALL ON SERVER server1 TO ROLE admin_role;

admin_role holds every privilege on server1; server1 is the server name configured in sentry-site.xml:

  <property>
    <name>sentry.hive.server</name>
    <value>server1</value>
  </property>

Put simply, any user group that holds admin_role has all privileges.
Make the hive user group an administrator, then create the database test as the hive user:

GRANT ROLE admin_role TO GROUP hive;
create database test;

0: jdbc:hive2://localhost:10000> create database test;
No rows affected (0.172 seconds)
0: jdbc:hive2://localhost:10000> show databases;
+----------------+
| database_name  |
+----------------+
| default        |
| filtered       |
| sensitive      |
| test           |
| test1          |
+----------------+
5 rows selected (0.334 seconds)

Create a test role, xn_role, and assign it to the xn user group:

0: jdbc:hive2://localhost:10000> create role xn_role;
No rows affected (0.095 seconds)
0: jdbc:hive2://localhost:10000> GRANT ROLE xn_role TO GROUP xn;
No rows affected (0.118 seconds)

The xn group now holds xn_role, but xn_role itself has no privileges yet.

Log in as the xn user:
beeline -u 'jdbc:hive2://localhost:10000' -n xn

show databases lists no databases besides default:
0: jdbc:hive2://localhost:10000> show databases;
+----------------+
| database_name  |
+----------------+
| default        |
+----------------+
1 row selected (0.71 seconds)

And there is no privilege to create a database either:

0: jdbc:hive2://localhost:10000> create database xn;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User xn does not have privileges for CREATEDATABASE
 The required privileges: Server=server1->action=create->grantOption=false; (state=42000,code=40000)

Now, as the hive user, create the database xn and grant the privileges on it to xn_role:

0: jdbc:hive2://localhost:10000> create database xn
. . . . . . . . . . . . . . . .> ;
No rows affected (0.196 seconds)
0: jdbc:hive2://localhost:10000> GRANT ALL ON DATABASE xn TO ROLE xn_role;
No rows affected (0.1 seconds)
0: jdbc:hive2://localhost:10000> GRANT ROLE xn_role TO GROUP xn;
No rows affected (0.135 seconds)

Log in as the xn user:

beeline -u 'jdbc:hive2://localhost:10000' -n xn
0: jdbc:hive2://localhost:10000> show databases;
+----------------+
| database_name  |
+----------------+
| default        |
| xn             |
+----------------+
2 rows selected (0.651 seconds)
0: jdbc:hive2://localhost:10000> 

Show the current user's roles:

0: jdbc:hive2://localhost:10000> SHOW CURRENT ROLES;
+----------+
|   role   |
+----------+
| xn_role  |
+----------+
1 row selected (0.119 seconds)

Show the privileges held by xn_role:

0: jdbc:hive2://localhost:10000> SHOW GRANT ROLE xn_role;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn        |        |            |         | xn_role         | ROLE            | *          | false         | 1540965346000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
1 row selected (0.112 seconds)

Grant xn_role SELECT on the table sensitive.events:

GRANT SELECT ON table sensitive.events TO ROLE xn_role;

0: jdbc:hive2://localhost:10000>  SHOW GRANT ROLE xn_role;
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
|  database  |  table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn         |         |            |         | xn_role         | ROLE            | *          | false         | 1540965346000  | --       |
| sensitive  | events  |            |         | xn_role         | ROLE            | SELECT     | false         | 1540971733000  | --       |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
0: jdbc:hive2://localhost:10000> select * from sensitive.events;
+---------------+-----------------+----------------+----------------+
|   events.ip   | events.country  | events.client  | events.action  |
+---------------+-----------------+----------------+----------------+
| 10.1.2.3      | US              | android        | createNote     |
| 10.200.88.99  | FR              | windows        | updateNote     |
| 10.1.2.3      | US              | android        | updateNote     |
| 10.200.88.77  | FR              | ios            | createNote     |
| 10.1.4.5      | US              | windows        | updateTag      |
+---------------+-----------------+----------------+----------------+

The xn user can now query sensitive.events. Only SELECT was granted, so next try inserting some data. First create a table xn.events:

0: jdbc:hive2://localhost:10000> create table xn.events as select * from sensitive.events;
WARNING: Hive-on-MR is deprecated in Hive 2 and may not be available in the future versions. Consider using a different execution engine (i.e. spark, tez) or using Hive 1.X releases.
No rows affected (18.355 seconds)
0: jdbc:hive2://localhost:10000> 

Try inserting data:

0: jdbc:hive2://localhost:10000> insert into sensitive.events select * from xn.events;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User xn does not have privileges for QUERY
 The required privileges: Server=server1->Db=sensitive->Table=events->action=insert->grantOption=false; (state=42000,code=40000)

Now, with the hive account, grant xn_role all privileges on the table sensitive.events:

0: jdbc:hive2://localhost:10000>  GRANT ALL ON table sensitive.events TO ROLE xn_role;
No rows affected (0.083 seconds)

Check the xn user's privileges:

0: jdbc:hive2://localhost:10000>  SHOW GRANT ROLE xn_role;
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
|  database  |  table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn         |         |            |         | xn_role         | ROLE            | *          | false         | 1540965346000  | --       |
| sensitive  | events  |            |         | xn_role         | ROLE            | *          | false         | 1540972283000  | --       |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+

xn now holds all privileges on the table sensitive.events:

0: jdbc:hive2://localhost:10000> insert into sensitive.events select * from xn.events;
WARNING: Hive-on-MR is deprecated in Hive 2 and may not be available in the future versions. Consider using a different execution engine (i.e. spark, tez) or using Hive 1.X releases.
No rows affected (17.397 seconds)
0: jdbc:hive2://localhost:10000> select * from sensitive.events;
+---------------+-----------------+----------------+----------------+
|   events.ip   | events.country  | events.client  | events.action  |
+---------------+-----------------+----------------+----------------+
| 10.1.2.3      | US              | android        | createNote     |
| 10.200.88.99  | FR              | windows        | updateNote     |
| 10.1.2.3      | US              | android        | updateNote     |
| 10.200.88.77  | FR              | ios            | createNote     |
| 10.1.4.5      | US              | windows        | updateTag      |
| 10.1.2.3      | US              | android        | createNote     |
| 10.200.88.99  | FR              | windows        | updateNote     |
| 10.1.2.3      | US              | android        | updateNote     |
| 10.200.88.77  | FR              | ios            | createNote     |
| 10.1.4.5      | US              | windows        | updateTag      |
| 10.1.2.3      | US              | android        | createNote     |
| 10.200.88.99  | FR              | windows        | updateNote     |
| 10.1.2.3      | US              | android        | updateNote     |
| 10.200.88.77  | FR              | ios            | createNote     |
| 10.1.4.5      | US              | windows        | updateTag      |
+---------------+-----------------+----------------+----------------+
15 rows selected (0.412 seconds)
0: jdbc:hive2://localhost:10000>

The data has been inserted into sensitive.events.

Now let's look at how privileges are revoked. First revoke all of xn_role's privileges on the table:

0: jdbc:hive2://localhost:10000> REVOKE ALL ON Table sensitive.events from role xn_role;
No rows affected (0.125 seconds)

Check xn_role's privileges again:

0: jdbc:hive2://localhost:10000>  SHOW GRANT ROLE xn_role;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn        |        |            |         | xn_role         | ROLE            | *          | false         | 1540965346000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
0: jdbc:hive2://localhost:10000> select * from sensitive.events;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User xn does not have privileges for QUERY
 The required privileges: Server=server1->Db=sensitive->Table=events->action=select->grantOption=false; (state=42000,code=40000)
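The SHOW GRANT ROLE listings above are the artifact a reviewer actually audits: a `*` privilege at database scope (as granted with GRANT ALL ON DATABASE xn) is far broader than the table-level SELECT that the role needed for its query. The following is an added example, not code from the original post or from Sentry, that parses the ASCII table beeline prints for SHOW GRANT ROLE and flags wildcard grants above table scope and any grant carrying grant_option. The sample listing is constructed from the table format shown on this page; the helper names (parse_show_grant, broad_grants) and the rule that an empty database column means server scope are assumptions of this example.

```python
"""Audit a beeline `SHOW GRANT ROLE` listing for over-broad Sentry grants.

Added example, not part of the original post. Parses the ASCII table that
beeline prints and reports `*` (ALL) privileges granted above table scope,
plus any grant that carries grant_option.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the same layout beeline printed after
# `GRANT ALL ON DATABASE xn` and `GRANT SELECT ON table sensitive.events`.
SAMPLE_OUTPUT = """\
0: jdbc:hive2://localhost:10000>  SHOW GRANT ROLE xn_role;
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
|  database  |  table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   grant_time   | grantor  |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn         |         |            |         | xn_role         | ROLE            | *          | false         | 1540965346000  | --       |
| sensitive  | events  |            |         | xn_role         | ROLE            | SELECT     | false         | 1540971733000  | --       |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
2 rows selected (0.112 seconds)
"""


@dataclass
class Grant:
    database: str
    table: str
    column: str
    principal: str
    privilege: str
    grant_option: bool

    @property
    def scope(self) -> str:
        """Narrowest object named by the row; empty columns mean a wider scope.
        Assumption: a row with no database at all is a server-level grant."""
        if self.column:
            return "column"
        if self.table:
            return "table"
        if self.database:
            return "database"
        return "server"

    @property
    def target(self) -> str:
        parts = [p for p in (self.database, self.table, self.column) if p]
        return ".".join(parts) or "server"


def parse_show_grant(output: str) -> list[Grant]:
    """Parse beeline's boxed table; the first '|' line is the header row."""
    grants: list[Grant] = []
    header: list[str] | None = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue  # skip the prompt, +---+ borders and "n rows selected"
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
            continue
        rec = dict(zip(header, cells))
        grants.append(Grant(
            database=rec["database"],
            table=rec["table"],
            column=rec["column"],
            principal=rec["principal_name"],
            privilege=rec["privilege"],
            grant_option=rec["grant_option"].lower() == "true",
        ))
    return grants


def broad_grants(grants: list[Grant],
                 allowed_wildcard_scopes: tuple[str, ...] = ("table", "column")
                 ) -> list[str]:
    """Return one finding per grant that is wider than the policy allows."""
    findings: list[str] = []
    for g in grants:
        if g.privilege == "*" and g.scope not in allowed_wildcard_scopes:
            findings.append(
                f"{g.principal}: ALL (*) at {g.scope} scope on {g.target}")
        if g.grant_option:
            findings.append(
                f"{g.principal}: grant option on {g.target} ({g.privilege})")
    return findings


if __name__ == "__main__":
    for finding in broad_grants(parse_show_grant(SAMPLE_OUTPUT)):
        print(finding)
```

Run it against a pasted SHOW GRANT ROLE listing for each role; an empty finding list means every wildcard grant is at table scope or narrower. The SELECT row is not flagged, which is the shape the later part of this post arrives at after the REVOKE.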

Note

The accounts xn, test and hive used here are all Linux users. When you pass a user to beeline with -n, the corresponding user group must exist on the Linux system; otherwise you get a "group not exists" error, or the grant appears to succeed but the privileges never take effect.