Introduction to Sentry: Getting Started with Sentry in Hive
Source: Internet | Published by: 什么是seo是什么 | Editor: 程序博客网 | Time: 2024/05/16 17:31
Sentry uses a policy provider to define access control for Hive. Sentry currently ships with a file-based policy provider; see below for an example. A single global policy file can be used to control access to an entire HiveServer2 instance, and multiple dependent per-database policy files can be linked to the global one. Let's look at the structure of a policy file with an example.

Global policy file:

```ini
[groups]
admin_group = admin_role
dep1_admin = uri_role
[roles]
admin_role = server=server1
uri_role = hdfs:///ha-nn-uri/data
[databases]
db1 = hdfs://ha-nn-uri/user/hive/sentry/db1.ini
```

Per-database policy file (at hdfs://ha-nn-uri/user/hive/sentry/db1.ini):

```ini
[groups]
dep1_admin = db1_admin_role
dep1_analyst = db1_read_role
[roles]
db1_admin_role = server=server1->db=db1
db1_read_role = server=server1->db=db1->table=*->action=select
```
As you can see above, there are usually three sections in the global policy file:
- A [groups] section that provides group-to-role mapping
- A [roles] section that provides role-to-privileges mapping
- A [databases] (optional) section that provides database-to-per-database policy file mapping. This allows for maintaining per-database privileges separately.
Sentry provides authorization through a hook in HiveServer2. When a user makes a connection to HiveServer2, it authenticates the connecting user and persists the user information for the session. For the subsequent operations that user performs, Sentry authorizes the operation by mapping the user to the groups he/she belongs to and determining whether the group(s) have necessary privileges on the relevant objects.
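As an added example (not code from the original post or from Sentry itself), here is a small Python model of the lookup just described: it merges the global and per-database files shown above, maps groups to roles and roles to privileges, and checks a request against the server->db->table->action hierarchy, where an omitted part (such as no action) covers everything below it and `*` is a wildcard. The union-style merge of the per-database file and the `privilege_covers`/`authorized` helpers are assumptions; group membership is an input because, with HadoopGroups, it is resolved on the HiveServer2 host before Sentry runs.

```python
import configparser

# Constructed sample files that mirror the two policy files shown on this page.
GLOBAL_POLICY = """
[groups]
admin_group = admin_role
dep1_admin = uri_role
[roles]
admin_role = server=server1
uri_role = hdfs:///ha-nn-uri/data
[databases]
db1 = hdfs://ha-nn-uri/user/hive/sentry/db1.ini
"""
DB1_POLICY = """
[groups]
dep1_admin = db1_admin_role
dep1_analyst = db1_read_role
[roles]
db1_admin_role = server=server1->db=db1
db1_read_role = server=server1->db=db1->table=*->action=select
"""

def parse_policy(text):
    # Only '=' is a delimiter, so hdfs:// values and server=...->db=... privileges survive intact.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep group and role names case-sensitive
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}

def merge_policies(global_text, per_db_texts):
    """Union [groups] and [roles] across the global file and linked per-db files (assumed merge semantics)."""
    groups, roles = {}, {}
    for text in [global_text, *per_db_texts]:
        policy = parse_policy(text)
        for group, role_list in policy.get("groups", {}).items():
            groups.setdefault(group, set()).update(r.strip() for r in role_list.split(","))
        for role, priv_list in policy.get("roles", {}).items():
            roles.setdefault(role, set()).update(p.strip() for p in priv_list.split(","))
    return groups, roles

def privilege_covers(priv, request):
    """True when every part the privilege names matches the request or is '*'; omitted parts cover all."""
    if not priv.startswith("server="):
        return False  # URI grants (hdfs://...) are not object privileges; they are checked separately
    parts = dict(part.split("=", 1) for part in priv.split("->"))
    return all(value == "*" or request.get(key) == value for key, value in parts.items())

def authorized(user_groups, request, groups, roles):
    """Grant if any role of any of the caller's groups holds a privilege covering the request."""
    return any(privilege_covers(p, request) for g in user_groups for r in groups.get(g, ()) for p in roles.get(r, ()))
```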
Hive security landscape with Sentry
Next, let's look at how Sentry fits into the security landscape of Hive. The infographic below shows how the different authentication and authorization pieces fit together.
Here are the main points to take away:
- Sentry requires that HiveServer2 be configured to use strong authentication. HiveServer2 supports Kerberos as well as LDAP (and AD) authentication mechanisms.
- At the Sentry authorization level, there are two supported forms of user-group mapping:
  - HadoopGroup mapping, which uses the underlying Hadoop groups. Hadoop groups in turn support shell-based mapping as well as LDAP group mapping. Please note that in the case of Sentry with Hive, the mapping of users to groups is performed on the HiveServer2 host.
  - LocalGroups, where users and groups can be defined locally in the policy file using a [users] section (for testing purposes only).
Demo
In this demo, we will be using Kerberos authentication for HiveServer2 with HadoopGroups as the Sentry group provider, which by default uses Shell mapping. We briefly go over Sentry and see how to configure and use it in this configuration. (Note: Cloudera Manager 4.7 and CDH 4.4 are shown here; for future versions, the steps will be similar.)
http://vimeo.com/79936560