hive增加普通用戶,只賦予select權(quán)限,無create,drop等權(quán)限
網(wǎng)站設(shè)計制作、網(wǎng)站設(shè)計介紹好的網(wǎng)站是理念、設(shè)計和技術(shù)的結(jié)合。創(chuàng)新互聯(lián)公司擁有的網(wǎng)站設(shè)計理念、多方位的設(shè)計風(fēng)格、經(jīng)驗豐富的設(shè)計團隊。提供PC端+手機端網(wǎng)站建設(shè),用營銷思維進行網(wǎng)站設(shè)計、采用先進技術(shù)開源代碼、注重用戶體驗與SEO基礎(chǔ),將技術(shù)與創(chuàng)意整合到網(wǎng)站之中,以契合客戶的方式做到創(chuàng)意性的視覺化效果。
剛接到客戶的要求,提出增加4個普通hive用戶,具有select權(quán)限,不具有createdatabase/table,dropdatabase/table的權(quán)限,只保留amos用戶具有select,create,drop、revoke所有權(quán)限。
往上搜索了一大堆,最后解決辦法是:
1、首先amos用戶登錄hive,賦予自己對數(shù)據(jù)庫dmp所有權(quán)限
[amos@DMP-GATEWAY amos]$ cd /opt/amos/hive/bin/ [amos@DMP-GATEWAY bin]$ ./hive hive> grant all on database dmp to user amos;
2、linux添加普通用戶mcduser1
在centos6.7系統(tǒng)上增加mcduser1用戶:useradd mcduser1
3、修改hadoop上用戶的權(quán)限
hadoop fs -chmod -R 777 /user/hive/warehouse hadoop fs -chmod -R 777 /tmp
4、修改hive配置文件hive-site.xml,增加權(quán)限控制,然后重啟hive服務(wù):metastore,HiveServer2,hwi 。
<property> <name>hive.security.authorization.enabled</name> <value>true</value> <description>enableordisable the hive clientauthorization</description> </property> <property> <name>hive.security.authorization.createtable.owner.grants</name> <value>ALL</value> <description>theprivileges automatically granted to theownerwhenever a table gets created. Anexample like "select,drop"willgrant select and drop privilege to theowner of thetable</description> </property>
5、用超級用戶amos登錄hive,給普通用戶mcduser1賦予select權(quán)限
[amos@DMP-GATEWAY amos]$ cd /opt/amos/hive/bin/ [amos@DMP-GATEWAY bin]$ ./hive hive> grant select on database dmp to user mcduser1;
注意:如果權(quán)限賦于錯誤,可以用revoke刪除權(quán)限
hive> revoke select on database dmp from user amos;
6、測試發(fā)現(xiàn)mcduser1用戶使用select count(*)啟動的mapreduce,但是會自動失敗,最后看yarn日志錯誤是:
Diagnostics: Application application_1484125831039_0001 failed 3 times due to AM Containerfor appattempt_1484125831039_0001_000003 exited with exitCode: -1000 For more detailed output, check application trackingpage:http://DMP-DEV01:8088/cluster/app/application_1484125831039_0001Then,click on links to logs of each attempt. Diagnostics: Application application_1484125831039_0001 initialization failed(exitCode=255) with output: User mcduser1 not found Failing this attempt. Failing the application.
原來gatewany服務(wù)器上有mcduser1用戶,但是在nodemanager上面沒有該用戶,使用ansible在所有的node服務(wù)器上添加該用戶,注意,使用useradd-s /sbin/nologin mcduser1,不允許mcduser1在nodemanager上登錄。
[root@mcddmpfe01 ~]# ansible amosDnNodes -m shell -a'useradd -s /sbin/nologin mcduser1' /opt/amos/python2.7/lib/python2.7/site-packages/pycrypto-2.6.1-py2.7-linux-x86_64.egg/Crypto/Util/number.py:57:PowmInsecureWarning: Not using mpz_powm_sec. You should rebuild us ing libgmp >= 5 to avoid timing attack vulnerability. mcddmpnode05 | SUCCESS | rc=0 >> mcddmpnode01 | SUCCESS | rc=0 >> mcddmpnode03 | SUCCESS | rc=0 >> mcddmpnode02 | SUCCESS | rc=0 >> mcddmpnode04 | SUCCESS | rc=0 >> mcddmpnode07 | SUCCESS | rc=0 >> mcddmpnode06 | SUCCESS | rc=0 >> mcddmpnode08 | SUCCESS | rc=0 >>
測試通過,普通用戶可以在hive上通過select count(*) from table啟動mapreduce程序。
hive> select count(*) from store_master; Query ID = hiveuser1_20170112122713_fea2188b-7e19-4a9a-896d-ec472c60d0ca Total jobs = 1 Launching Job 1 out of 1 Number of reduce tasks determined at compile time: 1 In order to change the average load for a reducer (in bytes): sethive.exec.reducers.bytes.per.reducer=<number> In order to limit the maximum number of reducers: sethive.exec.reducers.max=<number> In order to set a constant number of reducers: setmapreduce.job.reduces=<number> Starting Job = job_1484051373423_1338, Tracking URL =http://mcddmpfe02:8088/proxy/application_1484051373423_1338/ Kill Command = /opt/amos/hadoop/bin/hadoop job -killjob_1484051373423_1338 Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 1 2017-01-12 12:27:36,289 Stage-1 map = 0%, reduce = 0% 2017-01-12 12:27:48,349 Stage-1 map = 100%, reduce = 0%, Cumulative CPU4.01 sec 2017-01-12 12:27:59,130 Stage-1 map = 100%, reduce = 100%, Cumulative CPU7.86 sec MapReduce Total cumulative CPU time: 7 seconds 860 msec Ended Job = job_1484051373423_1338 MapReduce Jobs Launched: Stage-Stage-1: Map: 1 Reduce: 1 Cumulative CPU: 7.86 sec HDFS Read: 0 HDFS Write: 0 SUCCESS Total MapReduce CPU Time Spent: 7 seconds 860 msec OK 2302 Time taken: 47.764 seconds, Fetched: 1 row(s) hive> create database test; Authorization failed:No privilege 'Create' found for outputs { }. Use SHOWGRANT to get more details.
8、至于用戶的Hive操作日志,目前記錄在用戶目錄的.hivehistory文件下即/home/$user/.hivehistory。
例如:mcduser1用戶在hive命令行的操作日志記錄在:/home/hiveuser1/.hivehistoy
9、現(xiàn)在發(fā)現(xiàn)一個問題,就是普通用戶可以添加權(quán)限,這個問題還沒有找到合適的解決辦法,可能需要開發(fā)寫一段hook程序了。
當(dāng)前題目:hive增加普通用戶,只賦予select權(quán)限,無create,drop等權(quán)限
文章出自:http://jinyejixie.com/article38/gpeepp.html
成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián),為您提供建站公司、靜態(tài)網(wǎng)站、移動網(wǎng)站建設(shè)、網(wǎng)站改版、定制開發(fā)、網(wǎng)站內(nèi)鏈
聲明:本網(wǎng)站發(fā)布的內(nèi)容(圖片、視頻和文字)以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主,如果涉及侵權(quán)請盡快告知,我們將會在第一時間刪除。文章觀點不代表本網(wǎng)站立場,如需處理請聯(lián)系客服。電話:028-86922220;郵箱:631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載,或轉(zhuǎn)載時需注明來源: 創(chuàng)新互聯(lián)