Hive: creating roles and granting privileges
1 Role management commands
1.1 Create a role
Creating a new role must be done by a user holding the admin role.
CREATE ROLE role_name;

-- Example: create a role named bigdata_admin_role
CREATE ROLE bigdata_admin_role;

If Hive authorization has not been configured yet, add the following to hive-site.xml and restart Hive:

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
</property>
<property>
  <name>hive.security.authorization.task.factory</name>
  <value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>

1.2 Drop a role
Dropping a role must be done by a user holding the admin role.

DROP ROLE role_name;

-- Example: drop the role named bigdata_admin_role
DROP ROLE bigdata_admin_role;

1.3 Show current roles
Shows the list of roles currently active for the user.

SHOW CURRENT ROLES;

1.4 Set role
If a role_name is specified, that role becomes the only role in the user's current role list.
Setting role_name to ALL refreshes the current role list (picking up roles newly granted to the user) and resets it to the default list of roles.
Setting role_name to NONE removes all current roles from the current user.
1.5 Show roles
Lists all roles that currently exist.
Only the admin role has the privilege to run this.
2 Privilege management
2.1 Grant a role to other roles, users or groups
That is, the receiving roles, users or groups gain the privileges held by the granted role.
Grant/revoke syntax
Grants one or more roles to other roles or users.
If WITH ADMIN OPTION is specified, the grantee also receives the right to grant the role to other users and roles.
If the grant statement would end up creating a cycle among roles, the command fails with an error.
Revokes membership of the role from the users/roles named in the FROM clause.
REVOKE [ADMIN OPTION FOR] role_name [, role_name] ...
FROM principal_specification [, principal_specification] ... ;

principal_specification
  : USER user
  | GROUP group
  | ROLE role

-- Example: remove the bigdata_admin_role role from user bigdata_admin
REVOKE ROLE bigdata_admin_role FROM USER bigdata_admin;

-- Example: remove the bigdata_admin_role role from group bigdata_admin_g
REVOKE ROLE bigdata_admin_role FROM GROUP bigdata_admin_g;

2.2 Grant database/table privileges to a role
Grants privileges on a database, table or view: ALL, ALTER, UPDATE, CREATE, DROP, INDEX, LOCK, SELECT and SHOW_DATABASE. A privilege can also be restricted to particular columns of a table.

GRANT
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_specification]
    TO principal_specification [, principal_specification] ...
    [WITH GRANT OPTION]

REVOKE [GRANT OPTION FOR]
    priv_type [(column_list)]
      [, priv_type [(column_list)]] ...
    [ON object_specification]
    FROM principal_specification [, principal_specification] ...

REVOKE ALL PRIVILEGES, GRANT OPTION
    FROM user [, user] ...

priv_type:
    ALL | ALTER | UPDATE | CREATE | DROP
  | INDEX | LOCK | SELECT | SHOW_DATABASE

object_specification:
    TABLE tbl_name
  | DATABASE db_name

principal_specification:
    USER user
  | GROUP group
  | ROLE role

-- Example: grant all privileges on database bigdata_db to the bigdata_admin_role role
GRANT ALL ON DATABASE bigdata_db TO ROLE bigdata_admin_role;

-- Example: grant SELECT on table bigdata_db.test to the bigdata_read_role role
GRANT SELECT ON TABLE bigdata_db.test TO ROLE bigdata_read_role;

-- Example: revoke SELECT on table bigdata_db.test from the bigdata_read_role role
REVOKE SELECT ON TABLE bigdata_db.test FROM ROLE bigdata_read_role;

If a user is granted a privilege on a table or view WITH GRANT OPTION, that user can in turn grant and revoke privileges on those objects to and from other users and roles.
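The rules in 2.1 and 2.2 compose: a principal's effective privileges are its own grants plus the grants of every role it holds, directly or through a chain of role grants, and Hive refuses a GRANT ROLE that would close a cycle. The Python model below is an added illustration, not Hive's code, and simplifies Hive's semantics (it treats a database-level grant as covering that database's tables); it uses the post's bigdata_* names, while the group bigdata_read_g and the grant of bigdata_read_role to bigdata_admin_role are assumptions made for the example.

```python
from collections import defaultdict

class HiveRoleModel:
    # Toy model of Hive role membership and object grants (added example, not Hive code)
    def __init__(self):
        self.role_members = defaultdict(set)  # role -> {(ptype, name)} that hold it
        self.user_groups = defaultdict(set)   # user -> {group}
        self.grants = defaultdict(set)        # (ptype, name) -> {(priv, obj, grant_opt)}

    def _closure(self, roles):
        """Every role reachable from `roles`: whoever holds role A also holds what A holds."""
        result, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in result:
                result.add(r)
                stack += [x for x, m in self.role_members.items() if ("ROLE", r) in m]
        return result

    def grant_role(self, role, ptype, name):
        """GRANT ROLE role TO ptype name; like Hive, refuse a grant that would close a cycle."""
        if ptype == "ROLE" and name in self._closure({role}):
            raise ValueError(f"GRANT ROLE {role} TO ROLE {name} would create a cycle")
        self.role_members[role].add((ptype, name))

    def grant_priv(self, priv, obj, ptype, name, grant_option=False):
        self.grants[(ptype, name)].add((priv, obj, grant_option))  # obj: 'db' or 'db.table'

    def roles_of_user(self, user):
        """Roles held through USER/GROUP membership, expanded through role chains."""
        groups = self.user_groups[user]
        direct = {"public"} | {r for r, m in self.role_members.items()
                               if ("USER", user) in m or any(("GROUP", g) in m for g in groups)}
        return self._closure(direct)

    def can(self, user, priv, obj):
        """Effective check; a database-level grant also covers the tables in that database."""
        holders = [("USER", user)] + [("GROUP", g) for g in self.user_groups[user]]
        holders += [("ROLE", r) for r in self.roles_of_user(user)]
        return any(p in (priv, "ALL") and o in (obj, obj.split(".")[0])
                   for h in holders for p, o, _ in self.grants[h])

def build_example():
    # The post's setup: bigdata_admin_role gets ALL on bigdata_db, bigdata_read_role gets SELECT
    m = HiveRoleModel()
    m.user_groups["bigdata_admin"].add("bigdata_admin_g")
    m.user_groups["bigdata_read"].add("bigdata_read_g")   # assumed group for the read user
    m.grant_priv("ALL", "bigdata_db", "ROLE", "bigdata_admin_role")
    m.grant_priv("SELECT", "bigdata_db.test", "ROLE", "bigdata_read_role")
    m.grant_role("bigdata_admin_role", "GROUP", "bigdata_admin_g")
    m.grant_role("bigdata_read_role", "GROUP", "bigdata_read_g")
    m.grant_role("bigdata_read_role", "ROLE", "bigdata_admin_role")  # assumed: admins also read
    return m
```

Granting bigdata_admin_role back to bigdata_read_role on this model raises the same kind of error Hive reports for a role cycle.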
2.3 Show grants

SHOW GRANT [principal_specification] ON (ALL | [TABLE] table_or_view_name);

principal_specification:
    USER user
  | ROLE role

2.4 Example of managing object privileges
Example: create user bigdata_admin in group bigdata_admin_g, create the Hive role bigdata_admin_role, create database bigdata_db, give bigdata_admin_role all privileges on bigdata_db, and grant bigdata_admin_role to the bigdata_admin_g group:
# Shell script:
# 1. Create a group, bigdata_admin_g. Syntax: groupadd [group]
groupadd bigdata_admin_g
# 2. Create a user, bigdata_admin, with primary group bigdata_admin_g. Syntax: useradd -m -g [group] [user]
useradd -m -g bigdata_admin_g bigdata_admin
# 3. Check that the group and user were created. Syntax: id [user]
id bigdata_admin
# Output like the following means creation succeeded:
# uid=1003(bigdata_admin) gid=1003(bigdata_admin_g) groups=1003(bigdata_admin_g)
# 4. Create the user's Hadoop home directory, then set its ownership, permissions, ACLs and space quota
hadoop fs -mkdir /user/bigdata_admin
hadoop fs -chown bigdata_admin:bigdata_admin_g /user/bigdata_admin
hadoop fs -chmod 711 /user/bigdata_admin
hadoop fs -setfacl -R -m group:bigdata_admin_g:rwx /user/bigdata_admin
hadoop fs -setfacl -R -m default:group:bigdata_admin_g:rwx /user/bigdata_admin
hadoop fs -setfacl -R -m default:user::rwx /user/bigdata_admin
hadoop fs -setfacl -R -m default:other::--- /user/bigdata_admin
hdfs dfsadmin -setSpaceQuota 10g /user/bigdata_admin

-- SQL script:
-- 1. Create database bigdata_db
CREATE DATABASE bigdata_db;
-- 2. Create the role bigdata_admin_role
CREATE ROLE bigdata_admin_role;
-- 3. Grant all privileges on database bigdata_db to bigdata_admin_role
GRANT ALL ON DATABASE bigdata_db TO ROLE bigdata_admin_role;
-- 4. Grant bigdata_admin_role to group bigdata_admin_g, so that every user in bigdata_admin_g has all privileges on bigdata_db
GRANT ROLE bigdata_admin_role TO GROUP bigdata_admin_g;
-- 5. Grant all privileges on the cluster path to bigdata_admin_role
GRANT ALL ON URI 'hdfs://nameservice/user/bigdata' TO ROLE bigdata_admin_role;

Example: create user bigdata_read in group bigdata_read_g, create the Hive role bigdata_read_role, give bigdata_read_role SELECT on bigdata_db, and grant bigdata_read_role to the bigdata_read_g group:

-- SQL script:
-- 1. Create the role bigdata_read_role
CREATE ROLE bigdata_read_role;
-- 2. Grant SELECT on database bigdata_db to bigdata_read_role
GRANT SELECT ON DATABASE bigdata_db TO ROLE bigdata_read_role;
-- 3. Grant bigdata_read_role to group bigdata_read_g, so that every user in bigdata_read_g can read database bigdata_db
GRANT ROLE bigdata_read_role TO GROUP bigdata_read_g;

2.5 Show role grants
principal_name is the name of a user or role.
Lists all roles granted to the given user or role.
Example:

0: jdbc:hive2://localhost:10000> SHOW ROLE GRANT USER user1;
+---------+---------------+----------------+----------+
| role    | grant_option  | grant_time     | grantor  |
+---------+---------------+----------------+----------+
| public  | false         | 0              |          |
| role1   | false         | 1398284083000  | uadmin   |
+---------+---------------+----------------+----------+

2.6 List the users and roles that belong to a role
Only the admin role has the privilege to run this.

SHOW PRINCIPALS role_name;

Example:

0: jdbc:hive2://localhost:10000> SHOW PRINCIPALS role1;
+-----------------+-----------------+---------------+----------+---------------+----------------+
| principal_name  | principal_type  | grant_option  | grantor  | grantor_type  | grant_time     |
+-----------------+-----------------+---------------+----------+---------------+----------------+
| role2           | ROLE            | false         | uadmin   | USER          | 1398285926000  |
| role3           | ROLE            | true          | uadmin   | USER          | 1398285946000  |
| user1           | USER            | false         | uadmin   | USER          | 1398285977000  |
+-----------------+-----------------+---------------+----------+---------------+----------------+

Find the privileges user ashutosh has on table hivejiratable:
0: jdbc:hive2://localhost:10000> show grant user ashutosh on table hivejiratable;
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table          | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default   | hivejiratable  |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000  | thejas   |
| default   | hivejiratable  |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000  | thejas   |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+

Find the privileges user ashutosh has on all objects:
0: jdbc:hive2://localhost:10000> show grant user ashutosh on all;
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table             | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default   | hivecontributors  |            |         | ashutosh        | USER            | DELETE     | false         | 1398303576000  | thejas   |
| default   | hivecontributors  |            |         | ashutosh        | USER            | INSERT     | false         | 1398303576000  | thejas   |
| default   | hivecontributors  |            |         | ashutosh        | USER            | SELECT     | false         | 1398303576000  | thejas   |
| default   | hivejiratable     |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000  | thejas   |
| default   | hivejiratable     |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000  | thejas   |
+-----------+-------------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+

Find the privileges all users have on table hivejiratable:
0: jdbc:hive2://localhost:10000> show grant on table hivejiratable;
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table          | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default   | hivejiratable  |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000  | thejas   |
| default   | hivejiratable  |            |         | ashutosh        | USER            | SELECT     | false         | 1398303407000  | thejas   |
| default   | hivejiratable  |            |         | navis           | USER            | INSERT     | false         | 1398303650000  | thejas   |
| default   | hivejiratable  |            |         | navis           | USER            | SELECT     | false         | 1398303650000  | thejas   |
| default   | hivejiratable  |            |         | public          | ROLE            | SELECT     | false         | 1398303481000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | DELETE     | true          | 1398303380000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | INSERT     | true          | 1398303380000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | SELECT     | true          | 1398303380000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | UPDATE     | true          | 1398303380000  | thejas   |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
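Reviewing SHOW GRANT output by eye does not scale, so it helps to parse the boxed table and apply a few checks to it. The Python script below is an added example, not part of the original post: it parses the beeline layout shown above, using rows constructed from this post's output, and flags grants a least-privilege review should examine: privileges held WITH GRANT OPTION, grants to the implicit public role, and privileges granted directly to users rather than through roles.

```python
# Sample SHOW GRANT output, constructed from the rows shown in this post.
SAMPLE_SHOW_GRANT = """\
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database  | table          | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time     | grantor  |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| default   | hivejiratable  |            |         | ashutosh        | USER            | DELETE     | false         | 1398303419000  | thejas   |
| default   | hivejiratable  |            |         | navis           | USER            | SELECT     | false         | 1398303650000  | thejas   |
| default   | hivejiratable  |            |         | public          | ROLE            | SELECT     | false         | 1398303481000  | thejas   |
| default   | hivejiratable  |            |         | thejas          | USER            | DELETE     | true          | 1398303380000  | thejas   |
+-----------+----------------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
"""

def parse_show_grant(text):
    """Turn beeline's boxed table into a list of dicts keyed by the header row."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip the +---- border lines and any text before the table
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def audit_grants(rows):
    """Return (code, message) findings for grants that widen exposure: re-grantable
    privileges, grants to the implicit public role, and grants made to users directly."""
    findings = []
    for r in rows:
        obj = f"{r['database']}.{r['table']}"
        who = f"{r['principal_type']} {r['principal_name']}"
        if r["grant_option"] == "true":
            findings.append(("grant_option", f"{who} can re-grant {r['privilege']} on {obj}"))
        if r["principal_type"] == "ROLE" and r["principal_name"] == "public":
            findings.append(("public", f"every user gets {r['privilege']} on {obj}"))
        elif r["principal_type"] == "USER":
            findings.append(("direct_user_grant", f"{who} holds {r['privilege']} on {obj} outside any role"))
    return findings

if __name__ == "__main__":
    for code, msg in audit_grants(parse_show_grant(SAMPLE_SHOW_GRANT)):
        print(f"{code:18} {msg}")
```

Feed it the output of `show grant on all` (redirected from beeline) to review every grant on the cluster at once.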