配置 Hive 用户身份验证

在 Drill 1.1,你可以在 Drill 中启用模拟或者配置认证到 Hive 1.0 版本中去认证,在 Hive 的元数据仓库和 Hive 的数据仓库中访问元数据。模拟允许一个服务执行客户端请求。见 配置用户身份

这里有两种 Hive 认证类型,你可以配置和模拟:基于 SQL 标准和基于存储授权。

基于 SQL 标准认证

在 Drill 1.1 中,你可以配置基于 Hive SQL 标准认证在 Hive 1.1 版本。SQL 标准认证模型能控制用户访问列,行和视图。用户可以通过 Hive 适当的管理权限,由 GRANT 和 REVOKE 命令来管理。

更多信息,见 基于 Hive 认证的标准 SQL

基于存储插件授权

在 Drill 1.1 中,你可以配置 Hive 存储插件在 Hive 1.0 版本中。Hive 存储插件的认证是通过远程的元数据服务的安装功能,元数据使用底层的文件系统权限来确定数据库,表和分区的权限。单元式的读写权限或 ACL,来使用户或组确定对文件系统中的数据访问。因为文件系统控制目录和文件级别的访问权限,所以存储为基础的授权不能在列或视图级别上控制访问数据的访问权限。

通过权限和访问控制在分布式文件系统,你可以管理用户和组的特权。你能通过远程元数据,基于服务器的认证访问数据和元数据。

DDL 语句能够管理权限,例如 GRANT 和 REVOKE,不会影响在存储认证模型的权限。

更多信息,见 元数据上的存储插件认证

配置

一旦确定 Hive 的认证模型,你想要实现,在 Drill 中启用模拟,更新 hive-site.xml,并授权类型的相关属性,修改 Hive 在 Drill 中的存储插件。

先决条件

  • Hive 1.0 安装
  • Drill 1.1 或更新版本的安装
  • Hive 远元数据仓库配置

步骤1:启用 Drill 模拟

在每个 Drill 节点上修改 <DRILL_HOME>/conf/drill-override.conf,设置最大链接跳转数,然后重启 Drillbit 进程。

  1. drill-override.conf 文件中的 drill.exec 模块添加以下属性:
    1. drill.exec: {
    2. cluster-id: "<drill_cluster_name>",
    3. zk.connect: "<hostname>:<port>,<hostname>:<port>,<hostname>:<port>"
    4. impersonation: {
    5. enabled: true,
    6. max_chained_user_hops: 3
    7. }
    8. }
  2. 在每个 Drill 节点上重启 Drillbit 进程:
    1. <DRILLINSTALL_HOME>/bin/drillbit.sh restart

步骤2:更新 hive-site.xml

更新 hive-site.xml 中指定的认证参数,设置完成后重启 Hive。

存储插件认证

在 hive-site.xml 文件中增加以下认证参数,完成存储插件的认证配置:

  1. <name>hive.metastore.pre.event.listeners</name>
  2. <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
  3. <description>Enables metastore security.</description>
  1. <name>hive.security.metastore.authorization.manager</name>
  2. <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
  3. <description>Tells Hive which metastore-side authorization provider to use. The default setting uses DefaultHiveMetastoreAuthorizationProvider, which implements the standard Hive grant/revoke model. To use an HDFS permission-based model (recommended) for authorization, use StorageBasedAuthorizationProvider.</description>
  1. <name>hive.security.metastore.authenticator.manager</name>
  2. <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  3. <description>The authenticator manager class name in the metastore for authentication.</description>
  1. <name>hive.security.metastore.authorization.auth.reads</name>
  2. <value>true</value>
  3. <description>When enabled, Hive metastore authorization checks for read access.</description>
  1. <name>hive.metastore.execute.setugi</name>
  2. <value>true</value>
  3. <description>When enabled, this property causes the metastore to execute DFS operations using the client's reported user and group permissions. This property must be set on both the client and server sides. If the cient and server settings differ, the client setting is ignored.</description>
  1. <name>hive.server2.enable.doAs</name>
  2. <value>true</value>
  3. <description>Tells HiveServer2 to execute Hive operations as the user submitting the query. Must be set to true for the storage based model.</description>

hive-site.xml 需要配置的示例如下所示:

  1. <configuration>
  2. <property>
  3. <name>hive.metastore.uris</name>
  4. <value>thrift://10.10.100.120:9083</value>
  5. </property>
  6. <property>
  7. <name>javax.jdo.option.ConnectionURL</name>
  8. <value>jdbc:derby:;databaseName=/opt/hive/hive-1.0/bin/metastore_db;create=true</value>
  9. </property>
  10. <property>
  11. <name>javax.jdo.option.ConnectionDriverName</name>
  12. <value>org.apache.derby.jdbc.EmbeddedDriver</value>
  13. </property>
  14. <property>
  15. <name>hive.metastore.pre.event.listeners</name>
  16. <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
  17. </property>
  18. <property>
  19. <name>hive.security.metastore.authenticator.manager</name>
  20. <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
  21. </property>
  22. <property>
  23. <name>hive.security.metastore.authorization.manager</name>
  24. <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
  25. </property>
  26. <property>
  27. <name>hive.security.metastore.authorization.auth.reads</name>
  28. <value>true</value>
  29. </property>
  30. <property>
  31. <name>hive.metastore.execute.setugi</name>
  32. <value>true</value>
  33. </property>
  34. <property>
  35. <name>hive.server2.enable.doAs</name>
  36. <value>true</value>
  37. </property>
  38. </configuration>

SQL 标准认证

添加以下需要认证的参数到 hive-site.xml 中去配置 SQL 标准认证:

  1. <name>hive.security.authorization.enabled</name>
  2. <value>true</value>
  3. <description>Enables Hive security authorization.</description>
  1. <name>hive.security.authenticator.manager</name>
  2. <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
  3. <description>Class that implements HiveAuthenticationProvider to provide the client’s username and groups.</description>
<name>hive.security.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
<description>The Hive client authorization manager class name.</description>
<name>hive.server2.enable.doAs</name>
<value>false</value>
<description>Tells HiveServer2 to execute Hive operations as the user submitting the query. Must be set to false for the storage based model. </description>
<name>hive.users.in.admin.role</name>
<value>Set to the list of comma-separated users who need to be added to the admin role.</value>
<description>A comma separated list of users which gets added to the ADMIN role when the metastore starts up. You can add more uses at any time. Note that a user who belongs to the admin role needs to run the "set role" command before getting the privileges of the admin role, as this role is not in the current roles by default.</description>
<name>hive.metastore.execute.setugi</name>
<value>false</value>
<description>In unsecure mode, setting this property to true causes the metastore to execute DFS operations using the client's reported user and group permissions. Note: This property must be set on both the client and server sides. This is a best effort property. If the client is set to true and the server is set to false, the client setting is ignored.</description>

在 hive-site.xml 文件中配置需要的属性用于 SQL 标准认证,示例如下所示:

<configuration>
    <property>
      <name>hive.metastore.uris</name>
      <value>thrift://10.10.100.120:9083</value>    
    </property>

    <property>
      <name>javax.jdo.option.ConnectionURL</name>
      <value>jdbc:derby:;databaseName=/opt/hive/hive-1.0/bin/metastore_db;create=true</value>    
    </property>

    <property>
      <name>javax.jdo.option.ConnectionDriverName</name>
      <value>org.apache.derby.jdbc.EmbeddedDriver</value>    
    </property>  

    <property>
      <name>hive.security.authorization.enabled</name>
      <value>true</value>
    </property>

    <property>
      <name>hive.security.authenticator.manager</name>
      <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
    </property>       

    <property>
      <name>hive.security.authorization.manager</name>   
      <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
    </property>

    <property>
      <name>hive.server2.enable.doAs</name>
      <value>false</value>
    </property>

    <property>
      <name>hive.users.in.admin.role</name>
      <value>user</value>
    </property>

    <property>
      <name>hive.metastore.execute.setugi</name>
      <value>false</value>
    </property>    
   </configuration>

步骤3:修改 Hive 存储插件

在 Drill Web 控制台修改 Hive 存储插件,包含特定的认证设置。你在使用 Web 控制时,Drillbit 服务必须是运行状态。

完成以下步骤来修改 Hive 存储插件:

  1. 定位到 http://<drillbit_hostname>:8047,然后选择 Storage 栏。
  2. 点击 Update 使 Hive 存储插件配置生效。
  3. 在设置窗口,增加设置属性认证类型。
    • 存储认证,增加以下属性:
      {
        type:"hive",
        enabled: true,
        configProps : {
          "hive.metastore.uris" : "thrift://<metastore_host>:<port>",
          "fs.default.name" : "hdfs://<host>:<port>/",
          "hive.metastore.sasl.enabled" : "false",
          "hive.server2.enable.doAs" : "true",
          "hive.metastore.execute.setugi" : "true"
        }
      }
      
    • SQL 标准认证,增加以下属性:
      {
        type:"hive",
        enabled: true,
        configProps : {
          "hive.metastore.uris" : "thrift://<metastore_host>:9083",
          "fs.default.name" : "hdfs://<host>:<port>/",
          "hive.security.authorization.enabled" : "true",
          "hive.security.authenticator.manager" : "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator",
          "hive.security.authorization.manager" : "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory",
          "hive.metastore.sasl.enabled" : "false",
          "hive.server2.enable.doAs" : "false",
          "hive.metastore.execute.setugi" : "false"
        }
      }