FAQ
I use rpm to install CDH and Hive with Kerberos, and they are working well.

Now I am configuring sentry for hive:

hive-site.xml:
<property>
   <name>javax.jdo.option.ConnectionURL</name>
   <value>jdbc:mysql://xxxxx/metastore</value>
   <description>the URL of the MySQL database</description>
</property>

<property>
   <name>javax.jdo.option.ConnectionDriverName</name>
   <value>com.mysql.jdbc.Driver</value>
</property>

<property>
   <name>javax.jdo.option.ConnectionUserName</name>
   <value>hive</value>
</property>

<property>
   <name>javax.jdo.option.ConnectionPassword</name>
   <value>xxxxx</value>
</property>

<property>
   <name>datanucleus.autoCreateSchema</name>
   <value>false</value>
</property>

<property>
   <name>datanucleus.fixedDatastore</name>
   <value>true</value>
</property>

<property>
   <name>datanucleus.autoStartMechanism</name>
   <value>SchemaTable</value>
</property>

<!--
<property>
   <name>hive.metastore.uris</name>
   <value>xxxxxxxxx</value>
   <description>IP address (or fully-qualified domain name) and port of the metastore host</description>
</property>
-->

<property>
   <name>hive.support.concurrency</name>
   <description>Enable Hive's Table Lock Manager Service</description>
   <value>true</value>
</property>

<property>
   <name>hive.zookeeper.quorum</name>
   <description>Zookeeper quorum used by Hive's Table Lock Manager</description>
   <value>xxxxxxxxxxxx</value>
</property>


<property>
   <name>hive.server2.enable.impersonation</name>
   <description>Enable user impersonation for HiveServer2</description>
   <value>false</value>
</property>


<property>
   <name>hive.server2.authentication</name>
   <value>KERBEROS</value>
</property>
<property>
   <name>hive.server2.authentication.kerberos.principal</name>
   <value>hive/_HOST@EXAMPLE.COM</value>
</property>
<property>
   <name>hive.server2.authentication.kerberos.keytab</name>
   <value>/etc/hive/conf/hive.keytab</value>
</property>

<property>
   <name>hive.metastore.sasl.enabled</name>
   <value>true</value>
   <description>If true, the metastore thrift interface will be secured with SASL. Clients must authenticate with Kerberos.
   </description>
</property>
<property>
   <name>hive.metastore.kerberos.keytab.file</name>
   <value>/etc/hive/conf/hive.keytab</value>
   <description>The path to the Kerberos Keytab file containing the metastore thrift server's service principal.
   </description>
</property>
<property>
   <name>hive.metastore.kerberos.principal</name>
   <value>hive/_HOST@EXAMPLE.COM</value>
   <description>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct host name.
   </description>
</property>

<!-- sentry enable -->
<property>
<name>hive.server2.session.hook</name>
<value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
</property>

<property>
<name>hive.sentry.conf.url</name>
<value>/etc/hive/conf</value>
<description>sentry-site.xml file location</description>
</property>

sentry-site.xml:
[users]
lixiang = lixiang

<configuration>
   <property>
     <name>hive.sentry.provider</name>
     <value>org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider</value>
   </property>

   <property>
     <name>hive.sentry.provider.resource</name>
     <value>hdfs://xxxxx:49000/user/hive/sentry/sentry-provider.ini</value>
     <!--
        If the hdfs-site.xml points to HDFS, the path will be in HDFS;
        alternatively you could specify a full path, e.g.:
        hdfs://namenode:port/path/to/authz-provider.ini
        file:///path/to/authz-provider.ini
     -->
   </property>

   <property>
     <name>hive.sentry.server</name>
     <value>server1</value>
   </property>
</configuration>

hdfs --> /user/hive/sentry/sentry-provider.ini:
[databases]
customers = hdfs://xxxxx/user/hive/sentry/customers.ini
[groups]
admin = admin_role

[roles]
admin_role = server=server1->db=*
admin_role = server=server1

hdfs --> /user/hive/sentry/customers.ini:
[groups]
lixiang = customers_select_role

[roles]
customers_insert_role = server=server1->db=customers->table=*->action=insert
customers_select_role = server=server1->db=customers->table=student->action=select

-------------------------------------------------------------------------------------------
Are they OK?

When I addprinc a user called lixiang, and adduser a user called lixiang on Linux, and I execute a 'load data' command into the customers.student table, why is there nothing wrong with it?

To unsubscribe from this group and stop receiving emails from it, send an email to scm-users+unsubscribe@cloudera.org.
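An added Python check (not code from the thread or from Sentry) that resolves the posted policy files the way the file-based provider does, group to role to privilege, to see what they actually grant. It assumes the Linux user lixiang belongs to the OS group lixiang (the group mapping LocalGroupResourceAuthorizationProvider relies on), embeds the two ini files inline instead of reading them from HDFS, and treats the duplicated admin_role key as last-definition-wins.

```python
import configparser
# Constructed copies of the two policy files in the post; the per-database
# file is embedded inline instead of being fetched from HDFS.
PROVIDER_INI = """[databases]
customers = customers.ini
[groups]
admin = admin_role
[roles]
admin_role = server=server1->db=*
admin_role = server=server1
"""
CUSTOMERS_INI = """[groups]
lixiang = customers_select_role
[roles]
customers_insert_role = server=server1->db=customers->table=*->action=insert
customers_select_role = server=server1->db=customers->table=student->action=select
"""
def _load(text):
    # strict=False tolerates the duplicated admin_role key: the last definition silently wins (assumed).
    cp = configparser.ConfigParser(strict=False, delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep role and group names case-sensitive
    cp.read_string(text)
    return cp
def parse_policy(provider_text, db_files):
    """Merge [groups] and [roles] from the main file and each per-database file."""
    group_roles, role_privs = {}, {}
    files = [_load(provider_text)]
    files += [_load(db_files[db]) for db in files[0]["databases"]]
    for cp in files:
        for g, rs in cp["groups"].items():
            group_roles.setdefault(g, []).extend(r.strip() for r in rs.split(","))
        for r, ps in cp["roles"].items():  # each privilege is a server->db->table->action chain
            role_privs[r] = [dict(x.split("=", 1) for x in p.strip().split("->")) for p in ps.split(",")]
    return group_roles, role_privs
def grants(priv, request):
    for key in ("server", "db", "table"):
        if key not in priv:
            break  # privilege stops higher in the hierarchy, so it covers everything beneath
        if priv[key] not in ("*", request[key]):
            return False
    return priv.get("action", "*").lower() in ("*", "all", request["action"])
def authorized(user_groups, policy, request):
    group_roles, role_privs = policy
    return any(grants(p, request) for g in user_groups
               for r in group_roles.get(g, []) for p in role_privs.get(r, []))
POLICY = parse_policy(PROVIDER_INI, {"customers": CUSTOMERS_INI})
# LOAD DATA into customers.student needs insert on that table; the Linux user lixiang is
# assumed to be in OS group lixiang, which is the mapping the local group provider uses.
LOAD_DATA = {"server": "server1", "db": "customers", "table": "student", "action": "insert"}
```

With this policy, customers_select_role does not cover insert on customers.student, so a LOAD DATA that succeeds for lixiang was not checked against it. Note also that the second admin_role line replaces the first, leaving only the server-wide grant.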


  • bc Wong at Oct 31, 2013 at 7:46 am
    Adding cdh-user; bcc: scm-users

    On Thu, Oct 31, 2013 at 12:36 AM, david1990111@163.com wrote:


Discussion Overview
group: scm-users
categories: hadoop
posted: Oct 31, '13 at 7:37a
active: Oct 31, '13 at 7:46a
posts: 2
users: 2
website: cloudera.com
irc: #hadoop