Sentry is an RPC service that stores authorization metadata in a relational database and exposes RPC interfaces for retrieving and manipulating privileges. It relies on Kerberos for secure access. The Sentry Service serves authorization metadata from its backing database; it does not itself perform the actual privilege checks. When Hive, Impala and similar services are configured to use Sentry for authorization, they act only as Sentry clients.
The earliest Sentry releases configured privileges with a policy file; over successive versions this moved to storing privileges and roles in a relational database. The new Sentry service makes user privileges easier to manage than the old policy file, and it offers the more conventional GRANT/REVOKE statements for modifying privileges.
Policy file from early Sentry versions:
[groups]
manager = customers_insert_role, customers_select_role
analyst = customers_select_role
[roles]
customers_insert_role = server=server1->db=customers->table=*->action=insert
customers_select_role = server=server1->db=customers->table=*->action=select
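To make the relationship between the two configuration styles concrete, the following added example (not code from the original post or from the Sentry project) parses the policy file shown above and emits the GRANT statements that express the same roles and group assignments in the database-backed service. The policy text is the sample from above; the helper names (parse_policy, grant_statement, policy_to_grants) are this example's own, and the emitted statements use the CREATE ROLE / GRANT ... ON ... TO ROLE / GRANT ROLE ... TO GROUP forms of the Sentry-on-Hive grammar.

```python
"""Convert a legacy Sentry policy file into the equivalent GRANT statements.

Added example, not from the original post. The sample policy is the one shown
above; the helper names are this example's own.
"""
import configparser
from typing import Dict, List, Tuple

# Sample policy text, copied from the policy file shown above.
POLICY = """
[groups]
manager = customers_insert_role, customers_select_role
analyst = customers_select_role

[roles]
customers_insert_role = server=server1->db=customers->table=*->action=insert
customers_select_role = server=server1->db=customers->table=*->action=select
"""


def parse_policy(text: str) -> Tuple[Dict[str, List[str]], Dict[str, List[Dict[str, str]]]]:
    """Return (group -> roles, role -> privilege dicts such as {'server': 'server1', ...})."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.optionxform = str                      # keep role and group names case-sensitive
    cp.read_string(text)                      # configparser splits at the first '=' only
    groups = {g: [r.strip() for r in v.split(",")] for g, v in cp["groups"].items()}
    roles: Dict[str, List[Dict[str, str]]] = {}
    for role, spec in cp["roles"].items():
        privs = []
        for priv in spec.split(","):          # one role may list several privileges
            privs.append(dict(part.split("=", 1) for part in priv.strip().split("->")))
        roles[role] = privs
    return groups, roles


def grant_statement(role: str, p: Dict[str, str]) -> str:
    """Map one policy privilege to a GRANT; '*' at a level means the whole parent scope."""
    action = p["action"].upper()
    if "uri" in p:
        scope = f"URI '{p['uri']}'"
    elif "column" in p:                       # column-level form: SELECT(col) ON TABLE db.t
        action = f"{action}({p['column']})"
        scope = f"TABLE {p['db']}.{p['table']}"
    elif p.get("table", "*") != "*":
        scope = f"TABLE {p['db']}.{p['table']}"
    elif p.get("db", "*") != "*":
        scope = f"DATABASE {p['db']}"
    else:
        scope = f"SERVER {p['server']}"
    return f"GRANT {action} ON {scope} TO ROLE {role};"


def policy_to_grants(text: str) -> List[str]:
    """Roles first, then their privileges, then the group assignments."""
    groups, roles = parse_policy(text)
    stmts: List[str] = []
    for role, privs in roles.items():
        stmts.append(f"CREATE ROLE {role};")
        stmts.extend(grant_statement(role, p) for p in privs)
    for group, role_list in groups.items():
        stmts.extend(f"GRANT ROLE {role} TO GROUP {group};" for role in role_list)
    return stmts


if __name__ == "__main__":
    print("\n".join(policy_to_grants(POLICY)))
```

Because `table=*` under a database means every table in that database, the converter grants at DATABASE scope rather than per table, which is the same inheritance the hierarchy tables below describe.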
Sentry feature history:
Sentry with policy files is added in CDH 5.1.0.
Sentry with config support is added in CDH 5.5.0.
Sentry with database-backed Sentry service is added with CDH 5.8.0.
Basic Sentry terminology:
1. object: an entity protected by Sentry authorization rules, including server, database, table, URI, collection and config.
2. role: a set of rules for accessing a given object.
3. privilege: an action such as INSERT, SELECT or UPDATE.
4. user: an identity from an authentication system that can reach the Sentry service; a user may be a Kerberos principal, an LDAP user ID, or an identifier from another authentication system.
5. group: a set of one or more users. Sentry assigns roles to groups, so a group takes on the corresponding role.
6. A configured group provider determines a user's affiliation with a group. The current release supports HDFS-backed groups and locally configured groups.
Privilege | Object |
--- | --- |
INSERT | DB, TABLE |
SELECT | SERVER, DB, TABLE, COLUMN |
UPDATE | COLLECTION, CONFIG |
QUERY | COLLECTION, CONFIG |
ALL | SERVER, TABLE, DB, URI, COLLECTION, CONFIG |
Sentry privilege model:
Sentry uses a role-based privilege model with the following characteristics:
1. All users are allowed to run SHOW FUNCTIONS, SHOW LOCKS and similar statements.
2. Users can see only the tables, databases, collections, configs and so on that they hold privileges on.
3. HiveQL operations such as LOAD and IMPORT require the user to hold privileges on the corresponding URI.
4. A privilege granted on a URI is inherited recursively by its subdirectories, so it is enough to grant the privilege on a parent directory.
5. CDH 5.5 introduced column-level access control; in earlier versions, column-level access was controlled with a view that contained only the columns the user was allowed to access.
Tips
When using Sentry with Hive, queries must be run through Beeline; the Hive CLI does not support Sentry.
Object hierarchy in Hive on Sentry
Privileges can be granted on objects at different levels of the hierarchy; a privilege granted on an object is inherited by every object beneath it.
For example, if user A is granted SELECT on a DATABASE, A holds SELECT on every object in that database.
Mapping of privilege types to objects
Privilege | Object |
--- | --- |
INSERT | DB, TABLE |
SELECT | DB, TABLE, VIEW, COLUMN |
ALL | SERVER, TABLE, DB, URI |
Privilege hierarchy
Base object | Granular privileges on object | Container object that contains the base object | Privileges on container object that imply privileges on the base object |
--- | --- | --- | --- |
DATABASE | ALL | SERVER | ALL |
TABLE | INSERT | DATABASE | ALL |
TABLE | SELECT | DATABASE | ALL |
COLUMN | SELECT | DATABASE | ALL |
VIEW | SELECT | DATABASE | ALL |
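The inheritance rules above are easiest to verify by running them. The following is an added example, not Sentry's own code: a small model of the user -> group -> role -> privilege chain that encodes the hierarchy SERVER > DATABASE > TABLE/VIEW > COLUMN, the rule that a privilege on a container covers every object beneath it, the rule that ALL implies the granular privileges, the recursive URI inheritance from item 4 of the privilege model, and the SHOW TABLES visibility rule (a table is listed if the user holds any column-level privilege on it). All user, group, role, database, table and path names are constructed for the example.

```python
"""Executable model of the Sentry privilege hierarchy described above.

Added example, not Sentry's own code. Names below are constructed for the example.
"""
from typing import Dict, Iterator, List, Tuple

# Nesting order of the Hive/Impala object hierarchy (outer to inner).
LEVELS = ("server", "db", "table", "column")

Obj = Dict[str, str]        # e.g. {"server": "server1", "db": "customers"}
Priv = Tuple[str, Obj]      # (action, object)


def action_covers(granted: str, requested: str) -> bool:
    """ALL implies every action; otherwise the action must match exactly."""
    return granted == "ALL" or granted == requested


def object_covers(granted: Obj, requested: Obj) -> bool:
    """True if the granted object is the requested object or one of its containers."""
    if "uri" in granted or "uri" in requested:
        g, r = granted.get("uri"), requested.get("uri")
        if g is None or r is None:
            return False
        # URI privileges are recursive: a grant on a directory covers its subtree,
        # but not a sibling whose name merely shares the prefix (raw vs rawdata).
        return r == g or r.startswith(g.rstrip("/") + "/")
    for level in LEVELS:
        g = granted.get(level)
        if g is None:                  # grant stops at this level: everything below is covered
            return True
        if requested.get(level) != g:  # different branch of the hierarchy
            return False
    return True                        # identical object


class SentryModel:
    """user -> groups -> roles -> privileges, as in the terminology list above."""

    def __init__(self) -> None:
        self.user_groups: Dict[str, List[str]] = {}
        self.group_roles: Dict[str, List[str]] = {}
        self.role_privs: Dict[str, List[Priv]] = {}

    def add_user(self, user: str, *groups: str) -> None:
        self.user_groups.setdefault(user, []).extend(groups)

    def grant_role(self, role: str, group: str) -> None:           # GRANT ROLE r TO GROUP g
        self.group_roles.setdefault(group, []).append(role)

    def grant(self, role: str, action: str, **obj: str) -> None:   # GRANT action ON obj TO ROLE r
        self.role_privs.setdefault(role, []).append((action.upper(), obj))

    def privileges_for(self, user: str) -> Iterator[Priv]:
        for group in self.user_groups.get(user, []):
            for role in self.group_roles.get(group, []):
                yield from self.role_privs.get(role, [])

    def is_authorized(self, user: str, action: str, **obj: str) -> bool:
        return any(action_covers(a, action.upper()) and object_covers(g, obj)
                   for a, g in self.privileges_for(user))

    def can_list_table(self, user: str, **table: str) -> bool:
        """SHOW TABLES rule from the operations table: a table is listed when the user
        holds a privilege on it, on a container above it, or on any of its columns."""
        return any(object_covers(g, table) or object_covers(table, g)
                   for _, g in self.privileges_for(user))


def build_demo() -> SentryModel:
    """Constructed sample: analysts read, managers also insert and load raw files,
    support staff may read a single column."""
    m = SentryModel()
    m.add_user("alice", "analyst")
    m.add_user("bob", "manager")
    m.add_user("carol", "support")
    for group in ("analyst", "manager"):
        m.grant_role("customers_select_role", group)
    m.grant_role("customers_insert_role", "manager")
    m.grant_role("raw_loader_role", "manager")
    m.grant_role("email_only_role", "support")
    m.grant("customers_select_role", "SELECT", server="server1", db="customers")
    m.grant("customers_insert_role", "INSERT", server="server1", db="customers")
    m.grant("raw_loader_role", "ALL", uri="hdfs://nn/data/raw")
    m.grant("email_only_role", "SELECT",
            server="server1", db="customers", table="contacts", column="email")
    return m


if __name__ == "__main__":
    m = build_demo()
    print(m.is_authorized("alice", "SELECT", server="server1", db="customers", table="orders"))
    print(m.is_authorized("carol", "SELECT", server="server1", db="customers", table="contacts"))
```

The two checks printed at the end show the asymmetry that matters in practice: a database-level SELECT flows down to every table, while a column-level SELECT does not flow up to the table, so the holder can see the table listed but cannot read it as a whole.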
Hive and Impala operation privilege table
Operation | Scope | Privileges Required | URI |
--- | --- | --- | --- |
CREATE DATABASE | SERVER | ALL | |
DROP DATABASE | DATABASE | ALL | |
CREATE TABLE | DATABASE | ALL | |
DROP TABLE | TABLE | ALL | |
CREATE VIEW (allowed if you have column-level SELECT access to the columns being used) | DATABASE; SELECT on TABLE | ALL | |
ALTER VIEW (allowed if you have column-level SELECT access to the columns being used) | VIEW/TABLE | ALL | |
DROP VIEW | VIEW/TABLE | ALL | |
ALTER TABLE .. ADD COLUMNS | TABLE | ALL | |
ALTER TABLE .. REPLACE COLUMNS | TABLE | ALL | |
ALTER TABLE .. CHANGE column | TABLE | ALL | |
ALTER TABLE .. RENAME | TABLE | ALL | |
ALTER TABLE .. SET TBLPROPERTIES | TABLE | ALL | |
ALTER TABLE .. SET FILEFORMAT | TABLE | ALL | |
ALTER TABLE .. SET LOCATION | TABLE | ALL | URI |
ALTER TABLE .. ADD PARTITION | TABLE | ALL | |
ALTER TABLE .. ADD PARTITION location | TABLE | ALL | URI |
ALTER TABLE .. DROP PARTITION | TABLE | ALL | |
ALTER TABLE .. PARTITION SET FILEFORMAT | TABLE | ALL | |
SHOW CREATE TABLE | TABLE | SELECT/INSERT | |
SHOW PARTITIONS | TABLE | SELECT/INSERT | |
SHOW TABLES (output includes all tables for which the user has table-level privileges and all tables for which the user has some column-level privileges) | TABLE | SELECT/INSERT | |
SHOW GRANT ROLE (output includes an additional field for any column-level privileges) | TABLE | SELECT/INSERT | |
DESCRIBE TABLE (output shows all columns if the user has table-level privileges or SELECT on at least one table column) | TABLE | SELECT/INSERT | |
LOAD DATA | TABLE | INSERT | URI |
SELECT (SELECT can be granted on a view to give users access to specific columns of a table they otherwise cannot access; see Column-level Authorization for the allowed column-level operations) | VIEW/TABLE; COLUMN | SELECT | |
INSERT OVERWRITE TABLE | TABLE | INSERT | |
CREATE TABLE .. AS SELECT (allowed if you have column-level SELECT access to the columns being used) | DATABASE; SELECT on TABLE | ALL | |
USE <dbName> | Any | | |
CREATE FUNCTION | SERVER | ALL | |
ALTER TABLE .. SET SERDEPROPERTIES | TABLE | ALL | |
ALTER TABLE .. PARTITION SET SERDEPROPERTIES | TABLE | ALL | |
Hive-only operations | | | |
INSERT OVERWRITE DIRECTORY | TABLE | INSERT | URI |
ANALYZE TABLE | TABLE | SELECT + INSERT | |
IMPORT TABLE | DATABASE | ALL | URI |
EXPORT TABLE | TABLE | SELECT | URI |
ALTER TABLE TOUCH | TABLE | ALL | |
ALTER TABLE TOUCH PARTITION | TABLE | ALL | |
ALTER TABLE .. CLUSTERED BY SORTED BY | TABLE | ALL | |
ALTER TABLE .. ENABLE/DISABLE | TABLE | ALL | |
ALTER TABLE .. PARTITION ENABLE/DISABLE | TABLE | ALL | |
ALTER TABLE .. PARTITION .. RENAME TO PARTITION | TABLE | ALL | |
MSCK REPAIR TABLE | TABLE | ALL | |
ALTER DATABASE | DATABASE | ALL | |
DESCRIBE DATABASE | DATABASE | SELECT/INSERT | |
SHOW COLUMNS (output filters out columns to which the user does not have explicit SELECT access) | TABLE | SELECT/INSERT | |
CREATE INDEX | TABLE | ALL | |
DROP INDEX | TABLE | ALL | |
SHOW INDEXES | TABLE | SELECT/INSERT | |
GRANT PRIVILEGE | | Allowed only for Sentry admin users | |
REVOKE PRIVILEGE | | Allowed only for Sentry admin users | |
SHOW GRANT | | Allowed only for Sentry admin users | |
SHOW TBLPROPERTIES | TABLE | SELECT/INSERT | |
DESCRIBE TABLE .. PARTITION | TABLE | SELECT/INSERT | |
ADD JAR | | Not allowed | |
ADD FILE | | Not allowed | |
DFS | | Not allowed | |
Impala-only operations | | | |
EXPLAIN | TABLE; COLUMN | SELECT | |
INVALIDATE METADATA | SERVER | ALL | |
INVALIDATE METADATA <table name> | TABLE | SELECT/INSERT | |
REFRESH <table name> or REFRESH <table name> PARTITION (<partition_spec>) | TABLE | SELECT/INSERT | |
DROP FUNCTION | SERVER | ALL | |
COMPUTE STATS | TABLE | ALL | |
Managing Sentry through HUE: http://10120275.blog.51cto.com/10110275/1956777
Article: [Summary] Introduction to the Apache Sentry Service