Hadoop: Using Kerberos and Sentry with Cloudera CDH 5.6.0
2020-01-15
My notes on using Kerberos and Sentry.
1. Installing Kerberos
Follow the articles below to install and configure it:
- Configuring Authentication in Cloudera Manager
- How-to: Quickly Configure Kerberos for Your Apache Hadoop Cluster
- Configuring Hadoop Security in CDH 5
- Changing Hostnames
- Kerberos basics and installing a KDC
- Apache Sentry made easy with the new Hue Security App
**Generate the keytab**
```
# run at the kadmin prompt (xst is an alias for ktadd)
xst -k hdfs.keytab hdfs@DATACENTER
```
**Use the keytab**
```bash
kinit -k -t hdfs.keytab hdfs@DATACENTER
```
2. Hive permission configuration
Note: if you are not using Kerberos, you also need to configure sentry.hive.testing.mode; see Securing the Hive Metastore.
```bash
hdfs dfs -chmod -R 771 /user/hive/warehouse
hdfs dfs -chown -R hive:hive /user/hive/warehouse
```
Official documentation on configuring permissions with Hive SQL: Hive SQL Syntax for Use with Sentry
**Obtain a ticket**
```bash
kinit -k -t hive.keytab hive/xxx@DATACENTER
```
**Connect with beeline**
```bash
beeline -u "jdbc:hive2://xxx:10000/default;principal=hive/xxx@DATACENTER"
```
**Show roles**
```sql
show roles;
```
**Drop a role**
```sql
drop role datacenter;
```
**Create roles**
```sql
create role admin_role;
create role datacenter_role;
```
**Grant all privileges on the server to admin_role, and grant that role to the admin group**
```sql
GRANT ALL ON SERVER server1 TO ROLE admin_role;
GRANT ROLE admin_role TO GROUP admin;
```
**Grant the select privilege on the ubt database to datacenter_role and the datacenter group**
```sql
-- REVOKE takes FROM ROLE, not TO ROLE
REVOKE ALL ON DATABASE ubt FROM ROLE datacenter_role;
GRANT SELECT ON DATABASE ubt TO ROLE datacenter_role;
GRANT ROLE datacenter_role TO GROUP datacenter;
```
**Create users and groups on the Linux side**
```bash
groupadd admin
useradd bihell -G admin
groupadd datacenter
useradd username -G datacenter
# or, for an existing user:
usermod -a -G datacenter 103382
```
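The following is an added example, not part of the original notes and not Sentry's own code: a simplified model of how Sentry resolves a user through Linux groups to roles to privileges, replaying the statements above to show the effective access they produce. It assumes a single server (so a SERVER-scope grant covers every database) and handles only the statement forms used on this page; `load`, `allowed` and `USER_GROUPS` are hypothetical names.

```python
import re

# Simplified model of Sentry's user -> group -> role -> privilege resolution.
# Constructed input mirroring the statements and useradd commands on this page.
STATEMENTS = """
CREATE ROLE admin_role;
CREATE ROLE datacenter_role;
GRANT ALL ON SERVER server1 TO ROLE admin_role;
GRANT ROLE admin_role TO GROUP admin;
REVOKE ALL ON DATABASE ubt FROM ROLE datacenter_role;
GRANT SELECT ON DATABASE ubt TO ROLE datacenter_role;
GRANT ROLE datacenter_role TO GROUP datacenter;
"""
USER_GROUPS = {"bihell": {"admin"}, "username": {"datacenter"}}  # from useradd -G

PRIV = re.compile(r"(GRANT|REVOKE) (\w+) ON (SERVER|DATABASE) (\w+) (?:TO|FROM) ROLE (\w+)", re.I)
ROLE = re.compile(r"GRANT ROLE (\w+) TO GROUP (\w+)", re.I)

def load(statements):
    role_privs, group_roles = {}, {}
    for stmt in filter(None, (s.strip() for s in statements.split(";"))):
        if m := ROLE.fullmatch(stmt):
            group_roles.setdefault(m[2], set()).add(m[1])
        elif m := PRIV.fullmatch(stmt):
            verb, action, scope, name, role = m.groups()
            entry = (action.upper(), scope.upper(), name)
            privs = role_privs.setdefault(role, set())
            if verb.upper() == "GRANT":
                privs.add(entry)
            elif action.upper() == "ALL":  # REVOKE ALL drops every action on that object
                privs -= {p for p in privs if p[1:] == entry[1:]}
            else:
                privs.discard(entry)
        elif m := re.fullmatch(r"CREATE ROLE (\w+)", stmt, re.I):
            role_privs.setdefault(m[1], set())
    return role_privs, group_roles

def allowed(user, action, database, role_privs, group_roles):
    """True if any role reachable through the user's groups covers the action."""
    for group in USER_GROUPS.get(user, ()):
        for role in group_roles.get(group, ()):
            for act, scope, name in role_privs.get(role, ()):
                covers_object = scope == "SERVER" or name == database
                if covers_object and act in ("ALL", action):
                    return True
    return False
```

With these grants, a member of `datacenter` can only SELECT in `ubt`, while a member of `admin` inherits every action through the SERVER-level `ALL`; a user in neither group gets nothing, which is why the Linux group membership step matters.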
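3. Other reference documents
- Configuring a secure Hive cluster integrated with Sentry
- Replace Hive CLI with Beeline on a cluster with Sentry
- Disabling Kerberos for CDH
- Several permission issues after enabling the Sentry service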