Hive Authorization is managed via beeline shell.
• Become hive principal using hive server keytab
• Log in on the server where hiveserver2 is running
• Start beeline
• Execute the !connect command
Example of JDBC connection URL:
Syntax:
!connect jdbc:hive2://<hostname-hive-server2>:10000/default;principal=<hive-server2-principal-name>;saslQop=auth-conf
Example:
!connect jdbc:hive2://lcd218.brv.llkz:10000/default;principal=hive/lcd218.brv.llkz@MANOJ.ROOTDOM.NET;saslQop=auth-conf
• "show roles;" will show available Sentry roles.
• "show grant role <rolename>" will show grants for the role.
The mapping of Sentry privileges is as follows:
• SELECT privilege -> Read access
• INSERT privilege -> Write access
• ALL privilege -> Read and Write
Scenario:
The customer wants to create a new role “crashdata_viewer” and assign that new role to database “abd_crashdata” with read access. The following groups need to be assigned to the specified role:
• az_mx_access_us
• azspaactuaries
• globalpc
Steps for implementation:
Run the below commands from beeline shell:
• Create role crashdata_viewer
> create role crashdata_viewer;
• Assign role to DB abd_crashdata with read access.
> grant select on database abd_crashdata to role crashdata_viewer;
• Assign groups to the role crashdata_viewer
> grant role crashdata_viewer to group az_mx_access_us;
> grant role crashdata_viewer to group azspaactuaries;
> grant role crashdata_viewer to group globalpc;
Post implementation checks:
• Check the permissions granted for the role crashdata_viewer.
> show grant role crashdata_viewer;
• Check the roles assigned to a particular group:
> show role grant group az_mx_access_us;
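An added example (not part of the original post) that automates the first post-implementation check: it reads the output of "show grant role crashdata_viewer;" in beeline's csv2 format and fails if the role holds anything other than SELECT on abd_crashdata. The beeline invocation shown in the comment and the column names database, privilege and grant_option are assumptions about the output layout; the sample rows are constructed.

```shell
#!/bin/sh
# Added example: least-privilege check on the output of "show grant role <role>;".
# Assumed way to capture the input (csv2 output with a header row):
#   beeline -u "<jdbc-url>" --outputformat=csv2 --silent=true \
#           -e "show grant role crashdata_viewer;" > grants.csv
# Assumed header columns: database, privilege, grant_option (located by name).

# check_role_grants <database> <privilege>   (reads the CSV on stdin)
# Exit 0 only if every grant is <privilege> on <database> without grant option.
check_role_grants() {
    awk -F',' -v db="$1" -v priv="$2" '
        NR == 1 {                                  # map header names to columns
            for (i = 1; i <= NF; i++) col[tolower($i)] = i
            if (!(("database" in col) && ("privilege" in col) && ("grant_option" in col))) {
                print "FAIL: unexpected header: " $0; bad = 1; exit
            }
            next
        }
        NF == 0 { next }                           # skip blank lines
        {
            rows++
            d = tolower($(col["database"]))
            p = tolower($(col["privilege"]))
            g = tolower($(col["grant_option"]))
            if (d != tolower(db))   { print "FAIL: grant on database " d; bad = 1 }
            if (p != tolower(priv)) { print "FAIL: privilege " p " on " d; bad = 1 }
            if (g != "false")       { print "FAIL: grant option set on " d; bad = 1 }
        }
        END {
            if (!bad && rows == 0) { print "FAIL: no grants found"; bad = 1 }
            if (!bad) print "OK: " rows " grant(s), all " priv " on " db
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample rows (not real output): the grant from the scenario ...
SAMPLE_OK='database,table,partition,column,principal_name,principal_type,privilege,grant_option,grant_time,grantor
abd_crashdata,,,,crashdata_viewer,ROLE,select,false,1500000000000000,--'
# ... and the same role after a wider grant (ALL assumed to display as *).
SAMPLE_WIDE="$SAMPLE_OK
other_db,,,,crashdata_viewer,ROLE,*,false,1500000000000001,--"

printf '%s\n' "$SAMPLE_OK"   | check_role_grants abd_crashdata select
printf '%s\n' "$SAMPLE_WIDE" | check_role_grants abd_crashdata select \
    || echo "role is wider than intended"
```

A non-zero exit status makes the check usable as a gate in a change-verification script after the grants are applied.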
Reference:
https://www.cloudera.com/documentation/enterprise/5-5-x/topics/sg_hive_sql.html