Sentry是一個(gè)RPC服務(wù)�,將認(rèn)證元數(shù)據(jù)信息存儲(chǔ)在關(guān)系型數(shù)據(jù)庫(kù)���,并提供RPC接口檢索和操作權(quán)限�。利用Kerveros支持安全訪問(wèn)�。Sentry Service通過(guò)后臺(tái)數(shù)據(jù)庫(kù)存儲(chǔ)提供認(rèn)證元數(shù)據(jù)信息,不處理真實(shí)的權(quán)限驗(yàn)證����,當(dāng)Hive,Impala等服務(wù)的配置使用Sentry權(quán)限的時(shí)候,Hive��,Impala只作為Sentry的client����。
我們提供的服務(wù)有:成都網(wǎng)站設(shè)計(jì)�����、網(wǎng)站建設(shè)����、微信公眾號(hào)開(kāi)發(fā)��、網(wǎng)站優(yōu)化��、網(wǎng)站認(rèn)證���、徐匯ssl等。為成百上千家企事業(yè)單位解決了網(wǎng)站和推廣的問(wèn)題���。提供周到的售前咨詢(xún)和貼心的售后服務(wù)�����,是有科學(xué)管理�����、有技術(shù)的徐匯網(wǎng)站制作公司
最早的Sentry是使用policy file配置權(quán)限����,逐漸版本升級(jí)過(guò)程中�����,目前采用關(guān)系型數(shù)據(jù)庫(kù)存儲(chǔ)權(quán)限角色等����。使用新的Sentry服務(wù)相比于舊的policy file能夠更容易處理用戶(hù)權(quán)限�����,新的Sentry服務(wù)提供了更傳統(tǒng)的 GRANT/REVOKE語(yǔ)句修改權(quán)限���。
早版本Sentry中的策略文件policy file:
[groups]
manager = customers_insert_role,
customers_select_role
analyst = customers_select_role
[roles]
customers_insert_role = server=server1->db=customers->table=*->action=insert
customers_select_role = server=server1->db=customers->table=*->action=select
Sentry歷史版本功能:
Sentry with policy files is added in CDH 5.1.0.
Sentry with config support is added in CDH 5.5.0.
Sentry with database-backed Sentry service is added with CDH 5.8.0.
Sentry中基礎(chǔ)名詞:
1.object Sentry認(rèn)證規(guī)則所保護(hù)的一個(gè)對(duì)象,包括 server, database, table, URI, collection, and config
2.role 訪問(wèn)給定object的規(guī)則集合
3.privilege 包括insert select update等
4.user 來(lái)自于能夠訪問(wèn)Sentry服務(wù)的一個(gè)認(rèn)證系統(tǒng)用戶(hù)��,user可以是Kerberos的principal, LDAP的userid��,或其他認(rèn)證系統(tǒng)的標(biāo)識(shí)
5.group 組��,一個(gè)或者多個(gè)用戶(hù)的集合���,Sentry中將role分配給group����,一個(gè)組就相應(yīng)擔(dān)當(dāng)某個(gè)角色
6.A configured group provider determines a user’s affiliation with a group. The current release supports HDFS-backed groups and locally configured groups.
| Privilege | Object |
| INSERT | DB, TABLE |
| SELECT | SERVER, DB, TABLE, COLUMN |
| UPDATE | COLLECTION, CONFIG |
| QUERY | COLLECTION, CONFIG |
| ALL | SERVER, TABLE, DB, URI, COLLECTION, CONFIG |
Sentry權(quán)限模型:
Sentry使用基于角色權(quán)限模型����,有如下特征
1���、允許所有用戶(hù)執(zhí)行show functions���,show locks等
2�����、允許用戶(hù)看到那些有權(quán)限的tables,databases,collections��,configs等
3�����、HiveQL執(zhí)行例如LOAD����,IMPORT等操作����,需要用戶(hù)有相應(yīng)URI的權(quán)限
4、賦予一個(gè)URI某個(gè)權(quán)限��,其子目錄也遞歸賦予這個(gè)權(quán)限����,所以只需將權(quán)限grant給一個(gè)父目錄
5��、CDH 5.5引入Column級(jí)別的訪問(wèn)控制��,之前版本的如果要控制到列級(jí)別訪問(wèn)����,使用View�,創(chuàng)建一個(gè)只包含有訪問(wèn)權(quán)限Column的View
Tips
Hive中使用Sentry的時(shí)候,必須使用Beeline方式執(zhí)行查詢(xún)����,Hive Cli方式不支持Sentry
Hive On Sentry中Object層級(jí)結(jié)構(gòu)關(guān)系
權(quán)限能夠賦予層級(jí)中的不同的object,一個(gè)權(quán)限如果賦予層級(jí)中一個(gè)object��,則這個(gè)object子層級(jí)中的object繼承這個(gè)權(quán)限���。
比如賦予DATABASE的SELECT權(quán)限給用戶(hù)A�,則用戶(hù)A擁有DATABASE下所有Object的SELECT權(quán)限
權(quán)限類(lèi)型和Object的對(duì)應(yīng)關(guān)系
| Privilege | Object |
| INSERT | DB, TABLE |
| SELECT | DB, TABLE, VIEW, COLUMN |
| ALL | SERVER, TABLE, DB, URI |
權(quán)限層級(jí)
| Base Object | Granular privileges on object | Container object that contains the base object | Privileges on container object that implies privileges on the base object |
| DATABASE | ALL | SERVER | ALL |
| TABLE | INSERT | DATABASE | ALL |
| TABLE | SELECT | DATABASE | ALL |
| COLUMN | SELECT | DATABASE | ALL |
| VIEW | SELECT | DATABASE | ALL |
Hive&Impala操作權(quán)限表
| Operation | Scope | Privileges Required | URI |
| CREATE DATABASE | SERVER | ALL |
|
| DROP DATABASE | DATABASE | ALL |
|
| CREATE TABLE | DATABASE | ALL |
|
| DROP TABLE | TABLE | ALL |
|
| CREATE VIEW-This operation is allowed if you have column-level SELECTaccess to the columns being used. | DATABASE; SELECT on TABLE; | ALL |
|
| ALTER VIEW-This operation is allowed if you have column-level SELECTaccess to the columns being used. | VIEW/TABLE | ALL |
|
| DROP VIEW | VIEW/TABLE | ALL |
|
| ALTER TABLE .. ADD COLUMNS | TABLE | ALL |
|
| ALTER TABLE .. REPLACE COLUMNS | TABLE | ALL |
|
| ALTER TABLE .. CHANGE column | TABLE | ALL |
|
| ALTER TABLE .. RENAME | TABLE | ALL |
|
| ALTER TABLE .. SET TBLPROPERTIES | TABLE | ALL |
|
| ALTER TABLE .. SET FILEFORMAT | TABLE | ALL |
|
| ALTER TABLE .. SET LOCATION | TABLE | ALL | URI |
| ALTER TABLE .. ADD PARTITION | TABLE | ALL |
|
| ALTER TABLE .. ADD PARTITION location | TABLE | ALL | URI |
| ALTER TABLE .. DROP PARTITION | TABLE | ALL |
|
| ALTER TABLE .. PARTITION SET FILEFORMAT | TABLE | ALL |
|
| SHOW CREATE TABLE | TABLE | SELECT/INSERT |
|
| SHOW PARTITIONS | TABLE | SELECT/INSERT |
|
| SHOW TABLES-Output includes all the tables for which the user has table-level privileges and all the tables for which the user has some column-level privileges. | TABLE | SELECT/INSERT |
|
| SHOW GRANT ROLE-Output includes an additional field for any column-level privileges. | TABLE | SELECT/INSERT |
|
| DESCRIBE TABLE-Output shows all columns if the user has table level-privileges or SELECT privilege on at least one table column | TABLE | SELECT/INSERT |
|
| LOAD DATA | TABLE | INSERT | URI |
SELECT-You can grant the SELECT privilege on a view to give users access to specific columns of a table they do not otherwise have access to.
-See Column-level Authorization for details on allowed column-level operations. | VIEW/TABLE; COLUMN | SELECT |
|
| INSERT OVERWRITE TABLE | TABLE | INSERT |
|
| CREATE TABLE .. AS SELECT-This operation is allowed if you have column-level SELECTaccess to the columns being used. | DATABASE; SELECT on TABLE | ALL |
|
| USE | Any |
|
|
| CREATE FUNCTION | SERVER | ALL |
|
| ALTER TABLE .. SET SERDEPROPERTIES | TABLE | ALL |
|
| ALTER TABLE .. PARTITION SET SERDEPROPERTIES | TABLE | ALL |
|
| Hive-Only Operations |
| INSERT OVERWRITE DIRECTORY | TABLE | INSERT | URI |
| Analyze TABLE | TABLE | SELECT + INSERT |
|
| IMPORT TABLE | DATABASE | ALL | URI |
| EXPORT TABLE | TABLE | SELECT | URI |
| ALTER TABLE TOUCH | TABLE | ALL |
|
| ALTER TABLE TOUCH PARTITION | TABLE | ALL |
|
| ALTER TABLE .. CLUSTERED BY SORTED BY | TABLE | ALL |
|
| ALTER TABLE .. ENABLE/DISABLE | TABLE | ALL |
|
| ALTER TABLE .. PARTITION ENABLE/DISABLE | TABLE | ALL |
|
| ALTER TABLE .. PARTITION.. RENAME TO PARTITION | TABLE | ALL |
|
| MSCK REPAIR TABLE | TABLE | ALL |
|
| ALTER DATABASE | DATABASE | ALL |
|
| DESCRIBE DATABASE | DATABASE | SELECT/INSERT |
|
| SHOW COLUMNS-Output for this operation filters columns to which the user does not have explicit SELECT access | TABLE | SELECT/INSERT |
|
| CREATE INDEX | TABLE | ALL |
|
| DROP INDEX | TABLE | ALL |
|
| SHOW INDEXES | TABLE | SELECT/INSERT |
|
| GRANT PRIVILEGE | Allowed only for Sentry admin users |
|
|
| REVOKE PRIVILEGE | Allowed only for Sentry admin users |
|
|
| SHOW GRANT | Allowed only for Sentry admin users |
|
|
| SHOW TBLPROPERTIES | TABLE | SELECT/INSERT |
|
| DESCRIBE TABLE .. PARTITION | TABLE | SELECT/INSERT |
|
| ADD JAR | Not Allowed |
|
|
| ADD FILE | Not Allowed |
|
|
| DFS | Not Allowed |
|
|
| Impala-Only Operations |
| EXPLAIN | TABLE; COLUMN | SELECT |
|
| INVALIDATE METADATA | SERVER | ALL |
|
INVALIDATE METADATA | TABLE | SELECT/INSERT |
| REFRESH or REFRESH PARTITION ()| TABLE | SELECT/INSERT |
| | DROP FUNCTION | SERVER | ALL |
| | COMPUTE STATS | TABLE | ALL |
| 通過(guò)HUE管理Sentry:http://10120275.blog.51cto.com/10110275/1956777
網(wǎng)站名稱(chēng):【總結(jié)】ApacheSentry服務(wù)簡(jiǎn)介
分享URL:http://weahome.cn/article/gscpdg.html
|
|
重慶分公司
重慶分公司
