Hive has two types of access control:
1. Access to Hive data through the HCatalog API, which is really access to the metastore's metadata. MapReduce, Impala, Pig, Spark SQL, the Hive command line and similar clients work this way. Authorization on this path is called Storage Based Authorization in the Metastore Server.
2. Access to Hive data through HiveServer2. Authorization on this path is called SQL Standards Based Authorization in HiveServer2.
The first type is actually enforced through the user's permissions on HDFS, using the hdfs setfacl command. To use it, set the following properties in Hive's configuration:
<property>
<name>hive.security.metastore.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value>
<description>authorization manager class name to be used in the metastore for authorization.
The user defined authorization class should implement interface
org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider.
</description>
</property>
<property>
<name>hive.security.metastore.authenticator.manager</name>
<value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
<description>authenticator manager class name to be used in the metastore for authentication.
The user defined authenticator should implement interface
org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider.
</description>
</property>
<property>
<name>hive.metastore.pre.event.listeners</name>
<value> </value>
<description>pre-event listener classes to be loaded on the metastore side to run code
whenever databases, tables, and partitions are created, altered, or dropped.
Set to org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener
if metastore-side authorization is desired.
</description>
</property>
Then use setfacl to grant users permissions on the Hive warehouse path, for example:
# grant user test rwx on the warehouse directory
hadoop fs -setfacl -m user:test:rwx /user/hive/warehouse
# grant group hivegrp rwx on the warehouse directory
hadoop fs -setfacl -m group:hivegrp:rwx /user/hive/warehouse
The second type also requires changes to hive-site.xml:
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.security.authorization.createtable.owner.grants</name>
<value>ALL</value>
</property>
<property>
<name>hive.security.authorization.task.factory</name>
<value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
<property>
<name>hive.users.in.admin.role</name>
<value>hdfs</value>
</property>
Then enter the Hive CLI and use the grant command to control permissions on tables, views, columns and partitions. Note that commands such as create role and drop role can only be executed by the admin role, which is why the configuration above gives the hdfs user the admin role: switch to the hdfs user, enter the Hive CLI and run the grant commands there.
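The grant sequence the previous paragraph refers to, written out as an added example (not part of the original post). It assumes the second mode above is active, i.e. HiveServer2 or the CLI is running with the SQL standard authorizer (hive.security.authorization.manager set to the SQLStdHiveAuthorizerFactory), that the session is the hdfs user listed in hive.users.in.admin.role, and that the database, table, view, role and user names (sales, orders, orders_public, analyst, loader, test, etl) exist or are about to be created; all of those names are assumptions.

```sql
-- Added example: role-based grants under SQL Standards Based Authorization.
-- Object, role and user names are assumptions, not values from the post.

-- Being listed in hive.users.in.admin.role is not enough on its own: the
-- session must switch to the admin role before CREATE ROLE / DROP ROLE work.
SET ROLE ADMIN;
SHOW CURRENT ROLES;

-- Roles are the unit of privilege management: grant privileges to roles,
-- then grant roles to users, so a user's access is changed by editing roles.
CREATE ROLE analyst;
CREATE ROLE loader;

-- Column scoping: expose only the columns analysts may see through a view
-- and grant on the view rather than on the base table.
CREATE VIEW sales.orders_public AS
  SELECT order_id, order_date, region FROM sales.orders;
GRANT SELECT ON TABLE sales.orders_public TO ROLE analyst;

-- A loading role that may write to the base table but has no SELECT on it.
GRANT INSERT ON TABLE sales.orders TO ROLE loader;

-- Assign roles to users.
GRANT ROLE analyst TO USER test;
GRANT ROLE loader TO USER etl;

-- Verify the effective grants before handing the accounts over.
SHOW GRANT ROLE analyst ON TABLE sales.orders_public;
SHOW GRANT ROLE loader ON ALL;
SHOW ROLE GRANT USER test;

-- Revocation in reverse order: privilege from role, role from user, then
-- the role itself (DROP ROLE again needs the admin role).
REVOKE INSERT ON TABLE sales.orders FROM ROLE loader;
REVOKE ROLE loader FROM USER etl;
DROP ROLE loader;
```

Keeping privileges on roles rather than on individual users means an employee change is a single GRANT ROLE or REVOKE ROLE, and SHOW GRANT ... ON ALL gives a quick audit of what a role can reach.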
For controlling Hive access through Hue, see here.
Official documentation:
https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization