配置Sentry为不同的用户显示/隐藏不同的数据库 [英] Configure Sentry to show/hide different databases for different users

问题描述

我有一个使用cdh-5.7.0运行的群集，并配置了以下设置：

• hadoop with kerberos


• hive使用LDAP身份验证


• hive使用哨兵授权（存储在JDBC derby中的规则）
  
  
  

  我的目标是限制用户查看我的系统中存在哪些数据库。
  例如：
  
  

  
  
  • 执行 show databases 时，用户A应该只能看到数据库DB- code>
  
  
  • 当执行 show databases
  $ b $时，User-B应只能看到数据库DB-B b
  
  
  

  我按照文章 https://blog.cloudera.com/blog/2013/12/how-to-get-started-with-sentry-in-hive/ 做到这一点。但没有成功。
  我所取得的成绩是
  
  

  
  
  • 用户A只能从DB-A中选择表格，而不能从DB-B中选择表格。 / li>
    
  • 用户B只能从DB-B中选择表格，而不能从DB-A中选择表格。
    
  
  
  

  但执行 show databases 时，仍然可以看到DB-A和DB-B。但我想避免这种情况。

  
  
  

  您的任何提示如何使用规则或设置来运行？
  
  

  感谢
  Marko
  

  解决方案

  根据您的描述和我从现有设置中学到的知识， +您需要将以下属性添加到 hive-site.xml 中：

   <性> 
  < name> hive.metastore.filter.hook< / name> 
  < value> org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook< / value> 
  < / property> 
    

  即使您使用CDH 5.7， MapR 5文档提供了一些上下文。以及哨兵服务互动的。
  
  

  重新启动Hive服务后，您应该能够看到您期待的结果。
  

  I have a cluster running with cdh-5.7.0 and configured the following setup

  • hadoop with kerberos
  • hive with LDAP authentication
  • hive with sentry authorization (rules stored in JDBC derby)

  My goal is to restrict users to see which databases exist in my system. E.g.:

  • User-A should only see database DB-A when execute show databases
  • User-B should only see database DB-B when execute show databases

  I followed the article https://blog.cloudera.com/blog/2013/12/how-to-get-started-with-sentry-in-hive/ to make that happen. But without success. What I achieved was that

  • User-A can only select tables from DB-A and not from DB-B.
  • User-B can only select tables from DB-B and not from DB-A.

  But both can still see DB-A and DB-B when executing show databases. But i want to avoid this.

  Any hints from you how the rules or the setup could looks like to get that running?

  Thanks Marko

  解决方案

  According your description and from what I've learned from existing setups, in case of Sentry v1.6+ you need to add the following property to your hive-site.xml:

  <property>
    <name>hive.metastore.filter.hook</name>
    <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
  </property>
  

  Even if you are on CDH 5.7, the MapR 5 documentation is providing some context. As well Sentry Service Interactions.

  After re-starting the Hive service you should be able to see the result which you are expecting.

  这篇关于配置Sentry为不同的用户显示/隐藏不同的数据库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！