Need of disabling HiveServer2 Impersonation for Sentry


Question

I have configured Hive authorization through Sentry and made all the needed changes. One of the changes is to disable HiveServer2 impersonation by setting the property below:

hive.server2.enable.doAs to false

This is a mandatory requirement for Sentry, as mentioned in the Cloudera doc here. So what is the need for doing that, as it is a very standard requirement with respect to BI tools, where one user will be launching the application and that will be impersonating the logged-in user? Please let me know if there is some aspect I am missing due to which this restriction is needed.

Recommended answer

Impersonation turned off in this case suggests that the query will run as the hive user. In fact, the underlying HDFS directory within the Hive warehouse managing the table(s) for this query will be owned by the hive user. However, an Access Control List (ACL) will entitle the 'real' user to perform read, write, and/or execute operations against the underlying HDFS file. Also, the 'real' user will be entitled to operations against the table or columns within the table. The ACLs and the table/column entitlements constitute what's called the Sentry policy. Since that policy is in place as part of the Hive query execution, there is no need to impersonate the 'real' user. Consider the Sentry policy file to be an RBAC (i.e. role-based access control) permission set. With those permissions in place, impersonation is not needed.
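
The model the answer describes, as an added example that is not part of the original answer and is not Cloudera or Sentry code: the query always executes as the hive service user, while the decision to allow it is made from the requesting user's groups, roles and privileges in a Sentry policy file. The user `alice`, the group, role, server, database and table names are constructed, and the privilege matching is a simplified assumption of this example.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed sample inputs for this example (not from the original page).
HIVE_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
</configuration>"""
POLICY = """
[groups]
bi_analysts = analyst_role
[roles]
analyst_role = server=server1->db=sales->table=orders->action=select
"""

def doas_disabled(hive_site_xml):
    """True only when hive.server2.enable.doAs is explicitly set to false."""
    for prop in ET.fromstring(hive_site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == "hive.server2.enable.doAs":
            return (prop.findtext("value") or "").strip().lower() == "false"
    return False  # property absent: Hive's default is true (impersonation on)

def privileges_for(policy_text, groups):
    """Resolve groups -> roles -> privileges from a Sentry policy file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep group and role names case-sensitive
    cp.read_string(policy_text)
    privs = []
    for group in groups:
        for role in cp.get("groups", group, fallback="").split(","):
            for priv in cp.get("roles", role.strip(), fallback="").split(","):
                if priv.strip():
                    # "db=sales->table=orders" -> {"db": "sales", "table": "orders"}
                    privs.append(dict(kv.split("=", 1) for kv in priv.strip().split("->")))
    return privs

def authorize(hive_site_xml, policy_text, user, groups, db, table, action):
    """Return (os_user_running_the_query, allowed) for the requesting user."""
    if not doas_disabled(hive_site_xml):
        return user, False  # this example treats impersonation-on as a misconfiguration
    allowed = any(
        p.get("db") == db
        and p.get("table", table) == table  # db-level grant covers all tables
        and p.get("action", action) in (action, "*", "all")
        for p in privileges_for(policy_text, groups)
    )
    return "hive", allowed  # the query itself always executes as the hive service user

if __name__ == "__main__":
    print(authorize(HIVE_SITE, POLICY, "alice", ["bi_analysts"], "sales", "orders", "select"))
```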
