Manage Hive user rights
From the remote Hive deployment and the dictionary of MySQL metadata tables, it is clear that Hive manages user permissions through information stored in the metastore. The question now is how Hive actually manages those permissions. Before answering it, we need to understand Hive's permission management mechanism.
Hive user groups and users are Linux user groups and users. Like Hadoop, Hive does not provide user group and user management, only permission control.
1. Configure hive-site.xml
```xml
<property>
  <name>hive.users.in.admin.role</name>
  <value>root</value>
  <description>Comma separated list of users who are in the admin role for bootstrapping.
  More users can be added to the ADMIN role later.</description>
</property>
<property>
  <name>hive.metastore.authorization.storage.checks</name>
  <value>true</value>
</property>
<property>
  <name>hive.metastore.execute.setugi</name>
  <value>false</value>
</property>
<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>Enable or disable the Hive client authorization.</description>
</property>
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
  <description>The privileges automatically granted to the owner whenever a table gets created.
  An example like "select,drop" will grant select and drop privilege to the owner of the table.</description>
</property>
<property>
  <name>hive.security.authorization.task.factory</name>
  <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
  <description>Authorization DDL task factory implementation.</description>
</property>
<property>
  <name>hive.semantic.analyzer.hook</name>
  <value>com.hive.HiveAdmin</value>
  <description>Hook class that identifies the super administrators for authorization control.</description>
</property>
```
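A quick audit of a hive-site.xml against the settings above, as an added example that is not part of the original post: it parses a constructed sample configuration, checks that the properties this setup relies on are present with the expected values, and reports any property defined more than once, since Hadoop's Configuration keeps the last definition and silently drops the earlier ones. The property names are those from the configuration above; the sample file and the function names are constructed here.

```python
"""Audit a hive-site.xml for the legacy-authorization settings this page enables.
Added example: SAMPLE is constructed; pass a real hive-site.xml's text to audit_hive_site()."""
import xml.etree.ElementTree as ET
from collections import Counter

# Properties the setup above depends on; None means "any non-empty value".
REQUIRED = {
    "hive.security.authorization.enabled": "true",
    "hive.security.authorization.task.factory": None,
    "hive.semantic.analyzer.hook": None,
    "hive.users.in.admin.role": None,
}

def parse_properties(xml_text):
    """Return (name, value) pairs in document order, duplicates included."""
    pairs = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            pairs.append((name, (prop.findtext("value") or "").strip()))
    return pairs

def audit_hive_site(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    pairs = parse_properties(xml_text)
    # Hadoop's Configuration loads properties in order and a later definition
    # replaces an earlier one, so the effective value is the last one seen.
    effective = dict(pairs)
    findings = []
    for name, count in Counter(n for n, _ in pairs).items():
        if count > 1:
            findings.append(f"{name} defined {count} times; effective value is '{effective[name]}'")
    for name, expected in REQUIRED.items():
        actual = effective.get(name, "")
        if not actual:
            findings.append(f"{name} is missing or empty")
        elif expected is not None and actual.lower() != expected:
            findings.append(f"{name} is '{actual}', expected '{expected}'")
    return findings

# Constructed sample: authorization switched off and the admin list given twice.
SAMPLE = """<configuration>
  <property><name>hive.users.in.admin.role</name><value>root</value></property>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
  <property><name>hive.semantic.analyzer.hook</name><value>com.hive.HiveAdmin</value></property>
  <property><name>hive.users.in.admin.role</name><value>root,hive</value></property>
</configuration>"""
```

Calling `audit_hive_site(SAMPLE)` yields three findings: the duplicated admin list (effective value `root,hive`), authorization switched off, and the missing task factory.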
1. Customize Hive permission management
The Hive administrator must be one of root, admin, or hive.
```java
package com.hive;
import org.apache.hadoop.hive.ql.parse.ASTNode;
import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
import org.apache.hadoop.hive.ql.parse.HiveParser;
import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.session.SessionState;

// Created by Ganymede on 2016/10/4.
// Ordinary users may not run authorization, database-creation or table-creation statements.
public class HiveAdmin extends AbstractSemanticAnalyzerHook {
    // Hive administrators allowed to run the statements matched below
    private static String[] admin = {"root", "hadoop", "hive"};

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast) throws SemanticException {
        switch (ast.getToken().getType()) {
            case HiveParser.TOK_CREATEDATABASE:
            case HiveParser.TOK_DROPDATABASE:
            case HiveParser.TOK_CREATEROLE:
            case HiveParser.TOK_DROPROLE:
            case HiveParser.TOK_GRANT:
            case HiveParser.TOK_REVOKE:
            case HiveParser.TOK_GRANT_ROLE:
            case HiveParser.TOK_REVOKE_ROLE:
            case HiveParser.TOK_CREATETABLE:
                // Resolve the caller from the session authenticator; if it is unavailable
                // userName stays null and the check below rejects the statement.
                String userName = null;
                if (SessionState.get() != null && SessionState.get().getAuthenticator() != null) {
                    userName = SessionState.get().getAuthenticator().getUserName();
                }
                if (!admin[0].equalsIgnoreCase(userName) && !admin[1].equalsIgnoreCase(userName)
                        && !admin[2].equalsIgnoreCase(userName)) {
                    throw new SemanticException(userName + " can't use ADMIN options, except "
                            + admin[0] + "," + admin[1] + "," + admin[2] + ".");
                }
                break;
            default: break;
        }
        return ast;
    }

    // Stand-alone check of the admin test with a non-admin user name
    public static void main(String[] args) throws SemanticException {
        String[] admin = {"admin", "root"};
        String userName = "root1";
        for (String tmp : admin) {
            System.out.println(tmp);
            if (!admin[0].equalsIgnoreCase(userName) && !admin[1].equalsIgnoreCase(userName)) {
                throw new SemanticException(userName + " can't use ADMIN options, except " + admin[0] + "," + admin[1] + ".");
            }
        }
    }
}
```
2. Package and upload the JAR and the related Hive configuration files
The environment needs to be prepared before packaging; I packaged it directly on the server.
Start by placing the jar packages that the code above depends on in the $HADOOP_HOME/lib folder:
```sh
cp /home/hadoop/hadoop3.1/share/hadoop/common/hadoop-common-3.0.2.jar /home/hive/hive3.1/lib
```
Start packaging:
```sh
javac -Djava.ext.dirs="/home/hive/hive3.1/lib" HiveAdmin.java -d .
jar cf hive-admin.jar com
```
Copy the hive-admin.jar package to lib:
```sh
cp hive-admin.jar /home/hive/hive3.1/lib
```
3. Restart the Hive services
```sh
hive --service metastore > metastore.log 2>&1 &
hive --service hiveserver2 > hiveserver2.log 2>&1 &
```
Here are some commands for assigning permissions. A user can belong to multiple role groups; the SET ROLE command switches the current user to the specified role.
```sql
set role ADMIN;
create role role_name;
drop role role_name;
-- grant on a database or on a table (the TABLE keyword is optional)
grant select on database zfs_test to role zfs_role;
grant select on table employee to role user1_1;
show grant role role_name on database db_name;
show grant role role_name on table t_name;
grant role role_name to user user_name;
revoke select on database db_name from role role_name;
revoke select on table t_name from role role_name;
show role grant user user_name;
show role grant user user1_1;
show grant role zfs_role;
-- assign role_test1 to user jayliu, view the roles granted to jayliu, then take the role back
grant role role_test1 to user jayliu;
show role grant user jayliu;
revoke role role_test1 from user jayliu;
-- give all privileges on a database to a role, and the role to the user
grant all on database user_lisi to role role_lisi;
grant role role_lisi to user lisi;
-- or give the database privileges directly to the user
grant all on database user_lisi to user lisi;
revoke all on database default from user lisi;
show grant user lisi on database user_lisi;
```
HIVE supports the following permissions:

| Permission | Meaning |
|---|---|
| ALL | All permissions |
| ALTER | Allows modifying the object's metadata (the table definition) |
| UPDATE | Allows modifying the object's physical data (the actual rows) |
| CREATE | Allows the CREATE operation |
| DROP | Allows the DROP operation |
| INDEX | Allows index building (not yet implemented) |
| LOCK | Allows LOCK and UNLOCK operations under concurrent use |
| SELECT | Allows users to perform SELECT operations |
| SHOW_DATABASE | Allows users to view the available databases |
View permissions:
```sql
SHOW GRANT principal_specification [ON object_type priv_level [(column_list)]]
```
Relationship between HIVE operations and permissions
As of the release of Hive 0.7, only these operations require permissions, according to org.apache.hadoop.hive.ql.plan.HiveOperation:
| Operation | ALTER | UPDATE | CREATE | DROP | INDEX | LOCK | SELECT | SHOW_DATABASE |
|---|---|---|---|---|---|---|---|---|
| LOAD |  | √ |  |  |  |  |  |  |
| EXPORT |  |  |  |  |  |  | √ |  |
| IMPORT | √ | √ |  |  |  |  |  |  |
| CREATE TABLE |  |  | √ |  |  |  |  |  |
| CREATE TABLE AS SELECT |  |  | √ |  |  |  | √ |  |
| DROP TABLE |  |  |  | √ |  |  |  |  |
| SELECT |  |  |  |  |  |  | √ |  |
| ALTER TABLE ADD COLUMN | √ |  |  |  |  |  |  |  |
| ALTER TABLE REPLACE COLUMN | √ |  |  |  |  |  |  |  |
| ALTER TABLE RENAME | √ |  |  |  |  |  |  |  |
| ALTER TABLE ADD PARTITION |  |  | √ |  |  |  |  |  |
| ALTER TABLE DROP PARTITION |  |  |  | √ |  |  |  |  |
| ALTER TABLE ARCHIVE |  | √ |  |  |  |  |  |  |
| ALTER TABLE UNARCHIVE |  | √ |  |  |  |  |  |  |
| ALTER TABLE SET PROPERTIES | √ |  |  |  |  |  |  |  |
| ALTER TABLE SET SERDE | √ |  |  |  |  |  |  |  |
| ALTER TABLE SET SERDEPROPERTIES | √ |  |  |  |  |  |  |  |
| ALTER TABLE CLUSTER BY | √ |  |  |  |  |  |  |  |
| ALTER TABLE PROTECT MODE | √ |  |  |  |  |  |  |  |
| ALTER PARTITION PROTECT MODE | √ |  |  |  |  |  |  |  |
| ALTER TABLE SET FILEFORMAT | √ |  |  |  |  |  |  |  |
| ALTER TABLE SET LOCATION |  | √ |  |  |  |  |  |  |
| ALTER PARTITION SET LOCATION |  | √ |  |  |  |  |  |  |
| ALTER TABLE CONCATENATE |  | √ |  |  |  |  |  |  |
| ALTER PARTITION CONCATENATE |  | √ |  |  |  |  |  |  |
| SHOW DATABASE |  |  |  |  |  |  |  | √ |
| LOCK TABLE |  |  |  |  |  | √ |  |  |
| UNLOCK TABLE |  |  |  |  |  | √ |  |  |
Automatic authorization
The property hive.security.authorization.createtable.owner.grants sets the privileges the creator of a table automatically receives on it; in this example, select and drop.
```xml
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>select,drop</value>
</property>
```
Similarly, specific users can be granted privileges automatically whenever a table is created.
```xml
<property>
  <name>hive.security.authorization.createtable.user.grants</name>
  <value>admin,hive:select;user1:create</value>
</property>
```
With this setting, whenever a table is created, the administrator admin1 and the user edward are granted select (read) permission on it, while user1 is granted only create.
The same configuration applies to group authorization and role authorization through the properties `hive.security.authorization.createtable.group.grants` and `hive.security.authorization.createtable.role.grants`.