Shulou (Shulou.com) 06/02 Report. Updated 2025-01-18.
This article explains how to use Sentry in Hue.
1. Purpose of this document
This document describes how to manage Sentry permissions through Hue. You will learn the following:
1. How to create a user using Hue
2. How to use Hue to grant superuser permissions to the hive user group
3. How to use Hue to verify authorization
The document is divided into the following steps:
1. Create test users using Hue
2. Authorize the hive group as an administrator
3. Create roles and verify authorization
4. Remarks
This document focuses on how to use Hue to manage Sentry permissions, based on the following assumptions:
1. The CDH cluster is running normally
2. The cluster has Kerberos enabled
3. The cluster has the Sentry service installed and integrated with the HDFS/Hive/Impala/Hue services
The following is the test environment; it is not a hard requirement for this manual:
1. Operating system: CentOS 6.5
2. CDH and CM version 5.12.1
3. Operations are performed as the root user
4. The Hue administrator account is admin.
2. Create users in Hue
Using the Hue administrator, create the users hive/fayson_d/fayson_a/fayson_c/fayson_h. The hive user belongs to the hive group, and each of the other users belongs to a group with the same name as the user.
Note: make sure that the above users exist on all nodes in the cluster.
1. Log in to Hue using the admin user
2. Enter user management and create the hive group
Click "Add group" to save the newly created group
3. Create the users (creation of the hive user is shown as an example)
3. Authorize the hive group as an administrator
1. Log in to Hue using the hive user
2. Click the menu in the upper left corner of Hue to enter the Security interface
3. Create the administrator role admin and grant it to the hive group
Click "Click here to add some" on the right.
Click Save to show the roles that hold privileges on server1
Click the refresh button to check whether the permission has taken effect
The hive user can view all databases and tables under server1
4. Create roles and authorize authentication
4.1 Database-level authorization
Use the hive user to create a role dread with read-only (SELECT) permission on the default database, and grant it to the fayson_d user group. Users in this group have only SELECT permission, not INSERT permission, on all tables under the default database.
Add roles and authorize
Click Save and view
4.2 Database authorization verification
Log in to Hue using the fayson_d user, and you can see all the tables under default
Hive verification
Select, count, and insert operations on the test table
Read-only permission, so the INSERT operation failed
Select, count, and insert operations on the test_hive_delimiter table
Impala verification
Select, count, and insert operations on the test table
Select, count, and insert operations on the test_hive_delimiter table
File Browser verification
No permission to access the data directory of the fayson database under the /warehouse directory
The test table is an internal table and its data directory is /user/hive/warehouse/test
You can view the data files of the test table
The test_hive_delimiter table is an external table and its data directory is /fayson/test_hive_delimiter
You can view the data files in the /fayson/test_hive_delimiter directory
No permission to edit the data files
Conclusion: the fayson_d user can use Hive/Impala to view all the tables under the default database, but has no INSERT permission, so inserting into the tables fails. In the corresponding HDFS directories, the user can view all directories and the contents of the files, but cannot modify the files. This shows that Sentry synchronizes HDFS ACLs.
4.3 Table-level authorization
Use the hive user to create a role testall with ALL permissions on the test table under the default database, and grant it to the fayson_a user group. All users in this user group can SELECT from and INSERT into the default.test table.
Create roles and authorize
Click Save and view
4.4 Table Authorization Verification
Log in to Hue using fayson_a, and you can see the test table under the default library
Hive verification
You can perform select, count and insert operations on the test table
Impala verification
You can perform select, count and insert operations on the test table
File Browser verification
You can browse the /user/hive/warehouse directory
You can view the data files in the /user/hive/warehouse/test directory
You can upload data files to the /user/hive/warehouse/test directory
Data files can be deleted
Conclusion: the fayson_a user can use Hive/Impala to view tables under the default database and perform insert operations. In the corresponding HDFS directories, the user can view all directories, view the contents of files, and upload new files. This shows that Sentry synchronizes HDFS ACLs.
4.5 Column-level authorization
Use the hive user to create a role testcolumn with read-only (SELECT) permission on the S1 column of the test table, and grant it to the fayson_c user group. All users in this user group have only SELECT permission on the S1 column of the test table.
Add roles and authorize
Click Save and view
4.6 Column authorization verification
Log in to Hue using fayson_c, and you can see the test table under the default database
Hive verification
Select, count, and insert operations on the test table
Because only the S1 column has SELECT permission, you cannot select all columns (*)
You can only view columns you have permission on
count is possible only on the column with permission
Unable to insert new data
Impala verification
Select, count, and insert operations on the test table
Because only the S1 column has SELECT permission, you cannot select all columns (*)
You can only view columns you have permission on
count is possible only on the column with permission
Unable to insert new data
File Browser verification
No permission to access the /user/hive/warehouse/test directory
Conclusion: the fayson_c user can only view the S1 column of the test table using Hive/Impala; select * on the whole table and insert operations are not possible. In HDFS, the corresponding directories and files cannot be viewed, and new files cannot be uploaded. This shows that Sentry synchronizes HDFS ACLs.
4.7 HDFS URI authorization
Use the hive user to create the role hdfsall and grant it to the fayson_h user group
Grant the hdfsall role all (ALL) permissions on the fayson database
Grant the hdfsall role all (ALL) permissions on the HDFS directory /fayson_data/test_hive
All users in this user group have all permissions on the fayson database and on the /fayson_data/test_hive directory. External tables created under the fayson database can only point to the /fayson_data/test_hive directory.
Create roles and authorize
Click Save to view the created roles
4.8 HDFS URI authorization verification
Authorization verification
Use the fayson_h user to log in to Hue; the fayson database is visible
Create an external table under the fayson database by executing the following statement
create external table test_hive (id int, name string, address string) row format delimited fields terminated by ',' stored as textfile location '/fayson_data/test_hive';
Table created successfully
Drop the test_hive table
Insert data into the test_hive table
Use the hive user to remove the HDFS authorization and test again
Use the fayson_h user to create the table again under the fayson database; the table creation fails.
File Browser verification
Access the fayson database data directory /user/hive/warehouse/fayson.db
Access the external table data directory /fayson_data/test_hive
Cannot upload data files to the external table data directory
No permission to delete files under the external table data directory
Access the internal table data directory /user/hive/warehouse/fayson.db/test
You can upload data to the /user/hive/warehouse/fayson.db/test data directory
You can delete the data files in the /user/hive/warehouse/fayson.db/test directory
Test summary:
The fayson_h user has all permissions on the fayson database. If no location is specified in create table test_hive, the default data directory is /user/hive/warehouse/fayson.db/test_hive. When creating an external table, such as create external table test_hivexxx location /fayson_data/test_hive, the table cannot be created unless the ALL permission on the /fayson_data/test_hive directory has been granted to fayson_h.
Note: in the above tests, data cannot be inserted into the external table.
5. Remarks
The above operations are performed through the Hue interface. Because Kerberos is enabled in the cluster, command-line use requires a Kerberos account for each of the above users; otherwise the command line cannot be used normally.
Sentry's URI authorization is mainly used to grant non-hive users access to the HDFS data directory when creating external tables. A Sentry-authorized URI can point either to the data directory of an external table or to its parent directory, in which case every subdirectory under the parent can serve as an external table data directory.
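The roles built through the Hue Security interface in sections 3 and 4 can also be written as Sentry SQL statements, which is the form they take on the command line mentioned in the remarks. The following is an added example, not part of the original article: the nameservice nameservice1 in the URI is an assumed placeholder, and the statements assume a beeline session opened by a user in a Sentry admin group (hive here) holding a Kerberos ticket.

```sql
-- Added example: SQL equivalents of the roles created in the Hue UI.
-- Role, group, database and table names are the ones used in this article.

-- Section 3: superuser role for the hive group. ALL ON SERVER covers every
-- database, table and URI, so keep membership of this group small.
CREATE ROLE admin;
GRANT ALL ON SERVER server1 TO ROLE admin;
GRANT ROLE admin TO GROUP hive;

-- Section 4.1: read-only on every table of the default database
CREATE ROLE dread;
GRANT SELECT ON DATABASE default TO ROLE dread;
GRANT ROLE dread TO GROUP fayson_d;

-- Section 4.3: ALL on the single table default.test
USE default;
CREATE ROLE testall;
GRANT ALL ON TABLE test TO ROLE testall;
GRANT ROLE testall TO GROUP fayson_a;

-- Section 4.5: SELECT on one column only (written S1 in the article)
CREATE ROLE testcolumn;
GRANT SELECT(s1) ON TABLE test TO ROLE testcolumn;
GRANT ROLE testcolumn TO GROUP fayson_c;

-- Section 4.7: ALL on the fayson database plus the one HDFS location that
-- external tables may point to. nameservice1 is an assumed placeholder.
CREATE ROLE hdfsall;
GRANT ALL ON DATABASE fayson TO ROLE hdfsall;
GRANT ALL ON URI 'hdfs://nameservice1/fayson_data/test_hive' TO ROLE hdfsall;
GRANT ROLE hdfsall TO GROUP fayson_h;

-- Review what was granted before handing the accounts to users
SHOW ROLES;
SHOW ROLE GRANT GROUP fayson_d;
SHOW GRANT ROLE testcolumn;
SHOW GRANT ROLE hdfsall;

-- Retest from the HDFS URI verification: after this revoke, fayson_h can no
-- longer create an external table at that location.
REVOKE ALL ON URI 'hdfs://nameservice1/fayson_data/test_hive' FROM ROLE hdfsall;
```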