Shulou (Shulou.com), 05/31 report. Updated 2025-01-29; from SLTechnology News&Howtos.
This article introduces how to use Hadoop Sentry. Many people have questions about how to use Hadoop Sentry in daily operation, so the editor consulted a range of materials and compiled a simple, easy-to-follow procedure that should help answer them.
What is Sentry?
Sentry is an open source Hadoop component released by Cloudera, which provides fine-grained role-based security control.
Data access and Authorization under Sentry
With the introduction of Sentry, Hadoop can now meet the RBAC (role-based access control) needs of business and government users in the following areas:
Security authorization: Sentry can control data access and provide data access privileges to authenticated users.
Fine-grained access control: Sentry supports fine-grained access control over Hadoop data and metadata. In its initial release for Hive and Impala, Sentry provides different privilege levels at the server, database, table, and view scope, including queries, inserts, and so on, which lets administrators use views to restrict access to rows or columns. Administrators can also mask data within files as needed by combining Sentry with views that use select statements or UDFs.
Role-based management: Sentry simplifies management through role-based authorization, so you can easily grant multiple groups different privilege levels on the same dataset. For example, for a particular dataset, you can give the anti-fraud team the privilege to view all columns, give analysts the privilege to view non-sensitive or non-PII (personally identifiable information) columns, and give the data ingest stream the privilege to insert new data into HDFS.
Multi-tenant management: Sentry allows you to delegate permission management for different datasets to different administrators. In the case of Hive/Impala, Sentry can manage permissions at the database/schema level.
Unified platform: Sentry provides a unified platform for securing data and relies on the existing Hadoop Kerberos setup for authentication. The same Sentry policy applies whether data is accessed through Hive or Impala. In the future, the Sentry policy will be extended to other components.
Sentry architecture
The figure shows the basic architecture of Sentry. Sentry currently supports Hive (through HiveServer2's thrift-based RPC interface) and Impala. However, Sentry is highly modular and extensible, and it can be extended to other Hadoop-based applications. The authorization core of Sentry is divided into two parts: the binding layer (Hive bindings and Impala bindings) and the core authorization provider (Policy engine and Policy abstractions). The binding layer provides a pluggable interface for talking to the policy engine. The Policy engine works with the bindings to evaluate and verify access requests and, if access is allowed, the underlying data is accessed through the Policy abstractions.
At present, a file-based provider has been implemented that understands a specific policy file format. Policy files can be stored in the local file system or in HDFS for replication and auditing.
How to use Sentry in Hive
Sentry can be used with CDH 4.4 and above and Impala 1.1 and above.
Note: if both Hive and Impala exist in the cluster, then when Sentry is enabled it must be in effect for both Hive and Impala at the same time.
Before configuring Sentry in Hive, make sure the following conditions are met:
The Hive warehouse path (/user/hive/warehouse, or the path configured as hive.metastore.warehouse.dir) must be owned by the hive user and the hive group.
Permissions on the warehouse directory must be:
770 on the directory itself (for example, /user/hive/warehouse)
770 on all subdirectories (for example, /user/hive/warehouse/mysubdir)
All files and directories should be owned by hive:hive
For example
$ sudo -u hdfs hdfs dfs -chmod -R 770 /user/hive/warehouse
$ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
Sentry uses a policy file to define access control for Hive. Create the policy file sentry-provider.ini as an HDFS file.
Note that the file must be owned by the hive user and the hive group, with permissions set to 640.
The default path is /user/hive/sentry
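A way to verify the ownership and mode conditions above from a recursive HDFS listing, as an added example that is not part of the original article or of Sentry. The listing is a constructed sample in the `hdfs dfs -ls -R` output layout, and the function name `audit` is hypothetical.

```python
import re

# Constructed sample listing (not taken from a real cluster).
SAMPLE_LISTING = """\
drwxrwx---   - hive hive          0 2014-01-10 09:00 /user/hive/warehouse
drwxrwxr-x   - hive hive          0 2014-01-10 09:00 /user/hive/warehouse/mysubdir
-rwxrwx---   3 etl  hive       2048 2014-01-10 09:05 /user/hive/warehouse/mysubdir/part-00000
-rw-r--r--   3 hive hive        512 2014-01-10 09:10 /user/hive/sentry/sentry-provider.ini
"""

# mode, replication, owner, group, size, date, time, path
LINE = re.compile(
    r"^([d-][rwxsStT-]{9})[+.]?\s+\S+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(.+)$")

def audit(listing, warehouse="/user/hive/warehouse", policy_dir="/user/hive/sentry"):
    """Return (path, problem) pairs for entries that break the stated conditions."""
    findings = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip "Found N items" headers and blank lines
        mode, owner, group, path = m.groups()
        is_dir, perms = mode[0] == "d", mode[1:]
        # Everything must be owned by hive:hive.
        if (owner, group) != ("hive", "hive"):
            findings.append((path, f"owner {owner}:{group}, expected hive:hive"))
        in_warehouse = path == warehouse or path.startswith(warehouse + "/")
        # 770 on the warehouse directory and all of its subdirectories.
        if in_warehouse and is_dir and perms != "rwxrwx---":
            findings.append((path, f"mode {perms}, expected rwxrwx--- (770)"))
        # 640 on policy files such as sentry-provider.ini.
        if path.startswith(policy_dir + "/") and not is_dir and perms != "rw-r-----":
            findings.append((path, f"mode {perms}, expected rw-r----- (640)"))
    return findings

if __name__ == "__main__":
    for path, problem in audit(SAMPLE_LISTING):
        print(f"{path}: {problem}")
```

On a cluster, the input would be the captured output of a recursive listing of the warehouse and policy directories.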
Policy file example:
Global policy file:
[groups]
admin_group = admin_role
dep1_admin = uri_role

[roles]
admin_role = server=server1
uri_role = hdfs:///ha-nn-uri/data

[databases]
db1 = hdfs://ha-nn-uri/user/hive/sentry/db1.ini
Per db policy file: (at hdfs://ha-nn-uri/user/hive/sentry/db1.ini):
[groups]
dep1_admin = db1_admin_role
dep1_analyst = db1_read_role

[roles]
db1_admin_role = server=server1->db=db1
db1_read_role = server=server1->db=db1->table=*->action=select
The [groups] section maps user groups to roles.
The [roles] section maps roles to privileges.
The [databases] section is optional and maps each database to its per-database policy file.
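To show how the group, role and privilege mappings in these policy files resolve to an allow or deny decision, here is an added example that is not Sentry's own code. It uses a simplified model in which a grant covers a request when it is a prefix of the request and `*` matches any value; the function names are hypothetical.

```python
# Policy text below is taken from the article's examples (global file trimmed to admin_role).
GLOBAL_INI = """
[groups]
admin_group = admin_role
[roles]
admin_role = server=server1
"""
DB1_INI = """
[groups]
dep1_admin = db1_admin_role
dep1_analyst = db1_read_role
[roles]
db1_admin_role = server=server1->db=db1
db1_read_role = server=server1->db=db1->table=*->action=select
"""

def parse_policy(text):
    """Parse an ini-style policy into {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # privileges contain '=' themselves
            current[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return sections

def parse_privilege(priv):
    """'server=server1->db=db1' -> [('server', 'server1'), ('db', 'db1')]"""
    pairs = (part.partition("=") for part in priv.split("->"))
    return [(k.strip().lower(), v.strip().lower()) for k, _, v in pairs]

def implies(granted, requested):
    """Simplified rule (assumption): a grant covers any request it is a prefix of."""
    g, r = parse_privilege(granted), parse_privilege(requested)
    if len(g) > len(r):
        return False
    return all(gk == rk and gv in ("*", rv) for (gk, gv), (rk, rv) in zip(g, r))

def authorize(policy_texts, group, request):
    """Resolve group -> roles -> privileges across the given policy files."""
    for policy in map(parse_policy, policy_texts):
        for role in policy.get("groups", {}).get(group, []):
            if any(implies(p, request) for p in policy.get("roles", {}).get(role, [])):
                return True
    return False  # default deny: no matching grant
```

With the article's db1.ini, dep1_analyst is allowed `action=select` on any table in db1 and denied `action=insert`, while dep1_admin is allowed both.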
This concludes the introduction to using Hadoop Sentry. Combining theory with practice is the best way to learn, so go and try it.