Hive: adding ordinary users with only the SELECT privilege and no CREATE or DROP
I just received a request from a customer to add four ordinary Hive users that have the SELECT privilege but not CREATE DATABASE/TABLE or DROP DATABASE/TABLE; only the amos user keeps SELECT, CREATE, DROP, REVOKE and all other privileges.
After a lot of searching online, the solution I ended up with is:
1. First, log in to Hive as amos and grant yourself all privileges on database dmp:
[amos@DMP-GATEWAY amos]$ cd /opt/amos/hive/bin/
[amos@DMP-GATEWAY bin]$ ./hive
hive> grant all on database dmp to user amos;
2. Add the ordinary Linux user mcduser1
On the CentOS 6.7 gateway, add the mcduser1 account: useradd mcduser1
3. Change the permissions on HDFS
hadoop fs -chmod -R 777 /user/hive/warehouse
hadoop fs -chmod -R 777 /tmp
Note that 777 makes the warehouse and /tmp world-writable in HDFS: any account that can reach HDFS can then read or modify the table files directly with hadoop fs, without going through Hive, so the Hive-level restrictions set up below only apply to access that goes through Hive.
4. Edit the Hive configuration file hive-site.xml to turn on authorization, then restart the Hive services: metastore, HiveServer2 and hwi.
<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>enable or disable the hive client authorization</description>
</property>
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
  <description>the privileges automatically granted to the owner whenever a table gets created. An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
</property>
5. Log in to Hive as the superuser amos and grant the SELECT privilege to the ordinary user mcduser1:
[amos@DMP-GATEWAY amos]$ cd /opt/amos/hive/bin/
[amos@DMP-GATEWAY bin]$ ./hive
hive> grant select on database dmp to user mcduser1;
Note: if a privilege was granted by mistake, it can be removed with REVOKE, for example:
hive> revoke select on database dmp from user amos;
6、測(cè)試發(fā)現(xiàn)mcduser1用戶使用select count(*)啟動(dòng)的mapreduce,但是會(huì)自動(dòng)失敗,最后看yarn日志錯(cuò)誤是:
Diagnostics: Application application_1484125831039_0001 failed 3 times due to AM Containerfor appattempt_1484125831039_0001_000003 exited with exitCode: -1000 For more detailed output, check application trackingpage:http://DMP-DEV01:8088/cluster/app/application_1484125831039_0001Then,click on links to logs of each attempt. Diagnostics: Application application_1484125831039_0001 initialization failed(exitCode=255) with output: User mcduser1 not found Failing this attempt. Failing the application.
It turned out that the gateway server had the mcduser1 account but the NodeManagers did not. Use Ansible to add the user on every node server; note the use of useradd -s /sbin/nologin mcduser1 so that mcduser1 cannot log in on the NodeManagers.
[root@mcddmpfe01 ~]# ansible amosDnNodes -m shell -a 'useradd -s /sbin/nologin mcduser1'
/opt/amos/python2.7/lib/python2.7/site-packages/pycrypto-2.6.1-py2.7-linux-x86_64.egg/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
mcddmpnode05 | SUCCESS | rc=0 >>
mcddmpnode01 | SUCCESS | rc=0 >>
mcddmpnode03 | SUCCESS | rc=0 >>
mcddmpnode02 | SUCCESS | rc=0 >>
mcddmpnode04 | SUCCESS | rc=0 >>
mcddmpnode07 | SUCCESS | rc=0 >>
mcddmpnode06 | SUCCESS | rc=0 >>
mcddmpnode08 | SUCCESS | rc=0 >>
測(cè)試通過,普通用戶可以在hive上通過select count(*) from table啟動(dòng)mapreduce程序。
hive> select count(*) from store_master; Query ID = hiveuser1_20170112122713_fea2188b-7e19-4a9a-896d-ec472c60d0ca Total jobs = 1 Launching Job 1 out of 1 Number of reduce tasks determined at compile time: 1 In order to change the average load for a reducer (in bytes): sethive.exec.reducers.bytes.per.reducer=<number> In order to limit the maximum number of reducers: sethive.exec.reducers.max=<number> In order to set a constant number of reducers: setmapreduce.job.reduces=<number> Starting Job = job_1484051373423_1338, Tracking URL =http://mcddmpfe02:8088/proxy/application_1484051373423_1338/ Kill Command = /opt/amos/hadoop/bin/hadoop job -killjob_1484051373423_1338 Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 1 2017-01-12 12:27:36,289 Stage-1 map = 0%, reduce = 0% 2017-01-12 12:27:48,349 Stage-1 map = 100%, reduce = 0%, Cumulative CPU4.01 sec 2017-01-12 12:27:59,130 Stage-1 map = 100%, reduce = 100%, Cumulative CPU7.86 sec MapReduce Total cumulative CPU time: 7 seconds 860 msec Ended Job = job_1484051373423_1338 MapReduce Jobs Launched: Stage-Stage-1: Map: 1 Reduce: 1 Cumulative CPU: 7.86 sec HDFS Read: 0 HDFS Write: 0 SUCCESS Total MapReduce CPU Time Spent: 7 seconds 860 msec OK 2302 Time taken: 47.764 seconds, Fetched: 1 row(s) hive> create database test; Authorization failed:No privilege 'Create' found for outputs { }. Use SHOWGRANT to get more details.
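Steps 1 to 6 above are one procedure: create the OS account on the gateway, create it on every NodeManager, grant SELECT, and then discover at run time whether a node was missed. The following is an added example, not code from the original write-up: it generates the commands in the order the steps apply them (with an idempotent per-node useradd, which is my change to the page's command), and parses the two outputs a practitioner looks at when step 6 fails, the Ansible result of an `id <user>` check and the YARN application diagnostics. The Ansible group name, the host list and both output samples are constructed; nothing here invokes hive, hadoop or ansible.

```python
"""Added example (not from the original post): plan the read-only Hive user
provisioning from steps 1-6 and recognise the step-6 failure mode.

Assumptions (mine, not the page's): the Ansible group name, the host names and
the Ansible/YARN output below are constructed samples; the functions only
generate commands and parse text, they do not run anything.
"""
import re
import shlex
from typing import Dict, List, Optional

# POSIX-style account names; anything else would need quoting in useradd and
# in the GRANT statement, so refuse it rather than interpolate it.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# One header line per host in `ansible <group> -m shell ...` output.
ANSIBLE_HEADER = re.compile(r"^(\S+) \| (SUCCESS|FAILED) \| rc=(\d+) >>", re.M)

# The NodeManager-side failure quoted in step 6.
YARN_USER_NOT_FOUND = re.compile(
    r"initialization failed\s*\(exitCode=(\d+)\) with output: User (\S+) not found")


def validate_name(name: str) -> bool:
    return bool(USERNAME_RE.match(name))


def provisioning_commands(user: str, database: str, node_group: str) -> List[str]:
    """Commands in the order the page applies them: account on the gateway,
    account without a login shell on every NodeManager, the grant, and a
    SHOW GRANT to confirm it. The grant commands must run as the admin user."""
    if not (validate_name(user) and validate_name(database)):
        raise ValueError("refusing unsafe user or database name")
    node_cmd = f"id {user} || useradd -s /sbin/nologin {user}"  # safe to re-run
    grant = f"GRANT SELECT ON DATABASE {database} TO USER {user};"
    show = f"SHOW GRANT USER {user} ON DATABASE {database};"
    return [
        f"useradd {user}",  # gateway: this account does need a shell to run hive
        f"ansible {node_group} -m shell -a {shlex.quote(node_cmd)}",
        f"hive -e {shlex.quote(grant)}",
        f"hive -e {shlex.quote(show)}",
    ]


def hosts_missing_user(ansible_output: str, expected_hosts: List[str]) -> List[str]:
    """From the output of `ansible <group> -m shell -a 'id <user>'`, return the
    hosts where the account is absent (rc != 0) or which did not report at all."""
    status: Dict[str, bool] = {}
    for host, _, rc in ANSIBLE_HEADER.findall(ansible_output):
        status[host] = rc == "0"
    return sorted(h for h in expected_hosts if not status.get(h, False))


def missing_user_from_yarn(diagnostics: str) -> Optional[str]:
    """Return the account YARN could not resolve on a NodeManager, or None if
    the diagnostics describe some other failure."""
    m = YARN_USER_NOT_FOUND.search(diagnostics)
    return m.group(2) if m else None


# Constructed sample: `ansible amosDnNodes -m shell -a 'id mcduser1'` after the
# account was created on only some of the nodes.
SAMPLE_ID_CHECK = """\
mcddmpnode01 | SUCCESS | rc=0 >>
uid=1005(mcduser1) gid=1005(mcduser1) groups=1005(mcduser1)

mcddmpnode02 | FAILED | rc=1 >>
id: mcduser1: No such user

mcddmpnode03 | SUCCESS | rc=0 >>
uid=1005(mcduser1) gid=1005(mcduser1) groups=1005(mcduser1)
"""
NODES = ["mcddmpnode01", "mcddmpnode02", "mcddmpnode03", "mcddmpnode04"]

# Constructed sample modelled on the diagnostics quoted in step 6.
SAMPLE_DIAG = ("Diagnostics: Application application_1484125831039_0001 initialization "
               "failed(exitCode=255) with output: User mcduser1 not found")

if __name__ == "__main__":
    for cmd in provisioning_commands("mcduser1", "dmp", "amosDnNodes"):
        print(cmd)
    print("account missing on:", hosts_missing_user(SAMPLE_ID_CHECK, NODES))
    print("YARN could not resolve user:", missing_user_from_yarn(SAMPLE_DIAG))
```

Running the `id` check through Ansible before the first query is cheaper than reading YARN diagnostics after three failed attempts; a host that is unreachable produces no `rc=` header and is reported as missing on purpose, since you cannot know its state.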
7. As for users' Hive operation logs, they are currently recorded in the .hivehistory file in each user's home directory, i.e. /home/$user/.hivehistory.
For example, the Hive CLI commands run by mcduser1 are logged in /home/mcduser1/.hivehistory. Because that file lives in the user's own home directory and is writable by them, it is a convenience record rather than an audit trail.
8. One problem remains: an ordinary user can grant privileges themselves. I have not found a proper fix for this yet; it may need the developers to write a hook. This is a documented limitation of Hive's legacy (default) authorization mode, which does not restrict who may run GRANT and is not designed to stop deliberate abuse; the supported ways to restrict granting are SQL standard-based authorization in HiveServer2 (hive.security.authorization.manager set to SQLStdHiveAuthorizerFactory, with the admin users listed in hive.users.in.admin.role) or an external authorizer such as Apache Ranger or Sentry.
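The two weak spots this write-up leaves open are the world-writable warehouse from step 3 and the legacy authorizer behind the "ordinary users can GRANT" problem in step 8. The following is an added example, not code from the original post: a small audit that parses hive-site.xml, reports whether authorization is on, whether the legacy authorizer is still in effect, and whether the warehouse directory listing shows other-write access. The XML fragments and the `hadoop fs -ls -d` lines are constructed samples; the Hive property names and class names are the real ones, the rest is assumed.

```python
"""Added example (not from the original post): audit the hive-site.xml settings
this write-up turns on and flag what they leave open.

The XML and the `hadoop fs -ls -d` lines below are constructed samples.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

LEGACY_AUTHORIZER = ("org.apache.hadoop.hive.ql.security.authorization."
                     "DefaultHiveAuthorizationProvider")
SQLSTD_AUTHORIZER = ("org.apache.hadoop.hive.ql.security.authorization.plugin."
                     "sqlstd.SQLStdHiveAuthorizerFactory")


def parse_hive_site(xml_text: str) -> Dict[str, str]:
    """Flatten <property><name>/<value> pairs into a dict."""
    props: Dict[str, str] = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(props: Dict[str, str], warehouse_ls_line: str) -> List[str]:
    """Return findings; an empty list means the read-only setup holds up."""
    findings: List[str] = []
    if props.get("hive.security.authorization.enabled", "false").lower() != "true":
        findings.append("authorization disabled: every user can CREATE and DROP")
    # hive.security.authorization.manager defaults to the legacy provider when
    # unset; in that mode GRANT/REVOKE is not limited to admins or object owners.
    manager = props.get("hive.security.authorization.manager", LEGACY_AUTHORIZER)
    if manager == LEGACY_AUTHORIZER:
        findings.append("legacy authorizer: any user can GRANT themselves privileges; "
                        "use SQL standard authorization or an external plugin")
    # `hadoop fs -ls -d /user/hive/warehouse` prints the mode in the first column.
    mode = warehouse_ls_line.split()[0]  # e.g. drwxrwxrwx
    if len(mode) >= 10 and mode[8] == "w":
        findings.append("warehouse is world-writable in HDFS: any HDFS client can "
                        "modify table files without going through Hive")
    return findings


# Constructed sample: what step 4 leaves you with (authorization on, legacy mode).
PAGE_CONFIG = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.createtable.owner.grants</name><value>ALL</value></property>
</configuration>"""

# Constructed sample: the same file moved to SQL standard authorization under
# HiveServer2, where only admin-role users can GRANT on objects they do not own.
HARDENED_CONFIG = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value></property>
  <property><name>hive.security.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value></property>
  <property><name>hive.users.in.admin.role</name><value>amos</value></property>
</configuration>"""

# Constructed `hadoop fs -ls -d` lines: the step-3 state and a tightened one.
WAREHOUSE_777 = "drwxrwxrwx   - hive supergroup          0 2017-01-12 12:27 /user/hive/warehouse"
WAREHOUSE_TIGHT = "drwxrwx---   - hive hive               0 2017-01-12 12:27 /user/hive/warehouse"

if __name__ == "__main__":
    for label, cfg, ls in (("page setup", PAGE_CONFIG, WAREHOUSE_777),
                           ("hardened", HARDENED_CONFIG, WAREHOUSE_TIGHT)):
        print(label, audit(parse_hive_site(cfg), ls) or ["no findings"])
```

The hardened configuration only makes sense when queries run as the Hive service user (hive.server2.enable.doAs=false) so the warehouse can be owned by that account instead of being opened to everyone; with the Hive CLI and world-writable HDFS directories, as in the original setup, the GRANT restriction alone does not protect the data.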