hive有两种类型的权限控制方式:

一、Storage Based Authorization in the Metastore Server

metastore元数据的形式访问hive数据,这类有MapReduce,Impala,Pig,Spark SQL,Hive Command line等方式

       其实是通过hdfs(Hadoop File System)文件系统控制-d-r-w等权限来实现,这里需要借助hdfs setfacl命令

hive 权限查询 hive查看权限_ci

       1)在hive-site.xml配置文件里配置如下选项

<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>
  <description>authorization manager class name to be used in the metastore for authorization.
  The user defined authorization class should implement interface
  org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider.
  </description>
 </property>
 
<property>
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  <description>authenticator manager class name to be used in the metastore for authentication.
  The user defined authenticator should implement interface 
  org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.
  </description>
</property>
 
<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value> </value>
  <description>pre-event listener classes to be loaded on the metastore side to run code
  whenever databases, tables, and partitions are created, altered, or dropped.
  Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
  if metastore-side authorization is desired.
  </description>
</property>

    2)使用setfacl为用户在hive数仓路径分配权限

    2.1) 创建一个新用户 test

hdfs dfs -mkdir /user/test

    2.2)分配权限用户组  用户组:用户  

hdfs dfs -chown test:test /user/test

   2.3)查看详情

hdfs dfs -ls /user/test


drwxr-xr-x   - test      test               0 2020-07-14 15:06 /user/test

  2.4)授予test对warehouse文件夹rwx权限

hadoop fs -setfacl -m user:test:rwx /user/hive/warehouse

 2.5)授予hivegrp对warehouse文件夹rwx权限

hadoo fs -setfacl -m group:hivegrp:rwx /user/hive/warehouse

二、SQL Standards Based Authorization in HiveServer2

      通过hiveserver2的方式访问hive数据,默认提供两种角色:public和admin,所有用户默认属于角色public,而授权则必须是具有角色admin的用户才可以完成(普通用户仅可以将自己获得的权限授权给其它用户),因此我们必须添加至少一个用户拥有角色admin

  1)通过在hive-site.xml中配置获得admin权限,hive配置项

 

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
</property>
<property>
  <name>hive.security.authorization.task.factory</name>
 <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
<property>
  <name>hive.users.in.admin.role</name>
  <value>hdfs</value>
</property>

含义分别是开启权限验证;表的创建者对表拥有所有权限

hive.security.authorization.createtable.owner.grants默认值为NULL,所以表的创建者无法访问该表,这明显是不合理的。

Hive授权的核心就是用户、组、角色。

Hive中的角色和平常我们认知的角色是有区别的。Hive中的角色可以理解为一部分有一些相同“属性”的用户或组或角色的集合。这里有个递归的概念,就是一个角色可以是一些角色的集合。

用户


角色

张三

group1

admin

李四

group2

test

2)创建/删除角色命令用户和组使用的是Linux机器上的用户和组,而角色必须自己(hive)创建。

#获取管理员权限
set role admin;

#查看当前创建的所有role
show roles;

#新建角色 tests
create role tests;

#删除角色 tests
drop role tests;

3)授权/移除权限命令

grant/revoke:

GRANT ROLE role_name [, role_name] ... TO principal_specification [, principal_specification] ... 

REVOKE ROLE role_name [, role_name] ... FROM principal_specification [, principal_specification] ... 


principal_specification   :

USER user   | GROUP group   | ROLE role 

eg:
grant role outs to user out_user; 

show role grant user yinxiu; 

result:
hive> show role grant  user out_user;
OK
admin   false   1594783028000   hadoop
outs    false   1594712987000   hadoop
public  false   0
Time taken: 0.145 seconds, Fetched: 3 row(s)

HIVE支持以下权限:

权限名称

含义

ALL

所有权限

ALTER

允许修改元数据(modify metadata data of object)---表信息数据

UPDATE

允许修改物理数据(modify physical data of object)---实际数据

CREATE

允许进行Create操作

DROP

允许进行DROP操作

INDEX

允许建索引(目前还没有实现)

LOCK

当出现并发的使用允许用户进行LOCK和UNLOCK操作

SELECT

允许用户进行SELECT操作

SHOW_DATABASE

允许用户查看可用的数据库

常用的:ALL、CREATE、SELECT(目前只使这三种)

GRANT\REVOKE:

GRANT     priv_type [(column_list)]       [, priv_type [(column_list)]] ...     [ON object_type]     TO principal_specification [, principal_specification] ...     [WITH GRANT OPTION] 

REVOKE     priv_type [(column_list)]       [, priv_type [(column_list)]] ...     [ON object_type priv_level]     FROM principal_specification [, principal_specification] ... 

REVOKE ALL PRIVILEGES, GRANT OPTION     FROM user [, user] ...  



object_type:    TABLE   | DATABASE  

priv_level:    db_name   | tbl_name 


eg:
grant select on database default to user out_user;

revoke all on database default from user out_user;

4)查看授权用户

查看权限:

SHOW GRANT principal_specification [ON object_type priv_level [(column_list)]] 

HIVE操作和权限之间的关系

As of the release of Hive 0.7, only these operations require permissions, according to org.apache.hadoop.hive.ql.plan.HiveOperation:

Operation

ALTER

UPDATE

CREATE

DROP

INDEX

LOCK

SELECT

SHOW_DATABASE

LOAD

 


 

 

 

 

 

 

EXPORT

 

 

 

 

 

 


 

IMPORT



 

 

 

 

 

 

CREATE TABLE

 

 


 

 

 

 

 

CREATE TABLE AS SELECT

 


 

 

 

 


 

DROP TABLE

 

 

 


 

 

 

 

SELECT

 

 

 

 

 

 


 

ALTER TABLE ADD COLUMN


 

 

 

 

 

 

 

ALTER TABLE REPLACE COLUMN


 

 

 

 

 

 

 

ALTER TABLE RENAME


 

 

 

 

 

 

 

ALTER TABLE ADD PARTITION

 

 


 

 

 

 

 

ALTER TABLE DROP PARTITION

 

 

 


 

 

 

 

ALTER TABLE ARCHIVE

 


 

 

 

 

 

 

ALTER TABLE UNARCHIVE

 


 

 

 

 

 

 

ALTER TABLE SET PROPERTIES


 

 

 

 

 

 

 

ALTER TABLE SET SERDE


 

 

 

 

 

 

 

ALTER TABLE SET SERDEPROPERTIES


 

 

 

 

 

 

 

ALTER TABLE CLUSTER BY


 

 

 

 

 

 

 

ALTER TABLE PROTECT MODE


 

 

 

 

 

 

 

ALTER PARTITION PROTECT MODE


 

 

 

 

 

 

 

ALTER TABLE SET FILEFORMAT


 

 

 

 

 

 

 

ALTER TABLE SET LOCATION

 


 

 

 

 

 

 

ALTER PARTITION SET LOCATION

 


 

 

 

 

 

 

ALTER TABLE CONCATENATE

 


 

 

 

 

 

 

ALTER PARTITION CONCATENATE

 


 

 

 

 

 

 

SHOW DATABASE

 

 

 

 

 

 

 


LOCK TABLE

 

 

 

 

 


 

 

UNLOCK TABLE

 

 

 

 

 


 

 

eg:
show grant user out_user on database default;

result:
  1594696143000   hadoop
db_apps                         out_user        USER    SELECT  false   
Time taken: 0.031 seconds, Fetched: 1 row(s)

5)主要命令如下,记住即可:

grant select on database 数据库 to 用户名;
eg: grant select on database db_source to user zhangsan;
check eg: show grant user zhangsan on database db_source;

grant select on table 表名 to 用户名;
eg: grant select on table db_source.xx_xx_log_d to  user zhangsan; //没写db_source就是default
check eg: show grant user zhangsan on table db_source.xx_xx_log_d;


grant select on database 数据库 to  role  admin;
eg: grant select on database db_source to role admin;
check eg: show grant role admin on database db_source;

grant select on table 表名 to role  admin;
eg: grant select on table db_source.xx_xx_log_d to  role admin; //没写db_source就是default
check eg: show grant role admin on table db_source.xx_xx_log_d;

拓展beeline 直接测试:

 

beeline -u 'jdbc:hive2://192.168.10.1:2181,192.168.10.2:2181,192.168.10.3:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2' -n zhangsan --outputformat=tsv2 --showHeader=false
beeline -u 'jdbc:hive2://192.168.10.1:2181,192.168.10.2:2181,192.168.10.3:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2' -n hadoop --outputformat=tsv2 --showHeader=false