Sentry Authorization Security for Big Data Clusters

  Although HDFS authorization and ACL-based service-level authorization play a crucial part in authorizing Hadoop users, Hadoop has no overall authorization system. Kerberos provides the authentication security of a big data cluster. This post covers the authorization security of a big data cluster. Authentication decides who may access the cluster; authorization decides what the people who may access the cluster (that is, those who have passed authentication) are allowed to do.

  Apache Sentry tries to provide a unified way of doing authorization in a Hadoop environment, so that a Hadoop administrator can specify precisely which operations a user may perform in the Hadoop system. Sentry's role-based access system lets administrators control user access at a fine-grained level. To set up fine-grained authorization in the cluster, the data must be classified, and the users who need access to a particular data set, together with the level of access they need, must be specified. Hive and Sentry can be used together to specify fine-grained authorization.

I. Sentry basics

1. What is Sentry

Apache Sentry provides fine-grained, role-based authorization for data stored in HDFS.
    Sentry provides role-based access control (RBAC) for HDFS data.
    Sentry currently integrates well with Apache Hive, the Hive Metastore/HCatalog, Apache Solr, Impala and HDFS.
    Sentry is designed as a pluggable authorization engine for Hadoop components. It lets users define authorization rules that validate a user's or application's access requests for Hadoop resources. Sentry is highly modular and can support authorization for the various data models in Hadoop.

2. Sentry concepts

Authentication
  Verifying credentials in order to reliably identify a user

Authorization
  Restricting a user's access to a given resource

User
  An individual identified by the underlying authentication system

Group
  A set of users, managed by the authentication system

Privilege
  An instruction or rule that permits access to an object

Role
  A set of privileges, or a template containing multiple access rules

Authorization models
  Define the objects that are subject to authorization rules and the granularity of the permitted operations. In the SQL model, for example, an object can be a database or a table and an operation can be SELECT, INSERT or CREATE. In the Search model, an object can be an index, a configuration, a collection or a document, and an operation can be query or update.

3. Three components take part in the authorization process

Sentry Server:
    The Sentry RPC server manages the authorization metadata. It exposes secure interfaces for retrieving and manipulating that metadata. In CDH 5.13 and later, several Sentry Servers can be configured for high availability.

Data Engine:
  A data-processing application, such as Hive or Impala, that needs authorized access to data or metadata resources. The Data Engine loads the Sentry Plugin; every client request that accesses a resource is intercepted and routed to the Sentry Plugin for validation.

Sentry Plugin:
  Runs inside the Data Engine. It provides the interfaces for working with the authorization metadata stored in the Sentry Server, and contains the authorization policy engine that evaluates access requests using the authorization metadata retrieved from the server.

4. How Sentry's authorization control works

Sentry relies on the underlying authentication system, such as Kerberos or LDAP, to identify users. It also uses the group-mapping mechanism configured in Hadoop, so that Sentry and the other Hadoop components see the same group mapping.
    Sentry uses role-based access control (RBAC), a powerful mechanism for managing authorization for large numbers of users and data objects within an enterprise. When a new user is created, you only need to add the user to the designated group for the user to acquire the roles that the group holds.

    Sentry's authorization control process is therefore:
    1. When creating a user, assign the user to a group.
    2. Create a Sentry role.
    3. Grant one or more fine-grained privileges to the role.
    4. Grant one or more roles to the group. The users in that group then hold the privileges that correspond to those roles.
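The four steps above, worked through in code. This is an added example and not part of the original post or of Sentry itself: a small Python model of the user -> group -> role -> privilege resolution that reuses the roles and groups created later in this post (admin for the hive group, reads for selector, writes for inserter) and the privilege syntax that HiveServer2 prints in its "No valid privileges" errors. The matching rules (a broader scope covers everything below it, all covers every action, * in a requirement matches anything and + matches any concrete object) and the user-to-group mapping are assumptions of the model, not Sentry's exact implementation; the REVOKE statements of the post are left out because the freshly created roles hold nothing to revoke.

```python
"""Toy model of the Sentry decision path: user -> group -> role -> privilege.
Added, constructed example; not Sentry's code. Matching rules are a simplifying
assumption: a privilege at a broader level covers everything beneath it, "all"
covers every action, "*" in a requirement matches anything, "+" any concrete object."""
from typing import Dict, List, Set

LEVELS = ["server", "db", "table", "column"]
KEYS = {"Server": "server", "Db": "db", "Table": "table", "Column": "column", "action": "action"}


def parse_privilege(text: str) -> dict:
    """Parse 'Server=server1->Db=default->action=select' (the syntax in the HS2 errors)."""
    priv = {}
    for part in text.split("->"):
        key, _, value = part.partition("=")
        if key.strip() not in KEYS or not value.strip():
            raise ValueError(f"bad privilege fragment: {part!r}")
        priv[KEYS[key.strip()]] = value.strip().lower()
    if "server" not in priv or "action" not in priv:
        raise ValueError("a privilege needs at least Server and action")
    return priv


def privilege_covers(priv: dict, req: dict) -> bool:
    """Does one granted privilege satisfy one required privilege?"""
    if priv["action"] not in ("all", req["action"]):
        return False
    for level in LEVELS:
        if level not in priv:
            return True              # broader scope: covers everything below it
        if level not in req:
            return False             # privilege is narrower than the request
        if req[level] not in ("*", "+") and priv[level] not in ("*", req[level]):
            return False
    return True


class SentryPolicy:
    """In-memory stand-in for the authorization metadata kept by the Sentry Server."""

    def __init__(self, group_mapping: Dict[str, Set[str]]):
        # user -> OS groups. Sentry takes this from Hadoop's group mapping, which is
        # why the groups must exist on the cluster nodes (see section III, step 1).
        self.group_mapping = group_mapping
        self.role_privileges: Dict[str, List[dict]] = {}
        self.group_roles: Dict[str, Set[str]] = {}

    def create_role(self, role: str) -> None:
        self.role_privileges.setdefault(role, [])

    def grant(self, privilege: str, role: str) -> None:
        self.role_privileges[role].append(parse_privilege(privilege))

    def grant_role(self, role: str, group: str) -> None:
        if role not in self.role_privileges:
            raise KeyError(f"unknown role {role}")
        self.group_roles.setdefault(group, set()).add(role)

    def privileges_of(self, user: str) -> List[dict]:
        """Resolve user -> groups -> roles -> privileges."""
        return [p for g in self.group_mapping.get(user, set())
                for r in self.group_roles.get(g, set()) for p in self.role_privileges[r]]

    def authorize(self, user: str, required: str) -> bool:
        """True if any ';'-separated alternative of the requirement is covered."""
        alternatives = [parse_privilege(a) for a in required.split(";") if a.strip()]
        return any(privilege_covers(p, r) for r in alternatives for p in self.privileges_of(user))


# The requirement HiveServer2 printed for SWITCHDATABASE (USE <db>) in this post.
SWITCHDATABASE = ("Server=server1->Db=*->Table=+->Column=*->action=select;"
                  "Server=server1->Db=*->Table=+->Column=*->action=insert")


def build_policy_from_post() -> SentryPolicy:
    """Replay the post's GRANT statements against the model."""
    # Constructed group mapping; rabin exists only in the KDC and has no OS group.
    mapping = {"hive": {"hive"}, "cdh001": {"selector"}, "lisi": {"inserter"}, "rabin": set()}
    policy = SentryPolicy(mapping)
    policy.create_role("admin")
    policy.grant("Server=server1->action=all", "admin")
    policy.grant_role("admin", "hive")
    policy.create_role("reads")
    policy.grant("Server=server1->Db=default->action=select", "reads")
    policy.grant_role("reads", "selector")
    policy.create_role("writes")
    policy.grant("Server=server1->Db=default->Table=sample_08->action=all", "writes")
    policy.grant_role("writes", "inserter")
    return policy


if __name__ == "__main__":
    policy = build_policy_from_post()
    for user in ("hive", "cdh001", "lisi", "rabin"):
        print(f"{user:7} USE default -> {policy.authorize(user, SWITCHDATABASE)}")
```

Run as a script it prints whether each user may USE default. In the model, rabin is denied although all three roles exist, because privileges are reached only through the group mapping: a principal that has no OS group on the HiveServer2 host resolves to no roles at all. The model also shows why the writes role, scoped to one table, does not satisfy a database-level requirement, while the admin role, scoped to the server, satisfies everything beneath it.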

II. Configuring Sentry

1. Add name resolution for the virtual hosts

On the local machine, add the IP address and hostname of each server.

2. Import test data in Hue

For details, see:

3. Add the Sentry service

For details, see:

III. A worked Sentry authorization configuration

1. Create the corresponding users and groups on every node of the cluster

[root@hexindai-c12-124 ~]# groupadd inserter
[root@hexindai-c12-124 ~]# useradd -u 1005 -g selector cdh001
[root@hexindai-c12-124 ~]# useradd -u 1006 -g inserter lisi
[root@hexindai-c12-124 ~]#
#It is recommended that user uids be greater than 1000, because with YARN's default configuration uids below 1000 are not allowed to submit jobs!
#Note: this has to be run on every node.
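An added check for this step, not part of the original post: a Python audit that parses /etc/passwd and /etc/group collected from each node and confirms that every expected user exists with a uid above the YARN threshold and with the same group membership on all nodes, since Sentry resolves roles through that group mapping. The file contents, node names and expected mapping (cdh001 in selector, lisi in inserter) are constructed; the example assumes the selector group already existed, because the transcript above only shows groupadd inserter.

```python
"""Audit that the OS users and groups Sentry's group mapping depends on are identical
on every node. Added, constructed example (not the post's or Sentry's code): the
/etc/passwd and /etc/group contents below are made up to mirror the post's users
(cdh001 in selector, lisi in inserter) plus one node where the setup went wrong."""
from typing import Dict, List, Set, Tuple

MIN_UID = 1000  # per the post: YARN's default configuration rejects uids below 1000


def parse_passwd(text: str) -> Dict[str, dict]:
    """name -> {uid, gid} from /etc/passwd lines."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, _shell = line.split(":", 6)
            users[name] = {"uid": int(uid), "gid": int(gid)}
    return users


def parse_group(text: str) -> Dict[str, dict]:
    """name -> {gid, members} from /etc/group lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def groups_of(user: str, users: Dict[str, dict], groups: Dict[str, dict]) -> Set[str]:
    """Primary group plus supplementary memberships, as `id -Gn <user>` would list them."""
    gid = users[user]["gid"]
    return {name for name, g in groups.items() if g["gid"] == gid or user in g["members"]}


def check_node(node: str, passwd: str, group: str, expected: Dict[str, Set[str]]) -> List[str]:
    """Return one finding per deviation of this node from the expected user/group layout."""
    users, groups = parse_passwd(passwd), parse_group(group)
    findings = []
    for user, wanted in expected.items():
        if user not in users:
            findings.append(f"{node}: user {user} does not exist")
            continue
        uid = users[user]["uid"]
        if uid < MIN_UID:
            findings.append(f"{node}: {user} has uid {uid} < {MIN_UID}; YARN will refuse its jobs")
        actual = groups_of(user, users, groups)
        if actual != wanted:
            findings.append(f"{node}: {user} is in {sorted(actual)}, expected {sorted(wanted)}")
    return findings


def audit_cluster(nodes: Dict[str, Tuple[str, str]],
                  expected: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """node -> findings; an empty list means the node matches the expectation."""
    return {node: check_node(node, passwd, group, expected) for node, (passwd, group) in nodes.items()}


# Constructed sample files. node-a was set up as in the post; on node-b the
# inserter group was never created, cdh001 got a low uid and lisi landed in `users`.
GOOD_PASSWD = """root:x:0:0:root:/root:/bin/bash
cdh001:x:1005:1001::/home/cdh001:/bin/bash
lisi:x:1006:1002::/home/lisi:/bin/bash
"""
GOOD_GROUP = """root:x:0:
selector:x:1001:
inserter:x:1002:
"""
BAD_PASSWD = """root:x:0:0:root:/root:/bin/bash
cdh001:x:500:1001::/home/cdh001:/bin/bash
lisi:x:1006:100::/home/lisi:/bin/bash
"""
BAD_GROUP = """root:x:0:
users:x:100:
selector:x:1001:
"""
EXPECTED = {"cdh001": {"selector"}, "lisi": {"inserter"}}
SAMPLE_NODES = {"node-a": (GOOD_PASSWD, GOOD_GROUP), "node-b": (BAD_PASSWD, BAD_GROUP)}

if __name__ == "__main__":
    for node, findings in audit_cluster(SAMPLE_NODES, EXPECTED).items():
        print(node, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

On a real cluster the two files would be collected from each node (for example over ssh) and passed in place of the constructed strings; a non-empty finding list for any node means that node will hand Sentry a different group mapping than the others, which shows up later as an unexplained "No valid privileges" error for a user who is supposedly in the right group.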

2. Authenticate with Kerberos

To enable Kerberos, see:
[root@hexindai-c12-126 ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@hexindai-c12-126 ~]# 
[root@hexindai-c12-126 ~]# find / -name hive.keytab
/run/cloudera-scm-agent/process/535-hive-HIVEMETASTORE/hive.keytab
/run/cloudera-scm-agent/process/515-hive-HIVEMETASTORE/hive.keytab
/run/cloudera-scm-agent/process/493-hive-HIVEMETASTORE/hive.keytab
/run/cloudera-scm-agent/process/469-hive-HIVEMETASTORE/hive.keytab
[root@hexindai-c12-126 ~]#
[root@hexindai-c12-126 ~]# kinit -kt /run/cloudera-scm-agent/process/535-hive-HIVEMETASTORE/hive.keytab hive/hexindai-c12-126@HXD.COM  #authenticate with the keytab
[root@hexindai-c12-126 ~]# 
[root@hexindai-c12-126 ~]# klist  #if the command prints a ticket, authentication succeeded!
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hive/hexindai-c12-126@HXD.COM

Valid starting       Expires              Service principal
07/23/2019 21:53:22  07/24/2019 21:53:21  krbtgt/HXD.COM@HXD.COM
        renew until 07/30/2019 21:53:21
[root@hexindai-c12-126 ~]#

3. After Kerberos authentication, log in to Hive with the Beeline tool

#HiveServer2 runs on node 127, so connect to 127
[root@hexindai-c12-126 ~]# beeline 
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Beeline version 1.1.0-cdh5.15.1 by Apache Hive
beeline> !connect jdbc:hive2://hexindai-c12-127:10000/default;principal=hive/hexindai-c12-127@HXD.COM
scan complete in 19ms
Connecting to jdbc:hive2://hexindai-c12-127:10000/default;principal=hive/hexindai-c12-127@HXD.COM
Connected to: Apache Hive (version 1.1.0-cdh5.15.1)
Driver: Hive JDBC (version 1.1.0-cdh5.15.1)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://hexindai-c12-127:10000/defaul> use default;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User hive does not have privileges for SWITCHDATABASE
 The required privileges: Server=server1->Db=*->Table=+->Column=*->action=select;Server=server1->Db=*->Table=+->Column=*->action=insert; (state=42000,code=40000)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> USE default;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User hive does not have privileges for SWITCHDATABASE
 The required privileges: Server=server1->Db=*->Table=+->Column=*->action=select;Server=server1->Db=*->Table=+->Column=*->action=insert; (state=42000,code=40000)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> SHOW TABLES;
INFO  : Compiling command(queryId=hive_20190723220808_63db8234-bf27-4d65-a9da-42d66684c91d): SHOW TABLES
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:tab_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20190723220808_63db8234-bf27-4d65-a9da-42d66684c91d); Time taken: 0.45 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723220808_63db8234-bf27-4d65-a9da-42d66684c91d): SHOW TABLES
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723220808_63db8234-bf27-4d65-a9da-42d66684c91d); Time taken: 0.287 seconds
INFO  : OK
+-----------+--+
| tab_name  |
+-----------+--+
+-----------+--+
No rows selected (0.957 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> 
0: jdbc:hive2://hexindai-c12-127:10000/defaul> show databases;
INFO  : Compiling command(queryId=hive_20190723221313_08cd857e-01ae-47cd-b09c-2c0414b4a527): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20190723221313_08cd857e-01ae-47cd-b09c-2c0414b4a527); Time taken: 0.154 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723221313_08cd857e-01ae-47cd-b09c-2c0414b4a527): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723221313_08cd857e-01ae-47cd-b09c-2c0414b4a527); Time taken: 0.155 seconds
INFO  : OK
+----------------+--+
| database_name  |
+----------------+--+
| default        |
+----------------+--+
1 row selected (0.369 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul>

4. Create the admin role and grant it to the hive group

0: jdbc:hive2://hexindai-c12-127:10000/defaul> create role admin;
INFO  : Compiling command(queryId=hive_20190723221717_2de3d484-f8c3-4cd2-a53e-b85069ad40d9): create role admin
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20190723221717_2de3d484-f8c3-4cd2-a53e-b85069ad40d9); Time taken: 0.138 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723221717_2de3d484-f8c3-4cd2-a53e-b85069ad40d9): create role admin
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723221717_2de3d484-f8c3-4cd2-a53e-b85069ad40d9); Time taken: 0.084 seconds
INFO  : OK
No rows affected (0.225 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> 
0: jdbc:hive2://hexindai-c12-127:10000/defaul> grant all on server server1 to role admin;
INFO  : Compiling command(queryId=hive_20190723221818_ac09ced0-65d1-4df0-9f89-ccda303d996d): grant all on server server1 to role admin
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20190723221818_ac09ced0-65d1-4df0-9f89-ccda303d996d); Time taken: 0.112 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723221818_ac09ced0-65d1-4df0-9f89-ccda303d996d): grant all on server server1 to role admin
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723221818_ac09ced0-65d1-4df0-9f89-ccda303d996d); Time taken: 0.156 seconds
INFO  : OK
No rows affected (0.295 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> 
0: jdbc:hive2://hexindai-c12-127:10000/defaul> 
0: jdbc:hive2://hexindai-c12-127:10000/defaul> grant role admin to group hive;
INFO  : Compiling command(queryId=hive_20190723221818_422cf9dd-4d9b-44a2-8162-38b4da2e79e5): grant role admin to group hive
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20190723221818_422cf9dd-4d9b-44a2-8162-38b4da2e79e5); Time taken: 0.149 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723221818_422cf9dd-4d9b-44a2-8162-38b4da2e79e5): grant role admin to group hive
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723221818_422cf9dd-4d9b-44a2-8162-38b4da2e79e5); Time taken: 0.104 seconds
INFO  : OK
No rows affected (0.252 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> 
0: jdbc:hive2://hexindai-c12-127:10000/defaul>

5. Create the reads role (read access to the test data generated earlier with Hue in the default database) and grant it to the selector group

0: jdbc:hive2://hexindai-c12-127:10000/defaul> create role reads;
INFO  : Compiling command(queryId=hive_20190723222020_d07c4f97-841e-452c-9f2b-dd2d7f3ac76e): create role reads
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20190723222020_d07c4f97-841e-452c-9f2b-dd2d7f3ac76e); Time taken: 0.083 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723222020_d07c4f97-841e-452c-9f2b-dd2d7f3ac76e): create role reads
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723222020_d07c4f97-841e-452c-9f2b-dd2d7f3ac76e); Time taken: 0.087 seconds
INFO  : OK
No rows affected (0.192 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> revoke all on database default from role reads;
INFO  : Compiling command(queryId=hive_20190723222121_d69ab26d-1ed2-495e-99b5-47e331bda2d7): revoke all on database default from role reads
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20190723222121_d69ab26d-1ed2-495e-99b5-47e331bda2d7); Time taken: 0.112 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723222121_d69ab26d-1ed2-495e-99b5-47e331bda2d7): revoke all on database default from role reads
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723222121_d69ab26d-1ed2-495e-99b5-47e331bda2d7); Time taken: 0.055 seconds
INFO  : OK
No rows affected (0.166 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> 
0: jdbc:hive2://hexindai-c12-127:10000/defaul> 
0: jdbc:hive2://hexindai-c12-127:10000/defaul> grant select on database default to role reads;
INFO  : Compiling command(queryId=hive_20190723222121_06cb1845-a798-4bdb-b99e-38d9babf3782): grant select on database default to role reads
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20190723222121_06cb1845-a798-4bdb-b99e-38d9babf3782); Time taken: 0.061 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723222121_06cb1845-a798-4bdb-b99e-38d9babf3782): grant select on database default to role reads
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723222121_06cb1845-a798-4bdb-b99e-38d9babf3782); Time taken: 0.054 seconds
INFO  : OK
No rows affected (0.125 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> grant role reads to group selector;
INFO  : Compiling command(queryId=hive_20190723222222_e6b9af19-d713-43bc-96d7-7f88740612fb): grant role reads to group selector
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20190723222222_e6b9af19-d713-43bc-96d7-7f88740612fb); Time taken: 0.109 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723222222_e6b9af19-d713-43bc-96d7-7f88740612fb): grant role reads to group selector
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723222222_e6b9af19-d713-43bc-96d7-7f88740612fb); Time taken: 0.017 seconds
INFO  : OK
No rows affected (0.127 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> 
0: jdbc:hive2://hexindai-c12-127:10000/defaul>

6. Create the writes role (read and write access to the sample_08 table in the default database) and grant it to the inserter group

0: jdbc:hive2://hexindai-c12-127:10000/defaul> 
0: jdbc:hive2://hexindai-c12-127:10000/defaul> create role writes;
INFO  : Compiling command(queryId=hive_20190723222525_e2205b27-b6ed-4a5d-ab0b-760ad5617845): create role writes
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20190723222525_e2205b27-b6ed-4a5d-ab0b-760ad5617845); Time taken: 0.065 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723222525_e2205b27-b6ed-4a5d-ab0b-760ad5617845): create role writes
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723222525_e2205b27-b6ed-4a5d-ab0b-760ad5617845); Time taken: 0.1 seconds
INFO  : OK
No rows affected (0.181 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> revoke all on database default from role writes;
INFO  : Compiling command(queryId=hive_20190723222626_ec3280fb-d4a6-440f-983d-eeaeb700e10a): revoke all on database default from role writes
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20190723222626_ec3280fb-d4a6-440f-983d-eeaeb700e10a); Time taken: 0.167 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723222626_ec3280fb-d4a6-440f-983d-eeaeb700e10a): revoke all on database default from role writes
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723222626_ec3280fb-d4a6-440f-983d-eeaeb700e10a); Time taken: 0.013 seconds
INFO  : OK
No rows affected (0.179 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> grant all on default.sample_08 to role writes;
INFO  : Compiling command(queryId=hive_20190723222626_dae44b16-40a5-4c9d-b49b-905be4f8a409): grant all on default.sample_08 to role writes
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20190723222626_dae44b16-40a5-4c9d-b49b-905be4f8a409); Time taken: 0.142 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723222626_dae44b16-40a5-4c9d-b49b-905be4f8a409): grant all on default.sample_08 to role writes
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723222626_dae44b16-40a5-4c9d-b49b-905be4f8a409); Time taken: 0.15 seconds
INFO  : OK
No rows affected (0.296 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> grant role writes to group inserter;
INFO  : Compiling command(queryId=hive_20190723222727_89b88f6e-37bc-4838-a2db-8fba57565c6c): grant role writes to group inserter
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20190723222727_89b88f6e-37bc-4838-a2db-8fba57565c6c); Time taken: 0.063 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723222727_89b88f6e-37bc-4838-a2db-8fba57565c6c): grant role writes to group inserter
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723222727_89b88f6e-37bc-4838-a2db-8fba57565c6c); Time taken: 0.012 seconds
INFO  : OK
No rows affected (0.08 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> 
0: jdbc:hive2://hexindai-c12-127:10000/defaul>

7. Log in to the KDC server and create the test users

[root@hexindai-c12-127 ~]# kadmin.local 
Authenticating as principal rabin/admin@HXD.COM with password.
kadmin.local:  
kadmin.local:  addprinc rabin
WARNING: no policy specified for rabin@HXD.COM; defaulting to no policy
Enter password for principal "rabin@HXD.COM": 
Re-enter password for principal "rabin@HXD.COM": 
add_principal: Principal or policy already exists while creating "rabin@HXD.COM".
kadmin.local:  
kadmin.local:  
kadmin.local:  addprinc wtnyihg
WARNING: no policy specified for wtnyihg@HXD.COM; defaulting to no policy
Enter password for principal "wtnyihg@HXD.COM": 
Re-enter password for principal "wtnyihg@HXD.COM": 
Principal "wtnyihg@HXD.COM" created.
kadmin.local:  
kadmin.local:  xst -k /etc/security/rabin.keytab rabin
Entry for principal rabin with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 3, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 3, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/rabin.keytab.
kadmin.local:  xst -k /etc/security/wtnyihg.keytab wtnyihg
Entry for principal wtnyihg with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/wtnyihg.keytab.
Entry for principal wtnyihg with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/wtnyihg.keytab.
Entry for principal wtnyihg with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/wtnyihg.keytab.
Entry for principal wtnyihg with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/wtnyihg.keytab.
Entry for principal wtnyihg with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/wtnyihg.keytab.
Entry for principal wtnyihg with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/wtnyihg.keytab.
Entry for principal wtnyihg with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/wtnyihg.keytab.
Entry for principal wtnyihg with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/wtnyihg.keytab.
kadmin.local:  quit
[root@hexindai-c12-127 ~]# ll /etc/security/*.keytab
-rw-------. 1 root root 930 Jul 23 22:40 /etc/security/rabin.keytab
-rw-------. 1 root root 482 Jul 23 22:41 /etc/security/wtnyihg.keytab
[root@hexindai-c12-127 ~]# 
[root@hexindai-c12-127 ~]# 
[root@hexindai-c12-127 ~]# scp /etc/security/*.keytab 172.20.102.125:/etc/security/
rabin.keytab                                                                                                                                                       100%  930     1.6MB/s   00:00    
wtnyihg.keytab                                                                                                                                                     100%  482     1.4MB/s   00:00    
[root@hexindai-c12-127 ~]#

8. Test with the rabin user

[root@hexindai-c12-125 ~]# 
[root@hexindai-c12-125 ~]# ll /etc/security/*.keytab
-rw-------. 1 root root 930 Jul 23 22:43 /etc/security/rabin.keytab
-rw-------. 1 root root 482 Jul 23 22:43 /etc/security/wtnyihg.keytab
[root@hexindai-c12-125 ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@hexindai-c12-125 ~]# 
[root@hexindai-c12-125 ~]# kinit -kt /etc/security/rabin.keytab rabin
[root@hexindai-c12-125 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rabin@HXD.COM

Valid starting       Expires              Service principal
07/23/2019 22:45:10  07/24/2019 22:45:04  krbtgt/HXD.COM@HXD.COM
[root@hexindai-c12-125 ~]# beeline 
Beeline version 1.1.0-cdh5.15.1 by Apache Hive
beeline> !connect jdbc:hive2://hexindai-c12-127:10000/default;principal=hive/hexindai-c12-127@HXD.COM
scan complete in 1ms
Connecting to jdbc:hive2://hexindai-c12-127:10000/default;principal=hive/hexindai-c12-127@HXD.COM
Connected to: Apache Hive (version 1.1.0-cdh5.15.1)
Driver: Hive JDBC (version 1.1.0-cdh5.15.1)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://hexindai-c12-127:10000/defaul> show tables;
INFO  : Compiling command(queryId=hive_20190723224646_43465229-9bd7-4a56-b0d5-1f7c13a45799): show tables
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:tab_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20190723224646_43465229-9bd7-4a56-b0d5-1f7c13a45799); Time taken: 0.154 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723224646_43465229-9bd7-4a56-b0d5-1f7c13a45799): show tables
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723224646_43465229-9bd7-4a56-b0d5-1f7c13a45799); Time taken: 0.535 seconds
INFO  : OK
+-----------+--+
| tab_name  |
+-----------+--+
+-----------+--+
No rows selected (0.757 seconds)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> use default;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User rabin does not have privileges for SWITCHDATABASE
 The required privileges: Server=server1->Db=*->Table=+->Column=*->action=select;Server=server1->Db=*->Table=+->Column=*->action=insert; (state=42000,code=40000)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> !connect jdbc:hive2://hexindai-c12-127:10000;principal=hive/hexindai-c12-127@HXD.COM
Connecting to jdbc:hive2://hexindai-c12-127:10000;principal=hive/hexindai-c12-127@HXD.COM
Error: Bad URL format. Hostname not found  in authority part of the url: hexindai-c12-127:10000;principal=hive. Are you missing a '/' after the hostname ? (state=,code=0)
0: jdbc:hive2://hexindai-c12-127:10000/defaul> !connect jdbc:hive2://hexindai-c12-127:10000/;principal=hive/hexindai-c12-127@HXD.COM
Connecting to jdbc:hive2://hexindai-c12-127:10000/;principal=hive/hexindai-c12-127@HXD.COM
Connected to: Apache Hive (version 1.1.0-cdh5.15.1)
Driver: Hive JDBC (version 1.1.0-cdh5.15.1)
Transaction isolation: TRANSACTION_REPEATABLE_READ
1: jdbc:hive2://hexindai-c12-127:10000/> show tables;
INFO  : Compiling command(queryId=hive_20190723224747_86ac66c3-6abb-42f2-b7a1-87226a0e553c): show tables
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:tab_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20190723224747_86ac66c3-6abb-42f2-b7a1-87226a0e553c); Time taken: 0.083 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723224747_86ac66c3-6abb-42f2-b7a1-87226a0e553c): show tables
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723224747_86ac66c3-6abb-42f2-b7a1-87226a0e553c); Time taken: 0.377 seconds
INFO  : OK
+-----------+--+
| tab_name  |
+-----------+--+
+-----------+--+
No rows selected (0.458 seconds)
1: jdbc:hive2://hexindai-c12-127:10000/> show databases;
INFO  : Compiling command(queryId=hive_20190723224747_a470768f-9af1-42e4-9d29-4b0ea4c08792): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20190723224747_a470768f-9af1-42e4-9d29-4b0ea4c08792); Time taken: 0.064 seconds
INFO  : Concurrency mode is disabled, not creating a lock manager
INFO  : Executing command(queryId=hive_20190723224747_a470768f-9af1-42e4-9d29-4b0ea4c08792): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20190723224747_a470768f-9af1-42e4-9d29-4b0ea4c08792); Time taken: 0.164 seconds
INFO  : OK
+----------------+--+
| database_name  |
+----------------+--+
| default        |
+----------------+--+
1 row selected (0.231 seconds)
1: jdbc:hive2://hexindai-c12-127:10000/>