Apache Ranger 2.4.0 集成Hive 3.x(Kerbos)

一、解压tar包

tar zxvf ranger-2.4.0-hive-plugin.tar.gz

二、修改install.propertis

POLICY_MGR_URL=http://localhost:6080

REPOSITORY_NAME=hive_repo

COMPONENT_INSTALL_DIR_NAME=/BigData/run/hive

CUSTOM_USER=hadoop

三、进行enable

[root@tv3-hadoop-01 ranger-2.4.0-hive-plugin]# ./enable-hive-plugin.sh

看到下面的内容后，已经初始化完毕，需要重启meta和hive服务

Ranger Plugin for hive has been enabled. Please restart hive to ensure that changes are effective.

nohup hive --service metastore &

nohup hive --service hiveserver2 &

四、验证服务状态

服务正常，但是权限已经受到管控，需要进行授权

[hadoop@tv3-hadoop-01 ~]$ beeline
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/home/hadoop/gf13871/apache-hive-3_1_3/lib/log4j-slf4j-impl-2.17.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/BigData/install/hadoop-3.3.1/share/hadoop/common/lib/slf4j-log4j12-1.7.30.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Beeline version 3.1.3 by Apache Hive
beeline> !connect jdbc:hive2://tv3-hadoop-01:10000/default;principal=hadoop/tv3-hadoop-01@AB.ELONG.COM
Connecting to jdbc:hive2://tv3-hadoop-01:10000/default;principal=hadoop/tv3-hadoop-01@AB.ELONG.COM
Connected to: Apache Hive (version 3.1.3)
Driver: Hive JDBC (version 3.1.3)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://tv3-hadoop-01:10000/default> show tables;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hadoop] does not have [USE] privilege on [default] (state=42000,code=40000)
0: jdbc:hive2://tv3-hadoop-01:10000/default> 

五、Ranger 授权

六、相关报错

6.1 测试连接时出现下面报错(待解决）

org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [show databases like "*"]..
Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [rangerlookup] does not have [USE] privilege on [Unknown resource!!].
Permission denied: user [rangerlookup] does not have [USE] privilege on [Unknown resource!!].