Information security practitioner ^_^
A fat guy in information science who has not yet gotten started (email: tenghm1986@163.com)
Hive permissions
2019-09-23 11:14:18
heming
# 0. References

[1] [Ambari + Hive + HDFS permission and authentication configuration](https://blog.csdn.net/yrg5101/article/details/88837468)

[2] [LanguageManual Authorization](https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization)

# 1. Use cases

There are two main use cases:

1. Hive as a table storage layer
   - this is the use case for users of Hive's HCatalog API
   - these users `have direct access` to `HDFS` and the `metastore` server
   - HDFS access is authorized through the use of HDFS permissions
   - metadata access needs to be authorized using Hive configuration

   HCatalog is a table and storage management layer for Hadoop that lets users with different data processing tools (Pig, MapReduce) read and write the same tables.

2. Hive as a SQL query engine
   - the most common use case of Hive (Hive as seen by SQL users and BI tools)
   - two subcategories:
     - **a**. Hive command line users (example: hive cli, which is now obsolete); these users have `direct access` to `HDFS` and the `Hive metastore`
     - **b**. ODBC/JDBC and other HiveServer2 API users (example: Beeline); for these users all `data` and `metadata` access happens through HiveServer2. They `don't have` direct access to `HDFS or the metastore`

# 2. Overview of Authorization Modes

## 2.1 Storage Based Authorization in the metastore server

- In cases 1 and 2a the users have direct access to the data, so `Hive configuration cannot control the data access.`
- The HDFS permissions act as one source of truth for table storage access.
- Configuration: [Storage Based Authorization in the Metastore Server](https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server)
- It controls metadata access on databases, tables and partitions according to the permissions on the corresponding file system directories.
- To also cover case 2b, `the queries must run as the end user` (the `hive.server2.enable.doAs` option should be `true` in the HiveServer2 configuration).

## 2.2 SQL Standards Based Authorization in HiveServer2

Storage based authorization provides access control at the database/table/partition level, but because it is based on file system directories it cannot go finer than that. SQL Standards Based Authorization provides finer-grained access control, for example on columns and views. [SQL Standards Based Authorization](https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization) needs to be enabled through the HiveServer2 configuration. In case 2a users can access HDFS and the metastore directly, so they can simply bypass SQL Standards Based Authorization.

## 2.3 Authorization using Apache Ranger & Sentry

[Apache Ranger](http://ranger.apache.org/) and [Apache Sentry](https://sentry.apache.org/) use `plugins` provided by Hive to do authorization. Ranger has dynamic row and column level access control (including `column masking`) based on runtime attributes.

## 2.4 Old default Hive Authorization (Legacy Mode)

Before Hive 2.0.0 the old default Hive authorization was the default. It is not a complete access control mechanism and leaves many security gaps. It is very similar to SQL Standards Based Authorization, since both use grant/revoke, but the two are not compatible.

# 3. Storage Based Authorization in the Metastore Server

## 3.1 The need for metastore server security

Many clients can reach the metastore's backing database, and the connection credentials can be obtained from hive-site.xml, so an attacker or an incompetent user could do serious damage to the metadata even though the underlying data is protected by HDFS access controls. Accessing the metadata storage through thrift does not guarantee security either.

## 3.2 Storage Based Authorization

Storage based authorization uses the file system permissions for folders. Use of storage based authorization in the metastore is recommended. Starting in Hive 0.14, storage based authorization also authorizes read privilege on databases and tables.

## 3.3 Configuration Parameters for Metastore Security

|key|value|comments|
|:--|:--|:--|
|hive.metastore.pre.event.listeners|org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener|turns on metastore-side security|
|hive.security.metastore.authorization.manager|org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider|which metastore-side authorization provider to use. Default: DefaultHiveMetastoreAuthorizationProvider, which implements the standard Hive grant/revoke model; to use the HDFS permission model for authorization, use `StorageBasedAuthorizationProvider`|
|hive.security.metastore.authenticator.manager|org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator||
|hive.metastore.authorization.storage.checks|true|hive metastore authorization also checks for read access|

# 4. SQL Standard Based Hive Authorization

## 4.1 Status of Hive authorization before Hive 0.13

Legacy authorization was not designed to keep out malicious users: the grant statement does not support authorization for many operations, and the authorization check happens at the SQL `compilation` stage on the client side, so it can be bypassed to run dfs commands, UDFs and shell commands. `Storage` based `authorization`, commonly used to add authorization to the `metastore server API`, can be used for client-side security checks and can keep out malicious users, but it is not fine-grained enough (no row or column permissions).

## 4.2 SQL Standard Based Hive Authorization (New in Hive 0.13)

It can be used together with storage based authorization on the metastore server. Under this authorization model, users who have access to the Hive CLI, HDFS commands, the Pig command line or the `hadoop jar` command are considered privileged users. Most users such as business analysts tend to use SQL and ODBC/JDBC through HiveServer2, and their access can be controlled using this authorization model.

## 4.3 Restrictions on Hive Commands and Statements

- Commands such as dfs, add, delete, compile and reset are disabled when this authorization is enabled.
- Add/drop functions and macros are restricted to the `admin` role.
- The admin role can run commands to create these functions, which all users can then use.
- SQL Standard Based Authorization disallows TRANSFORM:

```sql
FROM (
  FROM pv_users
  MAP pv_users.userid, pv_users.date
  USING 'map_script'
  AS dt, uid
  CLUSTER BY dt) map_output
INSERT OVERWRITE TABLE pv_users_reduced
  REDUCE map_output.dt, map_output.uid
  USING 'reduce_script'
  AS date, count;

FROM (
  FROM pv_users
  SELECT TRANSFORM(pv_users.userid, pv_users.date)
  USING 'map_script'
  AS dt, uid
  CLUSTER BY dt) map_output
INSERT OVERWRITE TABLE pv_users_reduced
  SELECT TRANSFORM(map_output.dt, map_output.uid)
  USING 'reduce_script'
  AS date, count;
```
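As an added example (not from the original post or from the Hive project), the following Python script audits a hive-site.xml against the storage based authorization settings of section 3.3 and the `hive.server2.enable.doAs` requirement of section 2.1; the sample hive-site.xml is constructed here and deliberately leaves the default authorization provider in place, omits the read-access check and turns doAs off.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml with one wrong, one missing and one disabled setting.
SAMPLE_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hive.metastore.pre.event.listeners</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value></property>
  <property><name>hive.security.metastore.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider</value></property>
  <property><name>hive.security.metastore.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value></property>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
</configuration>
"""

# Expected values for storage based authorization in the metastore (section 3.3),
# plus doAs so that HiveServer2 (case 2b) queries run as the end user (section 2.1).
EXPECTED = {
    "hive.metastore.pre.event.listeners":
        "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener",
    "hive.security.metastore.authorization.manager":
        "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider",
    "hive.security.metastore.authenticator.manager":
        "org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator",
    "hive.metastore.authorization.storage.checks": "true",
    "hive.server2.enable.doAs": "true",
}

def parse_hive_site(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit_storage_based_authz(props):
    """Return (key, found, expected) for each setting that is missing or wrong."""
    findings = []
    for key, expected in EXPECTED.items():
        found = props.get(key)
        if key == "hive.metastore.pre.event.listeners":
            # the listeners value is a comma separated list; the authz listener only has to be present
            ok = found is not None and expected in [s.strip() for s in found.split(",")]
        else:
            ok = found is not None and found.lower() == expected.lower()
        if not ok:
            findings.append((key, found, expected))
    return findings

if __name__ == "__main__":
    for key, found, expected in audit_storage_based_authz(parse_hive_site(SAMPLE_HIVE_SITE)):
        print(f"{key}: found={found!r}, expected={expected!r}")
```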