Hive has no super administrator: any user can run Grant/Revoke
Implement your own authorization hook class to make a chosen user the superuser.
For example, under the default legacy authorization any user can grant privileges to any other user:

```sql
grant select on table test2 to user hadoop;
```

How to implement a super administrator:
Create a project, import the Maven dependencies (Hive exec and Guava), then write the hook class.
```java
import com.google.common.base.Joiner;
import org.apache.hadoop.hive.ql.parse.*;
import org.apache.hadoop.hive.ql.session.SessionState;

public class HiveAdmin extends AbstractSemanticAnalyzerHook {
    // Users allowed to run the administrative statements listed below.
    private static String[] admins = {"hadoop"};

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast) throws SemanticException {
        switch (ast.getToken().getType()) {
            case HiveParser.TOK_CREATEDATABASE:
            case HiveParser.TOK_DROPDATABASE:
            case HiveParser.TOK_CREATEROLE:
            case HiveParser.TOK_DROPROLE:
            case HiveParser.TOK_GRANT:
            case HiveParser.TOK_REVOKE:
            case HiveParser.TOK_GRANT_ROLE:
            case HiveParser.TOK_REVOKE_ROLE:
            case HiveParser.TOK_CREATETABLE:
                // Resolve the user of the current session from its authenticator.
                String userName = null;
                if (SessionState.get() != null && SessionState.get().getAuthenticator().getUserName() != null) {
                    userName = SessionState.get().getAuthenticator().getUserName();
                }
                boolean isAdmin = false;
                for (String admin : admins) {
                    if (admin.equalsIgnoreCase(userName)) {
                        isAdmin = true;
                        break;
                    }
                }
                // Reject the statement before it is analyzed further.
                if (!isAdmin) {
                    throw new SemanticException(userName + " is not Admin, expected one of " + Joiner.on(",").join(admins));
                }
                break;
            default:
                break;
        }
        return ast;
    }
}
```
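As an added example (not the page's own code), a variant of the hook that reads the admin list from the `hive.users.in.admin.role` property instead of a hardcoded array, denies by default when the session user cannot be determined, matches usernames exactly, and logs every denial so it can be audited. The class name `ConfigDrivenAdminHook`, the helper method names and the use of slf4j are assumptions.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.ql.parse.*;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.util.*;

// Hypothetical variant of the HiveAdmin hook above (example code, not from the page).
public class ConfigDrivenAdminHook extends AbstractSemanticAnalyzerHook {
    private static final Logger LOG = LoggerFactory.getLogger(ConfigDrivenAdminHook.class);
    static final String ADMIN_KEY = "hive.users.in.admin.role";

    // Statement types only an admin may run (same set as the hook above).
    private static final Set<Integer> ADMIN_ONLY = new HashSet<>(Arrays.asList(
        HiveParser.TOK_CREATEDATABASE, HiveParser.TOK_DROPDATABASE,
        HiveParser.TOK_CREATEROLE, HiveParser.TOK_DROPROLE,
        HiveParser.TOK_GRANT, HiveParser.TOK_REVOKE,
        HiveParser.TOK_GRANT_ROLE, HiveParser.TOK_REVOKE_ROLE,
        HiveParser.TOK_CREATETABLE));

    // Parse "a, b ,c" into a set; usernames are compared exactly, as HDFS does.
    static Set<String> parseAdmins(String raw) {
        Set<String> admins = new HashSet<>();
        if (raw == null) return admins;
        for (String s : raw.split(",")) {
            String t = s.trim();
            if (!t.isEmpty()) admins.add(t);
        }
        return admins;
    }

    // Deny by default: a null/unknown user never gets an admin-only statement.
    static boolean isAllowed(int tokenType, String user, Set<String> admins) {
        return !ADMIN_ONLY.contains(tokenType) || (user != null && admins.contains(user));
    }

    @Override
    public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast) throws SemanticException {
        Configuration conf = context.getConf();
        Set<String> admins = parseAdmins(conf == null ? null : conf.get(ADMIN_KEY));
        String user = null;
        if (SessionState.get() != null && SessionState.get().getAuthenticator() != null) {
            user = SessionState.get().getAuthenticator().getUserName();
        }
        int type = ast.getToken().getType();
        if (!isAllowed(type, user, admins)) {
            LOG.warn("DENIED admin-only statement type {} for user {}; admins={}", type, user, admins);
            throw new SemanticException("User " + user + " is not an admin; expected one of " + admins);
        }
        return ast;
    }
}
```

Keeping `parseAdmins` and `isAllowed` free of Hive session state lets them be unit-tested without a running Hive, and the warn line gives the SOC a single log pattern to alert on.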
Next, package it and place the jar in Hive's lib folder:

```bash
chown hadoop. /soft/home/apache-hive-2.3.6-bin/lib/udf-test-1.0-SNAPSHOT.jar
```

Edit hive-site.xml, configure the class path of the hook you wrote, and set the superuser to hadoop:
```xml
<property>
  <name>hive.users.in.admin.role</name>
  <value>hadoop</value>
</property>
<property>
  <name>hive.metastore.execute.setugi</name>
  <value>false</value>
</property>
<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>Turn on authorization: enable or disable the hive client authorization</description>
</property>
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
  <description>The creator of a table gets all privileges on it: the privileges automatically granted to
  the owner whenever a table gets created. An example like "select,drop" will
  grant select and drop privilege to the owner of the table</description>
</property>
<property>
  <name>hive.security.authorization.task.factory</name>
  <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
  <description>Task factory used for authorization statements.</description>
</property>
<property>
  <name>hive.semantic.analyzer.hook</name>
  <value>com.bigdata.hive.security.HiveAdmin</value>
  <description>Use the hook to identify the super administrator and enforce authorization control.</description>
</property>
```
Restart the metastore, then try again to see whether an ordinary user can create a table.
Testing shows that the hadoop user can perform grant operations,
but the hive user cannot: