Sentry on Cloudera: permissions quickstart and how to install Sentry

Configuring the Sentry Service
This topic describes how to enable the Sentry service for Hive and Impala, and how to configure the Hive metastore to communicate with the service.
Enabling the Sentry Service Using Cloudera Manager
Minimum Required Role: (also provided by Cluster Administrator, Full Administrator)
Before Enabling the Sentry Service
Ensure you satisfy all the prerequisites for the Sentry service.
The Hive warehouse directory (/user/hive/warehouse or any path you specify as hive.metastore.warehouse.dir in your hive-site.xml) must be owned by the Hive user and group.
Permissions on the warehouse directory must be set as follows (see following Note for caveats):
771 on the directory itself (for example, /user/hive/warehouse)
771 on all subdirectories (for example, /user/hive/warehouse/mysubdir)
All files and subdirectories should be owned by hive:hive
For example:
$ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
$ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
If you set hive.warehouse.subdir.inherit.perms to true in hive-site.xml, the permissions on the subdirectories are set when you set permissions on the warehouse directory itself.
If a user has access to any object in the warehouse, that user is able to execute "use default". This ensures that "use default" commands issued by legacy applications work when Sentry is enabled.
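As an added verification script (not part of the Cloudera documentation), the following Python audits a captured "hdfs dfs -ls -R /user/hive/warehouse" listing against the prerequisites above: every entry owned by hive:hive and mode 771 (rwxrwx--x). The listing in SAMPLE_LISTING is constructed for the example and is not output from a real cluster; the function names are my own. Entries carrying an extended ACL (the "+" suffix in ls output) are reported as information rather than failures, because HDFS ACLs are the documented way to give Pig and HCatalog users access later in this topic.

```python
import re
import shlex

# Constructed sample of "hdfs dfs -ls -R /user/hive/warehouse" output for this
# example; it is not output from a real cluster.
SAMPLE_LISTING = """\
drwxrwx--x   - hive  hive          0 2018-02-05 10:00 /user/hive/warehouse/sales.db
drwxrwx--x   - hive  hive          0 2018-02-05 10:01 /user/hive/warehouse/sales.db/orders
-rwxrwx--x   3 hive  hive      40960 2018-02-05 10:01 /user/hive/warehouse/sales.db/orders/000000_0
drwxrwx--x+  - hive  hive          0 2018-02-05 10:04 /user/hive/warehouse/sales.db/archive
drwxrwxr-x   - alice alice         0 2018-02-05 10:02 /user/hive/warehouse/scratch.db
-rw-r--r--   3 hive  hive        128 2018-02-05 10:03 /user/hive/warehouse/scratch.db/notes.txt
"""

# One line of "hdfs dfs -ls" output: type, nine permission bits, optional "+" for an
# extended ACL, replication ("-" for directories), owner, group, size, date, time, path.
LS_LINE = re.compile(
    r"^(?P<type>[-d])(?P<perms>[rwxsStT-]{9})(?P<acl>\+?)\s+\S+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+\S+\s+\S+\s+(?P<path>.+)$"
)

EXPECTED_PERMS = "rwxrwx--x"        # what "chmod -R 771" produces
EXPECTED_OWNER = ("hive", "hive")   # what "chown -R hive:hive" produces


def parse_listing(text):
    """Return one dict per parsed entry; lines that are not ls entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def audit_warehouse(text):
    """Return (path, kind, detail) tuples for every deviation from the prerequisites."""
    findings = []
    for e in parse_listing(text):
        if (e["owner"], e["group"]) != EXPECTED_OWNER:
            findings.append((e["path"], "owner", f"{e['owner']}:{e['group']}"))
        if e["perms"] != EXPECTED_PERMS:
            findings.append((e["path"], "mode", e["perms"]))
        if e["acl"]:
            # Informational only: HDFS ACLs are how Pig/HCatalog users are granted access.
            findings.append((e["path"], "acl", "extended ACL present"))
    return findings


def remediation(findings):
    """Map owner/mode findings to the commands the documentation uses; ACL findings need review only."""
    commands = []
    for path, kind, _ in findings:
        if kind == "owner":
            commands.append(f"sudo -u hdfs hdfs dfs -chown hive:hive {shlex.quote(path)}")
        elif kind == "mode":
            commands.append(f"sudo -u hdfs hdfs dfs -chmod 771 {shlex.quote(path)}")
    return commands


if __name__ == "__main__":
    findings = audit_warehouse(SAMPLE_LISTING)
    for path, kind, detail in findings:
        print("%-6s %-55s %s" % (kind, path, detail))
    print("\n".join(remediation(findings)))
```

Run it against a saved listing instead of the sample by reading the file into audit_warehouse(); the per-path chown/chmod commands it emits are the targeted form of the recursive commands shown above, so you can fix individual stragglers without re-applying -R to the whole warehouse.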
Important: These instructions override the recommendations in the Hive section of the CDH 5 Installation Guide.
Disable impersonation for HiveServer2 in the Cloudera Manager Admin Console:
Go to the Hive service.
Click the Configuration tab.
Select Scope > HiveServer2.
Select Category > Main.
Uncheck the HiveServer2 Enable Impersonation checkbox.
Click Save Changes to commit the changes.
If you are using MapReduce, enable the Hive user to submit MapReduce jobs.
Open the Cloudera Manager Admin Console and go to the MapReduce service.
Click the Configuration tab.
Select Scope > TaskTracker.
Select Category > Security.
Set the Minimum User ID for Job Submission property to zero (the default is 1000).
Click Save Changes to commit the changes.
Repeat steps 1-6 for every TaskTracker role group for the MapReduce service that is associated with Hive, if more than one exists.
Restart the MapReduce service.
If you are using YARN, enable the Hive user to submit YARN jobs.
Open the Cloudera Manager Admin Console and go to the YARN service.
Click the Configuration tab.
Select Scope > NodeManager.
Select Category > Security.
Ensure the Allowed System Users property includes the hive user. If not, add hive.
Click Save Changes to commit the changes.
Repeat steps 1-6 for every NodeManager role group for the YARN service that is associated with Hive, if more than one exists.
Restart the YARN service.
Important: Ensure you have unchecked the Enable Sentry Authorization using Policy Files configuration property for both Hive and Impala under the Policy File Based Sentry category before you proceed.
Enabling the Sentry Service for Hive
Go to the Hive service.
Click the Configuration tab.
Select Scope > Hive (Service-Wide).
Select Category > Main.
Locate the Sentry Service property and select Sentry.
Click Save Changes to commit the changes.
Restart the Hive service.
Enabling Sentry on the Hive service places several HiveServer2 properties on a restricted list of properties that cannot be modified at runtime by clients. See HiveServer2 Restricted Properties below.
Enabling the Sentry Service for Impala
Enable the Sentry service for Hive (as instructed above).
Go to the Impala service.
Click the Configuration tab.
Select Scope > Impala (Service-Wide).
Select Category > Main.
Locate the Sentry Service property and select Sentry.
Click Save Changes to commit the changes.
Restart Impala.
Enabling the Sentry Service for Hue
To interact with Sentry using Hue, enable the Sentry service as follows:
Enable the Sentry service for Hive and Impala (as instructed above).
Go to the Hue service.
Click the Configuration tab.
Select Scope > Hue (Service-Wide).
Select Category > Main.
Locate the Sentry Service property and select Sentry.
Click Save Changes to commit the changes.
Restart Hue.
Enabling the Sentry Service Using the Command Line
Important: If you use Cloudera Manager, do not use these command-line instructions.
This information applies specifically to CDH 5.4.x. If you use an earlier version of CDH, see the documentation for that version located at .
Before Enabling the Sentry Service
The Hive warehouse directory (/user/hive/warehouse or any path you specify as hive.metastore.warehouse.dir in your hive-site.xml) must be owned by the Hive user and group.
Permissions on the warehouse directory must be set as follows (see following Note for caveats):
771 on the directory itself (for example, /user/hive/warehouse)
771 on all subdirectories (for example, /user/hive/warehouse/mysubdir)
All files and subdirectories should be owned by hive:hive
For example:
$ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
$ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
If you set hive.warehouse.subdir.inherit.perms to true in hive-site.xml, the permissions on the subdirectories are set when you set permissions on the warehouse directory itself.
If a user has access to any object in the warehouse, that user is able to execute "use default". This ensures that "use default" commands issued by legacy applications work when Sentry is enabled.
Important: These instructions override the recommendations in the Hive section of the CDH 5 Installation Guide.
HiveServer2 impersonation must be turned off.
If you are using MapReduce, you must enable the Hive user to submit MapReduce jobs. You can ensure this by setting the minimum user ID for job submission to 0: edit the taskcontroller.cfg file and set min.user.id=0.
If you are using YARN, you must enable the Hive user to submit YARN jobs by adding the user hive to the allowed.system.users configuration property. Edit the container-executor.cfg file and add hive to the allowed.system.users property. For example:
allowed.system.users = nobody,impala,hive
Important: You must restart the cluster and HiveServer2 after changing these values.
Configuring HiveServer2 for the Sentry Service
Add the following properties to hive-site.xml to allow the Hive service to communicate with the Sentry service.
<property>
  <name>hive.security.authorization.task.factory</name>
  <value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value>
</property>
<property>
  <name>hive.server2.session.hook</name>
  <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
</property>
<property>
  <name>hive.sentry.conf.url</name>
  <value>file:///{{PATH/TO/DIR}}/sentry-site.xml</value>
</property>
Enabling Sentry on the Hive service places several HiveServer2 properties on a restricted list of properties that cannot be modified at runtime by clients. See HiveServer2 Restricted Properties below.
Configuring the Hive Metastore for the Sentry Service
Add the following properties to hive-site.xml to allow the Hive metastore to communicate with the Sentry service.
<property>
  <name>hive.metastore.filter.hook</name>
  <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
</property>
<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value>org.apache.sentry.binding.metastore.MetastoreAuthzBinding</value>
  <description>list of comma separated listeners for metastore events.</description>
</property>
<property>
  <name>hive.metastore.event.listeners</name>
  <value>org.apache.sentry.binding.metastore.SentryMetastorePostEventListener</value>
  <description>list of comma separated listeners for metastore, post events.</description>
</property>
Configuring Impala as a Client for the Sentry Service
Set the following configuration properties in sentry-site.xml.
<property>
  <name>sentry.service.client.server.rpc-port</name>
  <value>3893</value>
</property>
<property>
  <name>sentry.service.client.server.rpc-address</name>
  <value>hostname</value>
</property>
<property>
  <name>sentry.service.client.server.rpc-connection-timeout</name>
  <value>200000</value>
</property>
<property>
  <name>sentry.service.security.mode</name>
  <value>none</value>
</property>
You must also add the following configuration properties to Impala's /etc/default/impala file. For more information, see .
On the catalogd and the impalad:
--sentry_config=<absolute path to sentry service configuration file>
On the impalad:
--server_name=<server name>
If the --authorization_policy_file flag is set, Impala uses the policy file-based approach. Otherwise, the database-backed approach is used to implement authorization.
HiveServer2 Restricted Properties
Enabling Sentry on the Hive service places several HiveServer2 properties on a restricted list of properties that cannot be modified at runtime by clients. This list is denoted by the hive.conf.restricted.list property, and these properties are only configurable on the server side. The list includes:
hive.enable.spark.execution.engine
hive.semantic.analyzer.hook
hive.exec.pre.hooks
hive.exec.scratchdir
hive.exec.local.scratchdir
hive.metastore.uris
javax.jdo.option.ConnectionURL
hadoop.bin.path
hive.session.id
hive.aux.jars.path
hive.stats.dbconnectionstring
hive.scratch.dir.permission
hive.security.command.whitelist
hive.security.authorization.task.factory
hive.entity.capture.transform
hive.access.conf.url
hive.sentry.conf.url
hive.access.subject.name
hive.sentry.subject.name
hive.sentry.active.role.set
Configuring Pig and HCatalog for the Sentry Service
Once you have the Sentry service up and running, and Hive has been configured to use the Sentry service, there are some configuration changes you must make to your cluster to allow Pig, MapReduce (using HCatLoader, HCatStorer) and WebHCat queries to access Sentry-secured data stored in Hive.
Because the Hive warehouse directory is owned by hive:hive with its permissions set to 771, requests from other users, such as commands coming through Pig jobs, WebHCat queries, and MapReduce jobs, may fail. To give these users access, perform the following configuration:
Use HDFS ACLs to define permissions on a specific directory or file in HDFS. This directory or file is generally mapped to a database, table, partition, or data file.
Users running these jobs should have the required permissions in Sentry to add new metadata to, or read metadata from, the Hive Metastore Server. For instructions on how to set up the required permissions, see . You can use Beeline, HiveServer2's command-line interface, to update the Sentry database with the user privileges.
A user who is using Pig HCatLoader requires read permissions on a specific table or partition. In such a case, GRANT read access to the user in Sentry and set the ACL to read and execute on the file being accessed.
A user who is using Pig HCatStorer requires ALL permissions on a specific table. In this case, GRANT ALL access to the user in Sentry and set the ACL to write and execute on the table being used.
Securing the Hive Metastore
It's important that the Hive metastore be secured. If you want to override the Kerberos prerequisite for the Hive metastore, set the sentry.hive.testing.mode property to true to allow Sentry to work with weaker authentication mechanisms. Add the following property to the HiveServer2 and Hive metastore's sentry-site.xml:
<property>
  <name>sentry.hive.testing.mode</name>
  <value>true</value>
</property>
Impala does not require this flag to be set.
Warning: Cloudera strongly recommends against enabling this property in production. Use Sentry's testing mode only in test environments.
You can turn on Hive metastore security using the Hive metastore security configuration instructions.
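As an added configuration check (my own code, not part of the Cloudera documentation), the following Python reads a hive-site.xml and a sentry-site.xml and reports what the sections above require: the Sentry task factory, session hook and conf URL on HiveServer2, the metastore filter hook and both listener classes, and the testing-mode warning from this section. Both XML fragments are constructed for the example; the sentry-site.xml path /etc/sentry/conf/sentry-site.xml and the host name are placeholders. The impersonation check uses hive.server2.enable.doAs, the standard Hive property behind "HiveServer2 impersonation"; the documentation does not name that property, so treat it as my assumption.

```python
import xml.etree.ElementTree as ET

# Constructed hive-site.xml for this example (not from a real cluster). It deliberately
# omits the metastore pre-event listener and leaves impersonation switched on.
HIVE_SITE_SAMPLE = """<configuration>
  <property><name>hive.security.authorization.task.factory</name>
    <value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value></property>
  <property><name>hive.server2.session.hook</name>
    <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value></property>
  <property><name>hive.sentry.conf.url</name>
    <value>file:///etc/sentry/conf/sentry-site.xml</value></property>
  <property><name>hive.metastore.filter.hook</name>
    <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value></property>
  <property><name>hive.metastore.event.listeners</name>
    <value>org.apache.sentry.binding.metastore.SentryMetastorePostEventListener</value></property>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
</configuration>"""

# Constructed sentry-site.xml for this example, with testing mode switched on.
SENTRY_SITE_SAMPLE = """<configuration>
  <property><name>sentry.service.client.server.rpc-port</name><value>3893</value></property>
  <property><name>sentry.service.client.server.rpc-address</name><value>sentry-host.example</value></property>
  <property><name>sentry.hive.testing.mode</name><value>true</value></property>
</configuration>"""

# Exact values the documentation specifies for hive-site.xml.
REQUIRED_HIVE = {
    "hive.security.authorization.task.factory":
        "org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl",
    "hive.server2.session.hook":
        "org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook",
    "hive.metastore.filter.hook":
        "org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook",
}
# Listener properties are comma-separated lists; the Sentry class must be one member.
REQUIRED_LISTENERS = {
    "hive.metastore.pre.event.listeners":
        "org.apache.sentry.binding.metastore.MetastoreAuthzBinding",
    "hive.metastore.event.listeners":
        "org.apache.sentry.binding.metastore.SentryMetastorePostEventListener",
}


def load_props(xml_text):
    """Parse a Hadoop-style <configuration> document into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for p in root.findall("property"):
        name = p.findtext("name")
        if name is not None:
            props[name.strip()] = (p.findtext("value") or "").strip()
    return props


def check_hive_site(props):
    """Return a list of problems; an empty list means hive-site.xml matches the documentation."""
    problems = []
    for key, want in REQUIRED_HIVE.items():
        if props.get(key) != want:
            problems.append(f"{key} should be {want}, found {props.get(key)!r}")
    for key, cls in REQUIRED_LISTENERS.items():
        listeners = [x.strip() for x in props.get(key, "").split(",") if x.strip()]
        if cls not in listeners:
            problems.append(f"{key} must include {cls}")
    if not props.get("hive.sentry.conf.url", "").startswith("file://"):
        problems.append("hive.sentry.conf.url must be a file:// URL pointing at sentry-site.xml")
    # Assumption: hive.server2.enable.doAs is the property behind "HiveServer2 impersonation";
    # Hive's default is true, so an absent key also counts as impersonation enabled.
    if props.get("hive.server2.enable.doAs", "true").lower() != "false":
        problems.append("HiveServer2 impersonation (hive.server2.enable.doAs) must be false")
    return problems


def check_sentry_site(props):
    """Return warnings for settings the documentation says not to use in production."""
    warnings = []
    if props.get("sentry.hive.testing.mode", "false").lower() == "true":
        warnings.append("sentry.hive.testing.mode=true accepts weaker authentication; test environments only")
    return warnings


if __name__ == "__main__":
    for line in check_hive_site(load_props(HIVE_SITE_SAMPLE)):
        print("PROBLEM:", line)
    for line in check_sentry_site(load_props(SENTRY_SITE_SAMPLE)):
        print("WARNING:", line)
```

To use it on a real cluster, replace the two sample strings with the contents of the files HiveServer2 and the metastore actually load, and run it again after every restart: the restricted-list behaviour described above only protects the server-side values, so a drifted file on one host is exactly what this kind of check catches.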
Using User-Defined Functions with HiveServer2
The ADD JAR command does not work with HiveServer2 and the Beeline client when Beeline runs on a different host. As an alternative to ADD JAR, use Hive's auxiliary paths functionality. There are some differences in the procedures for creating permanent functions and temporary functions when Sentry is enabled. For detailed instructions, see:
(C) 2018 Cloudera, Inc. All rights reserved. Page generated February 5, 2018.
Apache Sentry Overview
Apache Sentry is a granular, role-based authorization module for Hadoop. Sentry provides the ability to control and enforce precise levels of privileges on data for authenticated users
and applications on a Hadoop cluster. Sentry currently works out of the box with Apache Hive, Hive Metastore/HCatalog, Apache Solr, Impala, and HDFS (limited to Hive table data).
Sentry is designed to be a pluggable authorization engine for Hadoop components. It allows you to define authorization rules to validate a user or application’s access requests for
Hadoop resources. Sentry is highly modular and can support authorization for a wide variety of data models in Hadoop.
For more information, see .
Page generated February 11, 2018.
Why did Cloudera create the Hadoop security component Sentry?
Hello, glad to help. For details, see http://www.linuxidc.com/Linux/855 . If this helps, please click [Accept Answer] on the right.