EMR上Hive ACL配置

• hive-site.xml配置（配置中设置了hadoop为admin用户）：

<property>
	<name>hive.security.authorization.enabled</name>
	<value>true</value>
</property>
<property>
	<name>hive.server2.enable.doAs</name>
	<value>false</value>
</property>
<property>
	<name>hive.users.in.admin.role</name>
	<value>hadoop</value>
</property>
<property>
	<name>hive.security.metastore.authorization.manager</name>
	<value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
</property>
<property>
	<name>hive.security.metastore.authenticator.manager</name>
	<value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
</property>
<property>
	<name>hive.security.authorization.manager</name>
	<value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory</value>
</property>

• hiveserver2-site.xml配置：

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration>
	<property>
		<name>hive.security.authorization.manager</name>
		<value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
	</property>

	<property>
		<name>hive.security.authorization.enabled</name>
		<value>true</value>
	</property>

	<property>
		<name>hive.security.authenticator.manager</name>
		<value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
	</property>
</configuration>

• 重启hiveserver2

到目前为止，hive就已经支持acl功能了。现在来看看如果使用acl功能（常用命令）。

• beeline登录hive（使用admin账号：hadoop）：

beeline -u "jdbc:hive2://localhost:7001/" -n hadoop

• 切换当前用户为admin权限：set role admin;
• 角色命令： 创建角色：create role role_name; 查看角色：drop role role_name; 删除角色：drop role role_name;
• 角色权限命令： 给角色设置权限：grant select on table table_name to role role_name; 解除：revoke select on table table_name from role role_name; 查看角色的权限：show grant role role_name on table table_name;
• 权限包含： 1.SELECT：赋予读取某个对象的权限 2.INSERT：赋予添加数据至某个对象（表）的权限 3.UPDATE：赋予在某个对象（表）上执行更新操作的权限； 4.DELETE：赋予在某个对象（表）上删除数据的权限； 5.ALL：赋予在某个对象上的所有权限（被转换成拥有上面四个权限）
• 角色用户命令： 给用户分配角色：grant role_name to USER user_name; 解除使用：revoke role_name from USER user_name; 查询用户有什么角色：show role grant user user_name; 查看角色下有哪些用户：show principals role_name;

目前为止，大概知道了如果使用hive的acl了，接下来实际给个例子，使用acl：

=====创建表及数据 create table if not exists table1 (name string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ','; create table if not exists table2 (name string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ','; create table if not exists table3 (name string) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',';

insert into table1 values ('t1-1'),('t1-2'); insert into table2 values ('t2-1'),('t2-2'); insert into table3 values ('t3-1'),('t3-2'); ========权限设计 1. 数据组（dev可读可写tabel1和table2），运营组（om可读table1和table2），boss组（可读table1、table2和table3，同时可写table3） 2. 给dev_1用户分配dev的role，给om_1分配om的role，给boss_1分配boss的role

=======实操 利用hadoop登录：beeline -u "jdbc:hive2://localhost:7001/" -n hadoop 切换admin角色：set role admin; 创建角色： create role dev; create role om; create role boss; show roles;

角色分配权限： grant ALL on table table1 to role dev; grant ALL on table table2 to role dev; grant select on table table1 to role om; grant select on table table2 to role om; grant select on table table1 to role boss; grant select on table table2 to role boss; grant ALL on table table3 to role boss; show grant role dev on table table1; show grant role om on table table1; show grant role boss on table table1; show grant role dev on table table2; show grant role om on table table2; show grant role boss on table table2; show grant role dev on table table3; show grant role om on table table3; show grant role boss on table table3;

让用户绑定角色： grant dev to USER dev_1; grant om to USER om_1; grant boss to USER boss_1; show role grant user dev_1; show role grant user om_1; show role grant user boss_1;