Sentry permission model: authorization policy SQL
Continuing from the previous post on integrating Hive with Sentry, this post walks through Sentry's authorization model: roles, the privileges they hold, and how they reach users through groups.
Log in as the hive user. This user is configured in $HIVE_HOME/conf/sentry-site.xml:
<property>
<name>sentry.metastore.service.users</name>
<value>hive</value>
</property>
hive is the account used to grant privileges in this walkthrough, so you can think of it as the superuser. Strictly speaking, sentry.metastore.service.users lists service users that bypass Sentry's metastore-side checks; the ability to create roles and issue GRANT statements comes from membership in a Sentry admin group (sentry.service.admin.group).
beeline -u 'jdbc:hive2://localhost:10000' -n hive
List all roles; there are none yet:
0: jdbc:hive2://localhost:10000> show roles;
+-------+
| role |
+-------+
+-------+
Create an admin role, admin_role:
create role admin_role;
GRANT ALL ON SERVER server1 TO ROLE admin_role;
admin_role now holds every privilege on server1. server1 is the server name configured in sentry-site.xml:
<property>
<name>sentry.hive.server</name>
<value>server1</value>
</property>
Put simply, any group that holds admin_role has all privileges, because a server-level privilege covers every database and table beneath it.
Make the hive group an administrator by granting it admin_role, then create database test as the hive user:
GRANT ROLE admin_role TO GROUP hive;
0: jdbc:hive2://localhost:10000> create database test;
No rows affected (0.172 seconds)
0: jdbc:hive2://localhost:10000> show databases;
+----------------+
| database_name |
+----------------+
| default |
| filtered |
| sensitive |
| test |
| test1 |
+----------------+
5 rows selected (0.334 seconds)
Create a test role, xn_role, and assign it to the xn group:
0: jdbc:hive2://localhost:10000> create role xn_role;
No rows affected (0.095 seconds)
0: jdbc:hive2://localhost:10000> GRANT ROLE xn_role TO GROUP xn;
No rows affected (0.118 seconds)
The xn group now holds xn_role, but xn_role has no privileges yet.
Log in as the xn user:
beeline -u 'jdbc:hive2://localhost:10000' -n xn
show databases lists only default, because Sentry filters the listing down to databases the user has some privilege on:
0: jdbc:hive2://localhost:10000> show databases;
+----------------+
| database_name |
+----------------+
| default |
+----------------+
1 row selected (0.71 seconds)
Creating a database is also denied; CREATE DATABASE requires a server-level create privilege, which xn_role does not hold:
0: jdbc:hive2://localhost:10000> create database xn;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User xn does not have privileges for CREATEDATABASE
The required privileges: Server=server1->action=create->grantOption=false; (state=42000,code=40000)
Now, as the hive user, create database xn and grant xn_role all privileges on it:
0: jdbc:hive2://localhost:10000> create database xn
. . . . . . . . . . . . . . . .> ;
No rows affected (0.196 seconds)
0: jdbc:hive2://localhost:10000> GRANT ALL ON DATABASE xn TO ROLE xn_role;
No rows affected (0.1 seconds)
0: jdbc:hive2://localhost:10000> GRANT ROLE xn_role TO GROUP xn;
No rows affected (0.135 seconds)
Log in as xn again; the xn database is now visible:
beeline -u 'jdbc:hive2://localhost:10000' -n xn
0: jdbc:hive2://localhost:10000> show databases;
+----------------+
| database_name |
+----------------+
| default |
| xn |
+----------------+
2 rows selected (0.651 seconds)
0: jdbc:hive2://localhost:10000>
Show the current user's roles:
0: jdbc:hive2://localhost:10000> SHOW CURRENT ROLES;
+----------+
| role |
+----------+
| xn_role |
+----------+
1 row selected (0.119 seconds)
Show the privileges held by xn_role (the database-level ALL appears as privilege *):
0: jdbc:hive2://localhost:10000> SHOW GRANT ROLE xn_role;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn | | | | xn_role | ROLE | * | false | 1540965346000 | -- |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
1 row selected (0.112 seconds)
As the hive user, grant xn_role SELECT on table sensitive.events:
GRANT SELECT ON table sensitive.events TO ROLE xn_role;
0: jdbc:hive2://localhost:10000> SHOW GRANT ROLE xn_role;
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn | | | | xn_role | ROLE | * | false | 1540965346000 | -- |
| sensitive | events | | | xn_role | ROLE | SELECT | false | 1540971733000 | -- |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
0: jdbc:hive2://localhost:10000> select * from sensitive.events;
+---------------+-----------------+----------------+----------------+
| events.ip | events.country | events.client | events.action |
+---------------+-----------------+----------------+----------------+
| 10.1.2.3 | US | android | createNote |
| 10.200.88.99 | FR | windows | updateNote |
| 10.1.2.3 | US | android | updateNote |
| 10.200.88.77 | FR | ios | createNote |
| 10.1.4.5 | US | windows | updateTag |
+---------------+-----------------+----------------+----------------+
xn can now query sensitive.events. Only SELECT was granted, so next we try to write to it. First, as xn, create a table xn.events; this succeeds because xn_role has ALL on database xn (which covers creating tables in it) and SELECT on sensitive.events:
0: jdbc:hive2://localhost:10000> create table xn.events as select * from sensitive.events;
WARNING: Hive-on-MR is deprecated in Hive 2 and may not be available in the future versions. Consider using a different execution engine (i.e. spark, tez) or using Hive 1.X releases.
No rows affected (18.355 seconds)
0: jdbc:hive2://localhost:10000>
Now try inserting into sensitive.events:
0: jdbc:hive2://localhost:10000> insert into sensitive.events select * from xn.events;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User xn does not have privileges for QUERY
The required privileges: Server=server1->Db=sensitive->Table=events->action=insert->grantOption=false; (state=42000,code=40000)
Now, as the hive account, grant xn_role all privileges on table sensitive.events:
0: jdbc:hive2://localhost:10000> GRANT ALL ON table sensitive.events TO ROLE xn_role;
No rows affected (0.083 seconds)
Check xn_role's privileges again; the earlier SELECT row has been replaced by a single * row for sensitive.events:
0: jdbc:hive2://localhost:10000> SHOW GRANT ROLE xn_role;
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn | | | | xn_role | ROLE | * | false | 1540965346000 | -- |
| sensitive | events | | | xn_role | ROLE | * | false | 1540972283000 | -- |
+------------+---------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
xn now has all privileges on sensitive.events, and the insert succeeds:
0: jdbc:hive2://localhost:10000> insert into sensitive.events select * from xn.events;
WARNING: Hive-on-MR is deprecated in Hive 2 and may not be available in the future versions. Consider using a different execution engine (i.e. spark, tez) or using Hive 1.X releases.
No rows affected (17.397 seconds)
0: jdbc:hive2://localhost:10000> select * from sensitive.events;
+---------------+-----------------+----------------+----------------+
| events.ip | events.country | events.client | events.action |
+---------------+-----------------+----------------+----------------+
| 10.1.2.3 | US | android | createNote |
| 10.200.88.99 | FR | windows | updateNote |
| 10.1.2.3 | US | android | updateNote |
| 10.200.88.77 | FR | ios | createNote |
| 10.1.4.5 | US | windows | updateTag |
| 10.1.2.3 | US | android | createNote |
| 10.200.88.99 | FR | windows | updateNote |
| 10.1.2.3 | US | android | updateNote |
| 10.200.88.77 | FR | ios | createNote |
| 10.1.4.5 | US | windows | updateTag |
| 10.1.2.3 | US | android | createNote |
| 10.200.88.99 | FR | windows | updateNote |
| 10.1.2.3 | US | android | updateNote |
| 10.200.88.77 | FR | ios | createNote |
| 10.1.4.5 | US | windows | updateTag |
+---------------+-----------------+----------------+----------------+
15 rows selected (0.412 seconds)
0: jdbc:hive2://localhost:10000>
The rows have been inserted into sensitive.events.
Now let's look at revoking privileges. First, as the hive user, revoke all of xn_role's privileges on the table:
0: jdbc:hive2://localhost:10000> REVOKE ALL ON Table sensitive.events from role xn_role;
No rows affected (0.125 seconds)
Check xn_role's privileges; only the database-level grant on xn remains, and as xn the select is now denied:
0: jdbc:hive2://localhost:10000> SHOW GRANT ROLE xn_role;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| xn | | | | xn_role | ROLE | * | false | 1540965346000 | -- |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
0: jdbc:hive2://localhost:10000> select * from sensitive.events;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User xn does not have privileges for QUERY
The required privileges: Server=server1->Db=sensitive->Table=events->action=select->grantOption=false; (state=42000,code=40000)
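To make the rules behind these allow/deny decisions concrete, here is a small Python model of Sentry's authorization logic written for this post (it is not Sentry's own code): groups hold roles, roles hold privileges on the Server > Db > Table hierarchy, a privilege covers its own object and everything nested below it, ALL (*) covers every action, and a request is allowed when any role reached through the user's groups covers it. The user-to-group mapping (hive in group hive, xn in group xn) is constructed inline as a stand-in for the OS group lookup. walkthrough() replays the admin_role grant, the denied CREATE DATABASE, the CTAS into xn.events, the denied and then permitted insert into sensitive.events, and the final REVOKE ALL; check() returns the same "required privileges" string that HiveServer2 prints on denial.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ALL = "*"  # what GRANT ALL stores; SHOW GRANT ROLE prints it as '*'


@dataclass(frozen=True)
class Privilege:
    """One privilege on the Server > Db > Table hierarchy (column level omitted)."""
    server: str
    db: Optional[str] = None     # None: granted ON SERVER
    table: Optional[str] = None  # None: granted ON DATABASE (or ON SERVER)
    action: str = ALL

    def covers(self, server: str, db: Optional[str], table: Optional[str], action: str) -> bool:
        # A privilege applies to its own object and to everything nested below it,
        # so ALL ON DATABASE xn covers CREATE TABLE xn.events.
        if self.server != server:
            return False
        if self.db is not None and self.db != db:
            return False
        if self.table is not None and self.table != table:
            return False
        return self.action == ALL or self.action == action


def required(server: str, db: Optional[str], table: Optional[str], action: str) -> str:
    """Format a request the way HiveServer2 reports 'The required privileges'."""
    parts = [f"Server={server}"]
    if db:
        parts.append(f"Db={db}")
    if table:
        parts.append(f"Table={table}")
    parts += [f"action={action}", "grantOption=false"]
    return "->".join(parts)


class SentryModel:
    def __init__(self, server: str, user_groups: Dict[str, Set[str]]):
        self.server = server
        self.user_groups = user_groups               # stand-in for the OS/Hadoop group mapping
        self.roles: Dict[str, Set[Privilege]] = {}   # role -> privileges
        self.group_roles: Dict[str, Set[str]] = {}   # group -> roles (GRANT ROLE ... TO GROUP)

    def create_role(self, role: str) -> None:
        self.roles.setdefault(role, set())

    def grant(self, role: str, action: str = ALL, db: Optional[str] = None, table: Optional[str] = None) -> None:
        privs = self.roles.setdefault(role, set())
        if action == ALL:
            # GRANT ALL replaces finer grants on the same object, as the SHOW GRANT ROLE
            # output above shows (the SELECT row became a single '*' row).
            privs.difference_update({p for p in privs if (p.db, p.table) == (db, table)})
        privs.add(Privilege(self.server, db, table, action))

    def revoke(self, role: str, action: str = ALL, db: Optional[str] = None, table: Optional[str] = None) -> None:
        privs = self.roles.setdefault(role, set())
        if action == ALL:
            privs.difference_update({p for p in privs if (p.db, p.table) == (db, table)})
        else:
            # Exact match only; how Sentry narrows a '*' on a partial revoke is not modelled.
            privs.discard(Privilege(self.server, db, table, action))

    def grant_role_to_group(self, role: str, group: str) -> None:
        self.group_roles.setdefault(group, set()).add(role)

    def current_roles(self, user: str) -> Set[str]:
        """SHOW CURRENT ROLES: roles reached through the user's groups, never the user directly."""
        return {r for g in self.user_groups.get(user, set()) for r in self.group_roles.get(g, set())}

    def show_grant_role(self, role: str) -> List[Tuple[str, str, str]]:
        """(database, table, privilege) columns of SHOW GRANT ROLE."""
        return sorted((p.db or "", p.table or "", p.action) for p in self.roles.get(role, set()))

    def check(self, user: str, action: str, db: Optional[str] = None, table: Optional[str] = None) -> Tuple[bool, str]:
        """Return (allowed, required-privilege string); allowed if any role's privilege covers it."""
        need = required(self.server, db, table, action)
        allowed = any(p.covers(self.server, db, table, action)
                      for r in self.current_roles(user) for p in self.roles.get(r, set()))
        return allowed, need


def walkthrough() -> Dict[str, Tuple[bool, str]]:
    """Replay the session above. Constructed group mapping: hive in group hive, xn in group xn."""
    m = SentryModel("server1", {"hive": {"hive"}, "xn": {"xn"}})
    m.create_role("admin_role")
    m.grant("admin_role")                                     # GRANT ALL ON SERVER server1
    m.grant_role_to_group("admin_role", "hive")
    m.create_role("xn_role")
    m.grant_role_to_group("xn_role", "xn")
    out = {}
    out["hive_create_db"] = m.check("hive", "create")         # allowed via server-level ALL
    out["xn_create_db"] = m.check("xn", "create")             # denied: xn_role holds nothing yet
    m.grant("xn_role", db="xn")                               # GRANT ALL ON DATABASE xn
    m.grant("xn_role", "select", db="sensitive", table="events")
    out["xn_select"] = m.check("xn", "select", "sensitive", "events")
    out["xn_ctas"] = m.check("xn", "create", "xn", "events")  # create table xn.events as select ...
    out["xn_insert_before"] = m.check("xn", "insert", "sensitive", "events")
    m.grant("xn_role", db="sensitive", table="events")        # GRANT ALL ON TABLE sensitive.events
    out["xn_insert_after"] = m.check("xn", "insert", "sensitive", "events")
    m.revoke("xn_role", db="sensitive", table="events")       # REVOKE ALL ON TABLE sensitive.events
    out["xn_select_after_revoke"] = m.check("xn", "select", "sensitive", "events")
    return out


if __name__ == "__main__":
    for name, (allowed, need) in walkthrough().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DENY '} {need}")
```

Two design points worth noticing: privileges are never attached to users, only to roles via groups, which is why a user missing from the group mapping ends up with no roles and is denied everything; and granting a coarse privilege (ALL on a database) silently covers every object created later underneath it, so database-level ALL should be reserved for the owner of that database.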
Note
The accounts xn, test and hive used here are all Linux users. Sentry assigns roles to groups, not to users, and resolves a user's groups through the Hadoop group mapping (by default the Unix groups on the host running HiveServer2 and Sentry). So when you pass a user to beeline with -n, that host must have a matching Linux user and group; otherwise you either get a "group not exists" error, or the GRANT succeeds but the privilege never takes effect because the user resolves to no group and therefore to no role.