2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Sentry is an RPC service that stores authorization metadata in a relational database and exposes an RPC interface for retrieving and manipulating permissions. It supports secure access with Kerberos. The Sentry service only stores and serves this authorization metadata from its backend database; it does not itself enforce permissions. When Hive, Impala and other services are configured to use Sentry for authorization, they act only as clients of Sentry, and the enforcement happens inside those services.
The earliest Sentry releases configured permissions through a policy file; over successive versions this has moved to storing permission roles in a relational database. The new Sentry service handles user permissions more easily than the old policy file and manages them with the familiar GRANT/REVOKE statements.
The policy file used by earlier versions of Sentry:
    [groups]
    manager = customers_insert_role, customers_select_role
    analyst = customers_select_role
    [roles]
    customers_insert_role = server=server1->db=customers->table=*->action=insert
    customers_select_role = server=server1->db=customers->table=*->action=select
Sentry version history:
Sentry with policy files was added in CDH 5.1.0.
Sentry with config support was added in CDH 5.5.0.
The database-backed Sentry service was added in CDH 5.8.0.
Basic terms in Sentry:
1. object: an object protected by Sentry authorization rules, including server, database, table, URI, collection, and config.
2. role: a set of access rules for a given object.
3. privilege: an action such as INSERT, SELECT or UPDATE.
4. user: an authenticated system user who can access the Sentry service. A user can be a Kerberos principal, an LDAP user ID, or an identity from another authentication system.
5. group: a collection of one or more users. In Sentry, roles are assigned to groups, so a group is the unit that holds a role.
6. group provider: the configured provider that determines which groups a user belongs to. The current release supports HDFS-backed groups and locally configured groups.
Privileges and the objects they apply to:
    Privilege   Object
    INSERT      DB, TABLE
    SELECT      SERVER, DB, TABLE, COLUMN
    UPDATE      COLLECTION, CONFIG
    QUERY       COLLECTION, CONFIG
    ALL         SERVER, TABLE, DB, URI, COLLECTION, CONFIG
Sentry permission model:
Sentry uses a role-based permission model with the following characteristics:
1. All users may execute SHOW FUNCTIONS, SHOW LOCKS and similar statements.
2. Users see only the tables, databases, collections, configs, etc. on which they hold a permission.
3. HiveQL operations such as LOAD and IMPORT require the user to hold the permission on the corresponding URI.
4. A permission granted on a URI is inherited recursively by its subdirectories, so it is enough to grant the permission on a parent directory.
5. CDH 5.5 introduces column-level access control. In earlier versions, access had to be restricted at column level by creating a view that exposes only the permitted columns and granting access to the view.
Tips
When Sentry is used with Hive, queries must be executed through Beeline; Sentry is not supported in the Hive CLI.
Hierarchical structure of objects in Hive on Sentry
Permissions can be granted to objects at different levels of the hierarchy; a permission given to an object is inherited by every object below it.
For example, if user A is granted SELECT on a DATABASE, user A has SELECT on every object under that DATABASE.
Correspondence between permission type and object:
    Privilege   Object
    INSERT      DB, TABLE
    SELECT      DB, TABLE, VIEW, COLUMN
    ALL         SERVER, TABLE, DB, URI
Permission levels
    Base object   Granular privilege on object   Container object containing the base object   Privilege on container that implies the privilege on the base object
    DATABASE      ALL                            SERVER                                        ALL
    TABLE         INSERT                         DATABASE                                      ALL
    TABLE         SELECT                         DATABASE                                      ALL
    COLUMN        SELECT                         DATABASE                                      ALL
    VIEW          SELECT                         DATABASE                                      ALL
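As an added example (not Sentry's own code), the following Python models the policy-file format shown earlier together with the inheritance rules of this hierarchy: it parses the [groups]/[roles] sections, resolves a user through a hypothetical user-to-group mapping, and checks whether a privilege held on a container object (server, db, table) covers an object beneath it while a table-level grant does not reach back up to its database. The user names, the user-to-group mapping, and the dba_role and orders_select_role entries are constructed for this example; real Sentry obtains group membership from a group provider.

```python
import configparser

LEVELS = ("server", "db", "table", "column")  # Hive hierarchy, outermost first

# Constructed policy file in the page's format; dba_role and orders_select_role
# are added here to exercise the inheritance rules.
POLICY = """
[groups]
manager = customers_insert_role, customers_select_role
analyst = customers_select_role
dba = dba_role
clerk = orders_select_role
[roles]
customers_insert_role = server=server1->db=customers->table=*->action=insert
customers_select_role = server=server1->db=customers->table=*->action=select
dba_role = server=server1->db=customers->action=all
orders_select_role = server=server1->db=customers->table=orders->action=select
"""

# Hypothetical group provider (user -> groups); real Sentry takes this from
# HDFS-backed or locally configured groups, never from the policy file.
USER_GROUPS = {"alice": {"manager"}, "bob": {"analyst"}, "carol": {"dba"}, "dave": {"clerk"}}


def parse_policy(text):
    """Parse [groups] and [roles] into (group -> roles, role -> privilege dicts),
    e.g. {'server': 'server1', 'db': 'customers', 'table': '*', 'action': 'insert'}.
    Comma-separated privileges per role are accepted (a generalisation)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep group and role names case-sensitive
    cp.read_string(text)  # each line is split at its first '=' only
    groups = {g: [r.strip() for r in v.split(",")] for g, v in cp["groups"].items()}
    roles = {r: [dict(kv.split("=", 1) for kv in p.strip().split("->"))
                 for p in spec.split(",")] for r, spec in cp["roles"].items()}
    return groups, roles


def privilege_covers(priv, action, obj):
    """True if one privilege grants `action` on `obj` (a dict of level -> name).
    A level the privilege omits or sets to '*' lies above its grant point, so the
    grant is inherited by everything beneath it; a level it names must match
    exactly, so a table-level grant never covers the database that contains it."""
    if priv["action"] not in ("all", action):  # ALL implies every action
        return False
    return all(priv.get(level, "*") in ("*", obj.get(level)) for level in LEVELS)


def is_authorized(user, action, obj, groups, roles, user_groups=USER_GROUPS):
    """Resolve user -> groups -> roles -> privileges; any one match authorizes."""
    return any(privilege_covers(priv, action, obj)
               for group in user_groups.get(user, ())
               for role in groups.get(group, ())
               for priv in roles.get(role, ()))
```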
Hive & Impala operation permission table
    Operation                                     | Scope                      | Privileges Required                 | URI
    CREATE DATABASE                               | SERVER                     | ALL                                 |
    DROP DATABASE                                 | DATABASE                   | ALL                                 |
    CREATE TABLE                                  | DATABASE                   | ALL                                 |
    DROP TABLE                                    | TABLE                      | ALL                                 |
    CREATE VIEW                                   | DATABASE; SELECT on TABLE  | ALL                                 |
        Note: allowed if you have column-level SELECT access to the columns being used.
    ALTER VIEW                                    | VIEW/TABLE                 | ALL                                 |
        Note: allowed if you have column-level SELECT access to the columns being used.
    DROP VIEW                                     | VIEW/TABLE                 | ALL                                 |
    ALTER TABLE.. ADD COLUMNS                     | TABLE                      | ALL                                 |
    ALTER TABLE.. REPLACE COLUMNS                 | TABLE                      | ALL                                 |
    ALTER TABLE.. CHANGE column                   | TABLE                      | ALL                                 |
    ALTER TABLE.. RENAME                          | TABLE                      | ALL                                 |
    ALTER TABLE.. SET TBLPROPERTIES               | TABLE                      | ALL                                 |
    ALTER TABLE.. SET FILEFORMAT                  | TABLE                      | ALL                                 |
    ALTER TABLE.. SET LOCATION                    | TABLE                      | ALL                                 | URI
    ALTER TABLE.. ADD PARTITION                   | TABLE                      | ALL                                 |
    ALTER TABLE.. ADD PARTITION location          | TABLE                      | ALL                                 | URI
    ALTER TABLE.. DROP PARTITION                  | TABLE                      | ALL                                 |
    ALTER TABLE.. PARTITION SET FILEFORMAT        | TABLE                      | ALL                                 |
    SHOW CREATE TABLE                             | TABLE                      | SELECT/INSERT                       |
    SHOW PARTITIONS                               | TABLE                      | SELECT/INSERT                       |
    SHOW TABLES                                   | TABLE                      | SELECT/INSERT                       |
        Note: output includes all tables for which the user has table-level privileges and all tables for which the user has some column-level privileges.
    SHOW GRANT ROLE                               | TABLE                      | SELECT/INSERT                       |
        Note: output includes an additional field for any column-level privileges.
    DESCRIBE TABLE                                | TABLE                      | SELECT/INSERT                       |
        Note: output shows all columns if the user has table-level privileges or SELECT privilege on at least one table column.
    LOAD DATA                                     | TABLE                      | INSERT                              | URI
    SELECT                                        | VIEW/TABLE; COLUMN         | SELECT                              |
        Note: you can grant the SELECT privilege on a view to give users access to specific columns of a table they do not otherwise have access to. See Column-level Authorization for details on allowed column-level operations.
    INSERT OVERWRITE TABLE                        | TABLE                      | INSERT                              |
    CREATE TABLE.. AS SELECT                      | DATABASE; SELECT on TABLE  | ALL                                 |
        Note: allowed if you have column-level SELECT access to the columns being used.
    USE                                           | Any                        |                                     |
    CREATE FUNCTION                               | SERVER                     | ALL                                 |
    ALTER TABLE.. SET SERDEPROPERTIES             | TABLE                      | ALL                                 |
    ALTER TABLE.. PARTITION SET SERDEPROPERTIES   | TABLE                      | ALL                                 |

    Hive-only operations
    INSERT OVERWRITE DIRECTORY                    | TABLE                      | INSERT                              | URI
    ANALYZE TABLE                                 | TABLE                      | SELECT + INSERT                     |
    IMPORT TABLE                                  | DATABASE                   | ALL                                 | URI
    EXPORT TABLE                                  | TABLE                      | SELECT                              | URI
    ALTER TABLE TOUCH                             | TABLE                      | ALL                                 |
    ALTER TABLE TOUCH PARTITION                   | TABLE                      | ALL                                 |
    ALTER TABLE.. CLUSTERED BY SORTED BY          | TABLE                      | ALL                                 |
    ALTER TABLE.. ENABLE/DISABLE                  | TABLE                      | ALL                                 |
    ALTER TABLE.. PARTITION ENABLE/DISABLE        | TABLE                      | ALL                                 |
    ALTER TABLE.. PARTITION.. RENAME TO PARTITION | TABLE                      | ALL                                 |
    MSCK REPAIR TABLE                             | TABLE                      | ALL                                 |
    ALTER DATABASE                                | DATABASE                   | ALL                                 |
    DESCRIBE DATABASE                             | DATABASE                   | SELECT/INSERT                       |
    SHOW COLUMNS                                  | TABLE                      | SELECT/INSERT                       |
        Note: output filters out columns to which the user does not have explicit SELECT access.
    CREATE INDEX                                  | TABLE                      | ALL                                 |
    DROP INDEX                                    | TABLE                      | ALL                                 |
    SHOW INDEXES                                  | TABLE                      | SELECT/INSERT                       |
    GRANT PRIVILEGE                               | Allowed only for Sentry admin users
    REVOKE PRIVILEGE                              | Allowed only for Sentry admin users
    SHOW GRANT                                    | Allowed only for Sentry admin users
    SHOW TBLPROPERTIES                            | TABLE                      | SELECT/INSERT                       |
    DESCRIBE TABLE.. PARTITION                    | TABLE                      | SELECT/INSERT                       |
    ADD JAR                                       | Not allowed
    ADD FILE                                      | Not allowed
    DFS                                           | Not allowed

    Impala-only operations
    EXPLAIN                                       | TABLE; COLUMN              | SELECT                              |
    INVALIDATE METADATA                           | SERVER                     | ALL                                 |
    INVALIDATE METADATA ..                        | TABLE                      | SELECT/INSERT                       |
    REFRESH .. or REFRESH .. PARTITION (..)       | TABLE                      | SELECT/INSERT                       |
    DROP FUNCTION                                 | SERVER                     | ALL                                 |
    COMPUTE STATS                                 | TABLE                      | ALL                                 |
Managing Sentry through Hue: http://10120275.blog.51cto.com/10110275/1956777