【总结】ApacheSentry服务简介

    Sentry是一个RPC服务,将认证元数据信息存储在关系型数据库,并提供RPC接口检索和操作权限。利用Kerveros支持安全访问。Sentry Service通过后台数据库存储提供认证元数据信息,不处理真实的权限验证,当Hive,Impala等服务的配置使用Sentry权限的时候,Hive,Impala只作为Sentry的client。

我们提供的服务有:成都网站设计、网站建设、微信公众号开发、网站优化、网站认证、徐汇ssl等。为成百上千家企事业单位解决了网站和推广的问题。提供周到的售前咨询和贴心的售后服务,是有科学管理、有技术的徐汇网站制作公司

    最早的Sentry是使用policy file配置权限,逐渐版本升级过程中,目前采用关系型数据库存储权限角色等。使用新的Sentry服务相比于旧的policy file能够更容易处理用户权限,新的Sentry服务提供了更传统的 GRANT/REVOKE语句修改权限。

早版本Sentry中的策略文件policy file:

[groups] 
manager = customers_insert_role, 
customers_select_role
analyst = customers_select_role 
[roles] 
customers_insert_role = server=server1->db=customers->table=*->action=insert 
customers_select_role = server=server1->db=customers->table=*->action=select

Sentry历史版本功能:

  • Sentry with policy files is added in CDH 5.1.0.

  • Sentry with config support is added in CDH 5.5.0.

  • Sentry with database-backed Sentry service is added with CDH 5.8.0.


Sentry中基础名词:

1.object Sentry认证规则所保护的一个对象,包括 server, database, table, URI, collection, and config

2.role 访问给定object的规则集合

3.privilege 包括insert select update等

4.user 来自于能够访问Sentry服务的一个认证系统用户,user可以是Kerberos的principal, LDAP的userid,或其他认证系统的标识

5.group 组,一个或者多个用户的集合,Sentry中将role分配给group,一个组就相应担当某个角色

6.A configured group provider determines a user’s affiliation with a group. The current release supports HDFS-backed groups and locally configured groups.

PrivilegeObject
INSERTDB, TABLE
SELECTSERVER, DB, TABLE, COLUMN
UPDATECOLLECTION, CONFIG
QUERYCOLLECTION, CONFIG
ALLSERVER, TABLE, DB, URI, COLLECTION, CONFIG

Sentry权限模型:

Sentry使用基于角色权限模型,有如下特征

1、允许所有用户执行show functions,show locks等

2、允许用户看到那些有权限的tables,databases,collections,configs等

3、HiveQL执行例如LOAD,IMPORT等操作,需要用户有相应URI的权限

4、赋予一个URI某个权限,其子目录也递归赋予这个权限,所以只需将权限grant给一个父目录

5、CDH 5.5引入Column级别的访问控制,之前版本的如果要控制到列级别访问,使用View,创建一个只包含有访问权限Column的View

Tips

    Hive中使用Sentry的时候,必须使用Beeline方式执行查询,Hive Cli方式不支持Sentry


Hive On Sentry中Object层级结构关系

权限能够赋予层级中的不同的object,一个权限如果赋予层级中一个object,则这个object子层级中的object继承这个权限。

比如赋予DATABASE的SELECT权限给用户A,则用户A拥有DATABASE下所有Object的SELECT权限

【总结】Apache Sentry 服务简介

权限类型和Object的对应关系

PrivilegeObject
INSERTDB, TABLE
SELECTDB, TABLE, VIEW, COLUMN
ALLSERVER, TABLE, DB, URI

权限层级

Base ObjectGranular privileges on objectContainer object that contains the base objectPrivileges on container object that implies privileges on the base object
DATABASEALLSERVERALL
TABLEINSERTDATABASEALL
TABLESELECTDATABASEALL
COLUMNSELECTDATABASEALL
VIEWSELECTDATABASEALL

Hive&Impala操作权限表

OperationScopePrivileges RequiredURI
CREATE DATABASESERVERALL
DROP DATABASEDATABASEALL
CREATE TABLEDATABASEALL
DROP TABLETABLEALL
CREATE VIEW-This operation is allowed if you have column-level SELECTaccess to the columns being used.DATABASE; SELECT on TABLE;ALL
ALTER VIEW-This operation is allowed if you have column-level SELECTaccess to the columns being used.VIEW/TABLEALL
DROP VIEWVIEW/TABLEALL
ALTER TABLE .. ADD COLUMNSTABLEALL
ALTER TABLE .. REPLACE COLUMNSTABLEALL
ALTER TABLE .. CHANGE columnTABLEALL
ALTER TABLE .. RENAMETABLEALL
ALTER TABLE .. SET TBLPROPERTIESTABLEALL
ALTER TABLE .. SET FILEFORMATTABLEALL
ALTER TABLE .. SET LOCATIONTABLEALLURI
ALTER TABLE .. ADD PARTITIONTABLEALL
ALTER TABLE .. ADD PARTITION locationTABLEALLURI
ALTER TABLE .. DROP PARTITIONTABLEALL
ALTER TABLE .. PARTITION SET FILEFORMATTABLEALL
SHOW CREATE TABLETABLESELECT/INSERT
SHOW PARTITIONSTABLESELECT/INSERT
SHOW TABLES-Output includes all the tables for which the user has table-level privileges and all the tables for which the user has some column-level privileges.TABLESELECT/INSERT
SHOW GRANT ROLE-Output includes an additional field for any column-level privileges.TABLESELECT/INSERT
DESCRIBE TABLE-Output shows all columns if the user has table level-privileges or SELECT privilege on at least one table columnTABLESELECT/INSERT
LOAD DATATABLEINSERTURI
SELECT-You can grant the SELECT privilege on a view to give users access to specific columns of a table they do not otherwise have access to.
-See Column-level Authorization for details on allowed column-level operations.
VIEW/TABLE; COLUMNSELECT
INSERT OVERWRITE TABLETABLEINSERT
CREATE TABLE .. AS SELECT-This operation is allowed if you have column-level SELECTaccess to the columns being used.DATABASE; SELECT on TABLEALL
USE Any

CREATE FUNCTIONSERVERALL
ALTER TABLE .. SET SERDEPROPERTIESTABLEALL
ALTER TABLE .. PARTITION SET SERDEPROPERTIESTABLEALL
Hive-Only Operations
INSERT OVERWRITE DIRECTORYTABLEINSERTURI
Analyze TABLETABLESELECT + INSERT
IMPORT TABLEDATABASEALLURI
EXPORT TABLETABLESELECTURI
ALTER TABLE TOUCHTABLEALL
ALTER TABLE TOUCH PARTITIONTABLEALL
ALTER TABLE .. CLUSTERED BY SORTED BYTABLEALL
ALTER TABLE .. ENABLE/DISABLETABLEALL
ALTER TABLE .. PARTITION ENABLE/DISABLETABLEALL
ALTER TABLE .. PARTITION.. RENAME TO PARTITIONTABLEALL
MSCK REPAIR TABLETABLEALL
ALTER DATABASEDATABASEALL
DESCRIBE DATABASEDATABASESELECT/INSERT
SHOW COLUMNS-Output for this operation filters columns to which the user does not have explicit SELECT accessTABLESELECT/INSERT
CREATE INDEXTABLEALL
DROP INDEXTABLEALL
SHOW INDEXESTABLESELECT/INSERT
GRANT PRIVILEGEAllowed only for Sentry admin users

REVOKE PRIVILEGEAllowed only for Sentry admin users

SHOW GRANTAllowed only for Sentry admin users

SHOW TBLPROPERTIESTABLESELECT/INSERT
DESCRIBE TABLE .. PARTITIONTABLESELECT/INSERT
ADD JARNot Allowed

ADD FILENot Allowed

DFSNot Allowed

Impala-Only Operations
EXPLAINTABLE; COLUMNSELECT
INVALIDATE METADATASERVERALL
INVALIDATE METADATA
TABLESELECT/INSERT
REFRESH or REFRESH
PARTITION ()
TABLESELECT/INSERT
DROP FUNCTIONSERVERALL
COMPUTE STATSTABLEALL

通过HUE管理Sentry:http://10120275.blog.51cto.com/10110275/1956777


分享名称:【总结】ApacheSentry服务简介
本文来源:http://hbruida.cn/article/gscpdg.html