Foreword
Sentry is an open-source component on the Hadoop security side, still in incubation at the time of writing: https://sentry.incubator.apache.org. It was originally developed by Cloudera and later contributed to Apache. On its strengths, here is an excerpt; the full text is at http://www.csdn.net/article/2013-08-14/2816575-with-sentry-cloudera-fills-hadoops-enterprise-security-gap:
Sentry is an authorization module for Hadoop. To give the right users and applications precisely the right level of access, Sentry provides fine-grained, role-based authorization and a multi-tenant management model, which offers Hadoop users the following benefits:
the ability to store more sensitive data in Hadoop
giving more end users access to Hadoop data
building more Hadoop use cases
building multi-user applications
regulatory compliance (for example SOX, PCI, HIPAA, EAL3)
This article (probably the first of a series) mainly covers the pitfalls I ran into while using it, plus concrete usage references.
1. Installation
I am using CDH 5.4.3, with Sentry 1.4.0. Go to the Cloudera site, find the tarball, download and unpack it. Then edit /etc/profile to add it to the environment variables:
export SENTRY_HOME=/home/hadoop/apache-sentry-1.4.0-cdh5.4.3-bin/
export PATH=$SENTRY_HOME/bin:$PATH
2. Configuration changes
Reference articles: http://blog.javachen.com/2015/04/30/install-and-config-sentry.html and
http://gethue.com/apache-sentry-made-easy-with-the-new-hue-security-app/ (read this one carefully, it is very useful and is referred to again below)
Key points:
(1) Database configuration. The commented-out values are the MySQL settings, kept for reference; the active values use embedded Derby.

<property>
  <name>sentry.store.jdbc.url</name>
  <!--<value>jdbc:mysql://host:port/sentry</value>-->
  <value>jdbc:derby:;databaseName=metastore_db;create=true</value>
  <description>JDBC connection URL for the backed DB</description>
</property>
<property>
  <name>sentry.store.jdbc.user</name>
  <value></value>
  <description>Userid for connecting to backend db</description>
</property>
<property>
  <name>sentry.store.jdbc.password</name>
  <value></value>
  <description>Sentry password for backend JDBC user</description>
</property>
<property>
  <name>sentry.store.jdbc.driver</name>
  <!--<value>com.mysql.jdbc.Driver</value>-->
  <value>org.apache.derby.jdbc.EmbeddedDriver</value>
  <description>Backend JDBC driver - org.apache.derby.jdbc.EmbeddedDriver (only when dbtype = derby) JDBC Driver class for the backed DB</description>
</property>

(2) As their names suggest, the two parameters below are the users allowed to connect to the service and the administrator groups. They matter a lot; more on them below.

<property>
  <name>sentry.service.allow.connect</name>
  <value>hive,hue,jerrickwang</value>
  <description>comma separated list of users - List of users that are allowed to connect to the service (eg Hive, Impala)</description>
</property>
<property>
  <name>sentry.service.admin.group</name>
  <value>admin</value>
  <description>Comma separates list of groups. List of groups allowed to make policy updates</description>
</property>

(3) Sentry's group mapping. The default is HadoopGroupMappingService; LocalGroupMapping can be used instead, but then the policy file path must be given.

<property>
  <name>sentry.store.group.mapping</name>
  <value>org.apache.sentry.provider.common.HadoopGroupMappingService</value>
  <description>Group mapping class for Sentry service. org.apache.sentry.provider.file.LocalGroupMapping service can be used for local group mapping.</description>
</property>
<property>
  <name>sentry.store.group.mapping.resource</name>
  <value></value>
  <description>Policy file for group mapping. Policy file path for local group mapping, when sentry.store.group.mapping is set to LocalGroupMapping Service class.</description>
</property>
3. Initialize the database, start the service, then point the Hue configuration at the host and port:
3.1 With MySQL, first create the sentry database, then initialize it (optional). With Derby, set create=true in the JDBC URL and this step can be skipped.

create database sentry
sentry --command schema-tool -initSchema -conffile conf/sentry-site.xml -dbType mysql

3.2 Start the service

cd $SENTRY_HOME
sentry --command service -conffile conf/sentry-site.xml

3.3 Edit the Hue configuration and restart Hue

[libsentry]
# Hostname or IP of server.
hostname=localhost
# Port the sentry service is running on.
port=8038
# Sentry configuration directory, where sentry-site.xml is located.
sentry_conf_dir=/home/hadoop/apache-sentry-1.4.0-cdh5.4.3-bin/conf
4. The problem
In Hue: user jerrickwang, groups default + admin
In Sentry:
<name>sentry.service.admin.group</name>
<value>admin</value>
But after logging in it kept failing with "group not found":
15/08/17 10:10:28 WARN security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user jerrickwang: id: jerrickwang: No such user
Trying to add a role also fails:
15/08/17 10:15:06 WARN thrift.SentryPolicyStoreProcessor: User: jerrickwang is part of [] which does not, intersect admin groups [admin]
15/08/17 11:11:40 WARN common.HadoopGroupMappingService: Unable to obtain groups for jerrickwang
java.io.IOException: No groups found for user jerrickwang
This looks like a user/group problem. Checking the configuration:
<property>
<name>sentry.store.group.mapping</name>
<value>org.apache.sentry.provider.common.HadoopGroupMappingService</value>
各類搜索無果,果斷本身看代碼,官方下載sentry1.5源碼,導入到eclipse:
provider-common包中找到HadoopGroupMappingService.class ,代碼不多,重點關注定義了一個org.apache.hadoop.security.Groups;
public Set<String> getGroups(String user) { try { return new HashSet<String>(groups.getGroups(user)); } catch (IOException e) { LOGGER.warn("Unable to obtain groups for " + user, e); } return Collections.emptySet(); }
Now the Groups class in hadoop-common (abridged):

public List<String> getGroups(String user) throws IOException {
    List staticMapping = (List) this.staticUserToGroupsMap.get(user);
    CachedGroups groups = (CachedGroups) this.userToGroupsMap.get(user);
    if (groups.getGroups().isEmpty()) {
        throw new IOException("No groups found for user " + user);
    }
}
In its constructor the actual provider is chosen by hadoop.security.group.mapping, defaulting to ShellBasedUnixGroupsMapping:

this.impl = ((GroupMappingServiceProvider) ReflectionUtils.newInstance(
    conf.getClass("hadoop.security.group.mapping",
                  ShellBasedUnixGroupsMapping.class,
                  GroupMappingServiceProvider.class), conf));

In the same package, the ShellBasedUnixGroupsMapping class (abridged):

private static List<String> getUnixGroups(String user) throws IOException {
    String result = "";
    try {
        result = Shell.execCommand(Shell.getGroupsForUserCommand(user));
    } catch (Shell.ExitCodeException e) {
        LOG.warn("got exception trying to get groups for user " + user + ": " + e.getMessage());
        return new LinkedList();
    }

So that is what Sentry's default group mapping does, which I had not expected at all: it resolves the user's groups from the Linux system (Shell.getGroupsForUserCommand runs id -gn / id -Gn for the user), and since the jerrickwang user does not exist on Linux it has no groups, hence the errors.
cat /etc/group shows the system groups: basically root, hadoop and work.
Because Hue authenticates against LDAP, I cannot add accounts there. Based on the conclusion above: add the jerrickwang user on Linux, put it in the hadoop group, and set Sentry's admin group to hadoop; that should be enough.
-- After making this change and restarting Sentry, it worked!
5. One more layer of verification:
(1) When using an LDAP service, make sure the user also exists on the Linux system
(2) Make sure the permissions line up:
To be able to edit roles and privileges in Hue, the logged-in Hue user needs to belong to a group in Hue that is also an admin group in Sentry. For example, our ‘hive’ user belongs to a ‘hive’ group in Hue and also to a ‘hive’ group in Sentry:
<property>
  <name>sentry.service.admin.group</name>
  <value>hive,impala,hue</value>
</property>
Mine:
Linux: jerrickwang, member of the hadoop group
Hue: jerrickwang, admin group
Configuration:
<name>sentry.service.admin.group</name>
(1) <value>admin</value>: insufficient permissions, cannot add roles; this all but confirms that Sentry's groups are the Linux groups
(2) <value>hadoop</value>, and the group in Hue set to hadoop: done!
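To reproduce this lookup chain outside Sentry, here is an added Python example (mine, not code from Sentry or from the original post). It parses a constructed sentry-site.xml carrying the values used on this page, resolves a user's groups the way ShellBasedUnixGroupsMapping does (by shelling out to id -Gn for the user, which returns nothing for a user the OS does not know), and reports whether those groups intersect sentry.service.admin.group, the check behind the "does not, intersect admin groups" warning in section 4. It cannot see Hue's own group assignments; that side still has to be matched by hand as in (2) above. The user name and the file contents are assumptions for illustration.

```python
"""Diagnose Sentry admin-group membership the way Sentry itself resolves it.

Added example; not Sentry's own code. Sentry -> HadoopGroupMappingService ->
hadoop Groups -> ShellBasedUnixGroupsMapping -> `id -Gn <user>` on the
Sentry host. A Hue user that has no Linux account therefore has no groups.
"""
import subprocess
import sys
import xml.etree.ElementTree as ET

# Constructed sentry-site.xml fragment (assumption: mirrors the values on this page).
SAMPLE_SENTRY_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>sentry.service.allow.connect</name>
    <value>hive,hue,jerrickwang</value>
  </property>
  <property>
    <name>sentry.service.admin.group</name>
    <value>admin</value>
  </property>
  <property>
    <name>sentry.store.group.mapping</name>
    <value>org.apache.sentry.provider.common.HadoopGroupMappingService</value>
  </property>
</configuration>
"""


def parse_sentry_site(xml_text):
    """Return {property name: value} from a Hadoop-style configuration XML."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def csv_set(value):
    """Split a comma-separated Sentry value into a set of non-empty entries."""
    return {v.strip() for v in value.split(",") if v.strip()}


def unix_groups(user):
    """Same lookup ShellBasedUnixGroupsMapping performs: `id -Gn <user>`.

    A user unknown to the OS makes `id` exit non-zero ("No such user"), and the
    Hadoop code then returns an empty list; we mirror that with an empty set.
    """
    try:
        out = subprocess.run(["id", "-Gn", user], capture_output=True,
                             text=True, check=True).stdout
    except (subprocess.CalledProcessError, FileNotFoundError):
        return set()
    return set(out.split())


def check_sentry_admin(user, props, group_lookup=unix_groups):
    """Report whether `user` can connect and whether it is a Sentry admin.

    `group_lookup` is injectable so the same logic can be exercised against
    hypothetical group memberships without touching /etc/group.
    """
    allowed = csv_set(props.get("sentry.service.allow.connect", ""))
    admin_groups = csv_set(props.get("sentry.service.admin.group", ""))
    groups = group_lookup(user)
    return {
        "user": user,
        "allowed_to_connect": user in allowed,
        "groups": sorted(groups),
        "admin_groups": sorted(admin_groups),
        "admin": bool(groups & admin_groups),
    }


def explain(result):
    """Turn a check result into the same complaints Sentry logs."""
    lines = []
    if not result["allowed_to_connect"]:
        lines.append("%s is not in sentry.service.allow.connect" % result["user"])
    if not result["groups"]:
        lines.append("No groups found for user %s (no OS account?)" % result["user"])
    if not result["admin"]:
        lines.append("User: %s is part of %s which does not intersect admin groups %s"
                     % (result["user"], result["groups"], result["admin_groups"]))
    return lines or ["%s is a Sentry admin" % result["user"]]


if __name__ == "__main__":
    # Usage: python sentry_groups.py [user] [sentry-site.xml]; defaults are the sample above.
    who = sys.argv[1] if len(sys.argv) > 1 else "jerrickwang"
    xml_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_SENTRY_SITE
    for line in explain(check_sentry_admin(who, parse_sentry_site(xml_text))):
        print(line)
```

Run it on the Sentry host as the same account that runs the Sentry service, because that is the account whose view of /etc/passwd and /etc/group (or NSS/LDAP) the `id` call reflects; if it prints "No groups found", the user has no OS account and Sentry will reject the role change no matter what Hue says.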
6. Database
(1) With MySQL I never got it to work; I tried every approach and still could not get rid of this error:
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Specified key was too long; max key length is 767 bytes
數據庫各類改過,甚至改了sentry初始化時調用的sql(在script目錄下)
二、使用derby時不要本身作初始化,我這邊本身初始化後,在添加角色時一直拋出一個股東error:
Caused by: ERROR 42Z23: Attempt to modify an identity column 'ROLE_ID':
bug: https://issues.apache.org/jira/browse/DERBY-1495
Connected to: Apache Derby (version 10.10.2.0 - (1582446)), but that version fixed it long ago
(3) Accessing Derby with ij
Download db-derby and unpack it; the bin directory contains the ij connection tool; add it to the environment. The databaseName in the JDBC URL is a relative path (Derby resolves it against the working directory), so run ij from the directory the Sentry service was started in:
$ cd $SENTRY_HOME
$ ij
ij version 10.11
ij> connect 'jdbc:derby:;databaseName=metastore_db';
ij> show tables;
TABLE_SCHEM |TABLE_NAME |REMARKS
------------------------------------------------------------------------
SYS |SYSALIASES |
SYS |SYSCHECKS |
SYS |SYSCOLPERMS |
SYS |SYSCOLUMNS |
SYS |SYSCONGLOMERATES |
SYS |SYSCONSTRAINTS |
SYS |SYSDEPENDS |
SYS |SYSFILES |
SYS |SYSFOREIGNKEYS |
SYS |SYSKEYS |
SYS |SYSPERMS |
SYS |SYSROLES |
SYS |SYSROUTINEPERMS |
SYS |SYSSCHEMAS |
SYS |SYSSEQUENCES |
SYS |SYSSTATEMENTS |
SYS |SYSSTATISTICS |
SYS |SYSTABLEPERMS |
SYS |SYSTABLES |
SYS |SYSTRIGGERS |
SYS |SYSUSERS |
SYS |SYSVIEWS |
SYSIBM |SYSDUMMY1 |
SENTRY |SENTRY_DB_PRIVILEGE |
SENTRY |SENTRY_GROUP |
SENTRY |SENTRY_ROLE |
SENTRY |SENTRY_ROLE_DB_PRIVILEGE_MAP |
SENTRY |SENTRY_ROLE_GROUP_MAP |
SENTRY |SENTRY_VERSION |
SENTRY |SEQUENCE_TABLE |
30 rows selected
ij> exit;
7. Next
(1) Using LocalGroupMapping for Sentry groups
(2) Integrating Sentry with Hive