背景：1、Apache Sentry是Cloudera公司发布的一个Hadoop开源组件，它提供了细粒度级、基于角色的授权以及多租户的管理模式，2、Sentry当前可以和Hive/Hcatalog、Apache Solr 和Cloudera Impala集成， 为这些组件提供权限管理服务。 3、基于角色的管理（role-based acess control）通过创建角色，将每个组件的权限授予给此角色，然后在用户(组)中添加此角色，用户便具备此角色访问组件的权限，4、使用sentry对hive进行权限管理时，这里的组件可以是整个server，也可以是单个db,或者单张table.

测试如下：1.1 查看全部数据库beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "show databases;"

我尝试的先创建一个库 报错如下：[hadoop@uhadoop-4wvgxxla-master2 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "create database test;"Transaction isolation: TRANSACTION_REPEATABLE_READError: Error while compiling statement: FAILED: SemanticException No valid privilegesUser hive does not have privileges for CREATEDATABASE 用户配置单元没有CREATEDATABASE的特权 The required privileges: Server=uhadoop-4wvgxxla-master1->action=create->grantOption=false; (state=42000,code=40000)Closing: 0: jdbc:hive2://uhadoop-4wvgxxla-master2:10000

1.2 查看全部角色beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "show roles;"Transaction isolation: TRANSACTION_REPEATABLE_READ+-------+| role |+-------++-------+No rows selected (1.151 seconds)Beeline version 2.3.3 by Apache HiveClosing: 0: jdbc:hive2://uhadoop-4wvgxxla-master2:10000// 用户角色为空

1.3 查看当前角色beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "show current roles;"Driver: Hive JDBC (version 2.3.3)Transaction isolation: TRANSACTION_REPEATABLE_READ+-------+| role |+-------++-------+No rows selected (0.446 seconds)Beeline version 2.3.3 by Apache HiveClosing: 0: jdbc:hive2://uhadoop-4wvgxxla-master2:10000// 显示当前没有任何的角色

1.4 查看当前用户beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "select current_user();"Driver: Hive JDBC (version 2.3.3)Transaction isolation: TRANSACTION_REPEATABLE_READ+-------+| _c0 |+-------+| hive |+-------+1 row selected (1.124 seconds)Beeline version 2.3.3 by Apache HiveClosing: 0: jdbc:hive2://uhadoop-4wvgxxla-master2:10000

// 当前操作hiveserver2的用户是hive

2.2 为admin角色授予全部server权限beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive // 进入到hiveserver2的内部之后执行如下：0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> grant all on server uhadoop-4wvgxxla-master1 to role admin;No rows affected (0.491 seconds)

2.3 为hive用户赋予admin角色//经过这一步，hive用户已经可以作为管理员用户执行全部数据和权限操作。beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "GRANT ROLE admin TO GROUP hive;"

create table student(Sno char(9) COMMENT '用户ID',Sname char(20) ,Ssex char(2),Sage int,Sdept char(20));

insert into student values(200215121,'李勇','男',20,'CS');

没有出现中文乱码的问题，请测验证方式需要：show create table xxx;desc xxx;desc formatted xxx;查看3种方式是不是都没有中文乱码的问题

// 创建测试表，并插入数据

beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "create table db1.t1(id string);"

beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "insert into db1.t1 values ('t1_001'),('t1_002');"

beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "create table db2.t2(id string);"

beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "insert into db2.t2 values ('t2_001'),('t2_002');"

0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> use db1;No rows affected (0.173 seconds)0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show tables;+-----------+| tab_name |+-----------+| t1 |+-----------+1 row selected (0.208 seconds)0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> select * from t1;+---------+| t1.id |+---------+| t1_001 || t1_002 |+---------+2 rows selected (0.294 seconds)

0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> select * from db2.t2;+---------+| t2.id |+---------+| t2_001 || t2_002 |+---------+2 rows selected (0.304 seconds)

3.2 master1,master2节点上创建linux测试用户user1, user2useradd -M -s /sbin/nologin user1

useradd -M -s /sbin/nologin user2

cat /etc/passwd user1:x:1004:1005::/home/user1:/sbin/nologinuser2:x:1005:1006::/home/user2:/sbin/nologin

3.3 hive中创建两个角色，分别授予不同的角色权限//创建角色role1, 授予其对db1的管理权限beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "CREATE ROLE role1;"beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "grant all on database db1 to role role1 with grant option;"

//创建角色role2, 授予其对db2的管理权限beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "CREATE ROLE role2;"beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "grant all on database db2 to role role2 with grant option;"

// show grant role role1; (查看role1角色的权限列表)// show grant role role2; (查看role2角色的权限列表)

0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show grant role role1;+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| db1 | | | | role1 | ROLE | | true | 1583739035000 | -- |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+1 row selected (0.215 seconds)0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show grant role role2;+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| db2 | | | | role2 | ROLE | | true | 1583739057000 | -- |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+1 row selected (0.119 seconds)0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show grant role admin;+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| | | | | admin | ROLE | | false | 1583737318000 | -- |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+1 row selected (0.131 seconds)

3.4 管理员用户登陆hive,为两个用户赋予不同的角色beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "GRANT ROLE role1 TO GROUP user1;"

beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n hive -e "GRANT ROLE role2 TO GROUP user2;"

// show role grant group user1 (查看user1的角色列表)// show role grant group user2（查看user2的角色列表）0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show role grant group user1;+--------+---------------+-------------+----------+| role | grant_option | grant_time | grantor |+--------+---------------+-------------+----------+| role1 | false | 0 | -- |+--------+---------------+-------------+----------+1 row selected (0.144 seconds)0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show role grant group user2;+--------+---------------+-------------+----------+| role | grant_option | grant_time | grantor |+--------+---------------+-------------+----------+| role2 | false | 0 | -- |+--------+---------------+-------------+----------+1 row selected (0.125 seconds)

4 使用user1, user2用户登陆，验证权限隔离//user1登陆，只能看到db1数据库beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user1 -e "show databases;"

// user2用户登陆，只能看到db2数据库beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "show databases;"

// 删除角色drop role role2;

角色权限撤销// 先查看角色当前授权信息show grant role role1;

// 将db1的操作权限从role1撤销revoke all on database db1 from role role1;

授权语句说明：角色授权和撤销GRANT ROLE role_name [, role_name] TO GROUP [,GROUP ]REVOKE ROLE role_name [, role_name] FROM GROUP [,GROUP ]

权限的授予和撤销GRANT [, ] ON TO ROLE [,ROLE ]REVOKE [, ] ON FROM ROLE [,ROLE ]

查看角色/组权限SHOW ROLES;SHOW CURRENT ROLES;SHOW ROLE GRANT GROUP ;SHOW GRANT ROLE ;SHOW GRANT ROLE on OBJECT ;

查看所有的角色0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show roles;+--------+| role |+--------+| admin || role1 || role2 |+--------+3 rows selected (0.12 seconds)

#将某个数据库读权限授予给某个roleGRANT SELECT ON DATABASE db_name TO ROLE role_name;

#将test 表的 S1 列的读权限授权给role_name （TABLE也可以不写）GRANT SELECT(s1) ON TABLE test TO ROLE role_name;

#test表的select 权限给 role_name 角色 GRANT SELECT ON TABLE test TO ROLE role_name;

例子：目前有2个用户user1 // 有db1下t1 表的所有权限user2 // 有db2下t2 表的所有权限

目前有角色+--------+| role |+--------+| admin | //所有库的最高权限 all | role1 | // 只有db1库的所有权限| role2 | // 只有db2库下的所有权限+--------+

0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show databases;+------------------------+| database_name |+------------------------+| db1 | | db2 || default || temp | | test_hive_ucloud10086 |+------------------------+

[hadoop@uhadoop-4wvgxxla-master1 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "select * from db2.t2;"Transaction isolation: TRANSACTION_REPEATABLE_READ+---------+| t2.id |+---------+| t2_001 || t2_002 |+---------+2 rows selected (0.631 seconds)Beeline version 2.3.3 by Apache Hive[hadoop@uhadoop-4wvgxxla-master1 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "insert into db2.t2 values ('t2_003'),('t2_004');"Connected to: Apache Hive (version 2.3.3)Driver: Hive JDBC (version 2.3.3)Transaction isolation: TRANSACTION_REPEATABLE_READNo rows affected (25.708 seconds)

再查询一次，ok 插入成功Transaction isolation: TRANSACTION_REPEATABLE_READ+---------+| t2.id |+---------+| t2_001 || t2_002 || t2_003 || t2_004 |+---------+4 rows selected (0.605 seconds)Beeline version 2.3.3 by Apache HiveClosing: 0: jdbc:hive2://uhadoop-4wvgxxla-master2:10000

接下来，我有个需求，我想把temp下的student表给user2开放首先user2对于的role2角色要有temp库的select权限然后再把temp库下的student表的select权限给到role2 这个角色那么user2属于role2 角色下 自然就有了temp下的student表的select权限

GRANT SELECT ON TABLE temp.student TO ROLE role2;

0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> GRANT SELECT ON TABLE temp.student TO ROLE role2; No rows affected (0.145 seconds)0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show role grant group user2;+--------+---------------+-------------+----------+| role | grant_option | grant_time | grantor |+--------+---------------+-------------+----------+| role2 | false | 0 | -- |+--------+---------------+-------------+----------+1 row selected (0.129 seconds)0: jdbc:hive2://uhadoop-4wvgxxla-master2:1000> show grant role role2;+-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |+-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+| db2 | | | | role2 | ROLE | * | true | 1583739057000 | -- || temp | student | | | role2 | ROLE | SELECT | false | 1583740481000 | -- |+-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+2 rows selected (0.125 seconds)

验证如下：[hadoop@uhadoop-4wvgxxla-master1 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "show databases;"Transaction isolation: TRANSACTION_REPEATABLE_READ+----------------+| database_name |+----------------+| db2 || default || temp |+----------------+3 rows selected (0.614 seconds)

[hadoop@uhadoop-4wvgxxla-master1 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "use temp;show tables;"No rows affected (0.476 seconds)+-----------+| tab_name |+-----------+| student |+-----------+1 row selected (0.282 seconds)Beeline version 2.3.3 by Apache Hive[hadoop@uhadoop-4wvgxxla-master1 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "select * from temp.student;"Transaction isolation: TRANSACTION_REPEATABLE_READ+--------------+-----------------------+---------------+---------------+-----------------------+| student.sno | student.sname | student.ssex | student.sage | student.sdept |+--------------+-----------------------+---------------+---------------+-----------------------+| 200215121 | 李勇 | 男 | 20 | CS |+--------------+-----------------------+---------------+---------------+-----------------------+1 row selected (0.667 seconds)Beeline version 2.3.3 by Apache Hive

[hadoop@uhadoop-4wvgxxla-master1 ~]$ beeline -u "jdbc:hive2://uhadoop-4wvgxxla-master2:10000" -n user2 -e "insert into temp.student values(100215122,'刘晨','女',19,'CS');"Transaction isolation: TRANSACTION_REPEATABLE_READError: Error while compiling statement: FAILED: SemanticException No valid privilegesUser user2 does not have privileges for QUERY // 用户user2没有QUERY的特权 The required privileges: Server=uhadoop-4wvgxxla-master1->Db=temp->Table=student->action=insert->grantOption=false; (state=42000,code=40000)Closing: 0: jdbc:hive2://uhadoop-4wvgxxla-master2:10000