Introduction
Starting with Impala 1.1, Impala can be authorized through the Sentry project. Sentry adds a fine-grained authorization framework to Hadoop: authorization decides which users may access which resources and which operations they may perform on them. By default (authorization disabled) Impala performs every read and write with the privileges of the impala user, which is acceptable for a development or test environment but not for a secure production environment. With authorization enabled, Impala takes the operating-system user ID of the user running impala-shell or another client program and resolves that user's privileges through the groups the user belongs to and the roles granted to those groups.
Environment
Host | sentry | hive | impala
---|---|---|---
hadoop1 | | | impala-server
hadoop2 | | | impala-server
hadoop3 | | | impala-server
hadoop4 | | | impala-server
hadoop5 | | hive-server2 | impala-server
hadoop6 | sentry-store | | impala-catalog/impala-server
Configuration
hadoop1-6:/etc/default/impala
```bash
IMPALA_CATALOG_SERVICE_HOST=172.31.217.156
IMPALA_STATE_STORE_HOST=172.31.217.156
IMPALA_STATE_STORE_PORT=24000
IMPALA_BACKEND_PORT=22000
IMPALA_LOG_DIR=/var/log/impala
IMPALA_CATALOG_ARGS=" \
    -sentry_config=/etc/impala/conf/sentry-site.xml \
    -log_dir=${IMPALA_LOG_DIR} \
    -state_store_port=${IMPALA_STATE_STORE_PORT} \
    -state_store_host=${IMPALA_STATE_STORE_HOST}"
IMPALA_STATE_STORE_ARGS=" -log_dir=${IMPALA_LOG_DIR} -state_store_port=${IMPALA_STATE_STORE_PORT}"
IMPALA_SERVER_ARGS=" \
    -sentry_config=/etc/impala/conf/sentry-site.xml \
    -server_name=hadoop6 \
    -use_local_tz_for_unix_timestamp_conversions=true \
    -convert_legacy_hive_parquet_utc_timestamps=true \
    -log_dir=${IMPALA_LOG_DIR} \
    -catalog_service_host=${IMPALA_CATALOG_SERVICE_HOST} \
    -state_store_port=${IMPALA_STATE_STORE_PORT} \
    -use_statestore \
    -state_store_host=${IMPALA_STATE_STORE_HOST} \
    -enable_rm=true \
    -rm_always_use_defaults=true \
    -llama_host=172.31.217.156 \
    -llama_port=15000 \
    -cgroup_hierarchy_path=/cgroup/cpu \
    -be_port=${IMPALA_BACKEND_PORT}"

ENABLE_CORE_DUMPS=false

# LIBHDFS_OPTS=-Djava.library.path=/usr/lib/impala/lib
# MYSQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
# IMPALA_BIN=/usr/lib/impala/sbin
# IMPALA_HOME=/usr/lib/impala
# HIVE_HOME=/usr/lib/hive
# HBASE_HOME=/usr/lib/hbase
# IMPALA_CONF_DIR=/etc/impala/conf
# HADOOP_CONF_DIR=/etc/impala/conf
# HIVE_CONF_DIR=/etc/impala/conf
# HBASE_CONF_DIR=/etc/impala/conf
```
Note: append -server_name and -sentry_config to IMPALA_SERVER_ARGS and -sentry_config to IMPALA_CATALOG_ARGS; alternatively, point -authorization_policy_file at a policy file (stored on HDFS) instead of using the Sentry service. The -server_name value is the SERVER object that every Sentry privilege is scoped to, so it must be identical on every impalad, must match the server name Hive's Sentry binding uses, and must be the name used in GRANT ... ON SERVER. This configuration sets -server_name=hadoop6 while the grant in the test section below targets server hadoop5; the two must agree, otherwise the grant does not apply to Impala at all.
hadoop1-6:/etc/impala/conf/hive-site.xml
```xml
<configuration>
  <property><name>javax.jdo.option.ConnectionURL</name><value>jdbc:mysql://172.31.217.156:3306/metastore</value></property>
  <property><name>javax.jdo.option.ConnectionDriverName</name><value>com.mysql.jdbc.Driver</value></property>
  <property><name>javax.jdo.option.ConnectionUserName</name><value>hive</value></property>
  <property><name>javax.jdo.option.ConnectionPassword</name><value>123456</value></property>
  <property><name>datanucleus.readOnlyDatastore</name><value>false</value></property>
  <property><name>datanucleus.fixedDatastore</name><value>false</value></property>
  <property><name>datanucleus.autoCreateSchema</name><value>true</value></property>
  <property><name>datanucleus.autoCreateTables</name><value>true</value></property>
  <property><name>datanucleus.autoCreateColumns</name><value>true</value></property>
  <property><name>mapreduce.framework.name</name><value>yarn</value></property>
  <property><name>yarn.resourcemanager.resource-tracker.address</name><value>hadoop1:23125,hadoop6:23125</value></property>
  <property><name>hive.auto.convert.join</name><value>true</value></property>
  <property><name>hive.metastore.schema.verification</name><value>false</value></property>
  <property><name>hive.metastore.warehouse.dir</name><value>/user/hive/warehouse</value></property>
  <property><name>hive.warehouse.subdir.inherit.perms</name><value>true</value></property>
  <property><name>hive.metastore.uris</name><value>thrift://hadoop5:9083</value></property>
  <property><name>hive.metastore.client.socket.timeout</name><value>36000</value></property>
  <property><name>hive.zookeeper.quorum</name><value>hadoop2:2181,hadoop3:2181,hadoop4:2181</value></property>
  <property><name>hive.server2.thrift.port</name><value>10000</value></property>
  <property><name>hive.server2.thrift.bind.host</name><value>0.0.0.0</value></property>
  <property><name>hive.server2.thrift.min.worker.threads</name><value>2</value></property>
  <property><name>hive.server2.thrift.max.worker.threads</name><value>10</value></property>
  <property><name>hive.metastore.authorization.storage.checks</name><value>true</value></property>
  <property><name>dfs.client.read.shortcircuit</name><value>true</value></property>
  <property><name>dfs.domain.socket.path</name><value>/var/lib/hadoop-hdfs/dn_socket</value></property>
  <property><name>hive.execution.engine</name><value>spark</value></property>
  <property><name>hive.enable.spark.execution.engine</name><value>true</value></property>
  <property><name>spark.home</name><value>/opt/programs/spark_1.6.0</value></property>
  <property><name>hive.sentry.conf.url</name><value>file:///etc/hive/conf/sentry-site.xml</value></property>
  <property><name>hive.server2.session.hook</name><value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value></property>
  <property><name>hive.security.authorization.task.factory</name><value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value></property>
  <property><name>hive.metastore.filter.hook</name><value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value></property>
  <property><name>hive.metastore.pre.event.listeners</name><value>org.apache.sentry.binding.metastore.MetastoreAuthzBinding</value></property>
  <property><name>hive.metastore.event.listeners</name><value>org.apache.sentry.binding.metastore.SentryMetastorePostEventListener</value></property>
</configuration>
```
The original value haddop1:23125 in yarn.resourcemanager.resource-tracker.address is a typo and is corrected to hadoop1 above. The metastore JDBC password is stored in the clear in this file, so keep its permissions restricted to the service accounts that need to read it.
hadoop1-6:/etc/impala/conf/sentry-site.xml
```xml
<configuration>
  <property><name>sentry.service.client.server.rpc-port</name><value>8038</value></property>
  <property><name>sentry.service.client.server.rpc-address</name><value>hadoop6</value></property>
  <property><name>sentry.service.client.server.rpc-connection-timeout</name><value>200000</value></property>
  <property><name>sentry.service.security.mode</name><value>none</value></property>
</configuration>
```
Caveat: sentry.service.security.mode is none here and Impala itself is running without Kerberos or LDAP. Authorization is only as strong as the authentication in front of it: without an authenticated identity, the username Impala authorizes is whatever the client asserts (impala-shell accepts it with -u), so this setup separates privileges between cooperating users but does not stop anyone from claiming the admin group. For a production cluster, enable Kerberos on both Impala and the Sentry service (sentry.service.security.mode=kerberos).
Startup
Restart impala-catalog
/etc/init.d/impala-catalog restart
Restart sentry
/etc/init.d/sentry-store restart
Restart impala-server (hadoop1-6)
/etc/init.d/impala-server restart
Testing
Default privileges
Note: when logged in as the admin user, only the default database is visible; the two databases created under hive+sentry are not shown, and access has to be granted again from Impala. The default database is always listed, and every other database is listed only when the user's roles hold a privilege on it, so an empty listing after the restart means no privilege on the Impala SERVER object reached this user's group yet.
Impala authorization
```sql
CREATE ROLE impala_admin_role;
GRANT ROLE impala_admin_role TO GROUP admin;
GRANT ALL ON SERVER hadoop5 TO ROLE impala_admin_role;
```
CREATE ROLE and GRANT are accepted only from a user whose group is listed in sentry.service.admin.group on the Sentry service. The role is bound to the OS group admin, never to an individual user, and GRANT ALL ON SERVER gives that group every privilege on every database, so reserve it for administrators and grant ordinary users at DATABASE or TABLE scope.
Impala test
Note: the tables created under hive+sentry are now visible.
Log in again as the test user
Note: again only the default database is visible and none of the others, because we have not granted this user anything.
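To give the test user something narrower than the admin role above, the following is an added example (not part of the original post) of a least-privilege grant followed by the checks an operator would run before handing the account over. It assumes a database named sales that was created from Hive, a table sales.orders inside it, and an OS group named test that the test user belongs to; none of these names come from the original page.

```sql
-- Added example, not the original post's code.
-- Assumptions: database "sales" with table "sales.orders" exists; the test user
-- is a member of OS group "test"; the statements below are run by a user whose
-- group is listed in sentry.service.admin.group, against the same -server_name
-- that was used for impala_admin_role.

-- 1. A dedicated read-only role; roles are the only thing groups can be granted.
CREATE ROLE sales_reader_role;

-- 2. Least privilege: SELECT on one database, nothing at SERVER scope.
GRANT SELECT ON DATABASE sales TO ROLE sales_reader_role;

-- 3. Sentry binds roles to groups, never directly to users.
GRANT ROLE sales_reader_role TO GROUP test;

-- 4. Verify the binding and the privilege set before the user logs in.
SHOW ROLE GRANT GROUP test;
SHOW GRANT ROLE sales_reader_role;

-- 5. As the test user (impala-shell -u test): "sales" is now listed next to
--    "default", reads succeed, and anything beyond SELECT is refused with an
--    AuthorizationException because the role has no CREATE/INSERT privilege.
SHOW DATABASES;
SELECT COUNT(*) FROM sales.orders;
CREATE TABLE sales.scratch (id INT);

-- 6. Revoke the binding when the access is no longer needed; the role and its
--    privileges can be reused for the next group.
REVOKE ROLE sales_reader_role FROM GROUP test;
```

SHOW DATABASES only lists databases the current user holds a privilege on (plus default), which is exactly the behaviour the two notes above observed: visibility is the first sign that a grant has propagated from the Sentry service through catalogd to the impalads.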