
Hadoop: Using Kerberos and Sentry with Cloudera CDH 5.6.0


1. Kerberos installation


- Configuring Authentication in Cloudera Manager
- How-to: Quickly Configure Kerberos for Your Apache Hadoop Cluster
- Configuring Hadoop Security in CDH 5
- Changing Hostnames
- Kerberos basics and installing a KDC
- Apache Sentry made easy with the new Hue Security App


xst -k hdfs.keytab hdfs@DATACENTER
kinit -k -t hdfs.keytab  hdfs@DATACENTER

2. Hive permission configuration

Note: if you are not using Kerberos, you also need to configure sentry.hive.testing.mode. See Securing the Hive Metastore.

hdfs dfs -chmod -R 771 /user/hive/warehouse
hdfs dfs -chown -R hive:hive /user/hive/warehouse
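
To confirm later that nothing under the warehouse has drifted from the 771 / hive:hive setting above, the output of `hdfs dfs -ls -R /user/hive/warehouse` can be audited. This is an added example, not part of the original post; the function names `audit_warehouse_listing` and `sample_listing` are hypothetical and the sample listing is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit `hdfs dfs -ls -R` output against 771 / hive:hive.
# Reads listing lines on stdin, prints one line per deviation and returns
# non-zero if any entry deviates.
audit_warehouse_listing() {
  awk '
    /^Found [0-9]+ items$/ { next }   # skip the summary header if present
    NF < 8 { next }                   # not a listing line
    {
      mode = $1; owner = $3; group = $4
      # Rebuild the path from field 8 onward so paths with spaces survive.
      path = $8
      for (i = 9; i <= NF; i++) path = path " " $i
      # Characters 2-10 are the rwx bits; char 1 is the type (d or -).
      perms = substr(mode, 2, 9)
      if (perms != "rwxrwx--x") {
        printf "MODE %s %s\n", mode, path; bad++
      }
      if (owner != "hive" || group != "hive") {
        printf "OWNER %s:%s %s\n", owner, group, path; bad++
      }
    }
    END { exit (bad > 0) }
  '
}

# Constructed sample listing (not taken from a real cluster): the "events"
# directory was created by another account with the default 755 mode.
sample_listing() {
  cat <<'EOF'
drwxrwx--x   - hive hive          0 2016-03-01 10:00 /user/hive/warehouse
drwxrwx--x   - hive hive          0 2016-03-01 10:02 /user/hive/warehouse/ubt.db
drwxr-xr-x   - etl  hive          0 2016-03-02 09:15 /user/hive/warehouse/ubt.db/events
-rwxrwx--x   3 hive hive       1024 2016-03-02 09:16 /user/hive/warehouse/ubt.db/events/part-00000
EOF
}

# Demo on the constructed sample. On a cluster, pipe the real listing instead:
#   hdfs dfs -ls -R /user/hive/warehouse | audit_warehouse_listing
sample_listing | audit_warehouse_listing || echo "listing deviates from 771 hive:hive"
```
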
Official documentation for configuring privileges with Hive SQL: Hive SQL Syntax for Use with Sentry


kinit -k -t hive.keytab hive/xxx@DATACENTER
beeline -u "jdbc:hive2://xxx:10000/default;principal=hive/xxx@DATACENTER"
show roles;
drop role datacenter;
create role admin_role;
create role datacenter_role;
GRANT ALL ON SERVER server1 TO ROLE admin_role;
GRANT ROLE admin_role TO GROUP admin;

Grant the SELECT privilege on the ubt database to datacenter_role and the datacenter group

REVOKE ALL ON DATABASE ubt FROM ROLE datacenter_role;

GRANT SELECT ON DATABASE ubt TO ROLE datacenter_role;
GRANT ROLE datacenter_role TO GROUP datacenter;

**Create users and groups on the Linux side**
groupadd admin
useradd bihell -G admin

groupadd datacenter
useradd username -G datacenter
or, for an existing user:
usermod -a -G datacenter 103382

3. Other reference documents

- Configuring a secure Hive cluster integrated with Sentry
- Replace Hive CLI with Beeline on a cluster with Sentry
- Disabling Kerberos for CDH
- Several permission issues after enabling the Sentry service