Drawbacks of Sentry:
1. It supports only the Hive, HDFS and Impala components; it does not support HBase, Storm, etc.
show roles;
create role admin_zr;
0: jdbc:hive2://cbp5.chinaoly.com:10000/> grant all on server server1 to role admin_zr;
INFO : Compiling command(queryId=hive_20210404174040_4e155e03-79c5-40c4-a24a-7b0601588b30): grant all on server server1 to role admin_zr
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20210404174040_4e155e03-79c5-40c4-a24a-7b0601588b30); Time taken: 0.069 seconds
INFO : Executing command(queryId=hive_20210404174040_4e155e03-79c5-40c4-a24a-7b0601588b30): grant all on server server1 to role admin_zr
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20210404174040_4e155e03-79c5-40c4-a24a-7b0601588b30); Time taken: 0.183 seconds
INFO : OK
No rows affected (0.258 seconds)

# Grant the admin_zr role to the hive user group (the hive group corresponds to the operating-system group)
0: jdbc:hive2://cbp5.chinaoly.com:10000/> grant role admin_zr to group hive;

# Create the table mytable05 and insert test data
0: jdbc:hive2://cbp5.chinaoly.com:10000/> create table mytable05(id int,name string);
0: jdbc:hive2://cbp5.chinaoly.com:10000/> insert into mytable05 values(1,'zhangsan'),(2,'lisi');

# Create test roles and grant the roles to user groups
# Create two roles:
# readrole: can only read table mytable01 in the default database; granted to the readaccount user group
# writerole: can only write table mytable01 in the default database; granted to the writeaccount user group

# Create the roles
create role readrole;
create role writerole;

# Grant the select (query) privilege on table mytab01
0: jdbc:hive2://cbp5.chinaoly.com:10000/> grant select on table mytab01 to role readrole;
INFO : Compiling command(queryId=hive_20210404181717_12d3898d-a554-4ada-a603-c68bf31d11fa): grant select on table mytab01 to role readrole
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20210404181717_12d3898d-a554-4ada-a603-c68bf31d11fa); Time taken: 0.066 seconds
INFO : Executing command(queryId=hive_20210404181717_12d3898d-a554-4ada-a603-c68bf31d11fa): grant select on table mytab01 to role readrole
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20210404181717_12d3898d-a554-4ada-a603-c68bf31d11fa); Time taken: 0.066 seconds
INFO : OK
No rows affected (0.137 seconds)

0: jdbc:hive2://cbp5.chinaoly.com:10000/> # Grant the write (insert) privilege on table mytable05
0: jdbc:hive2://cbp5.chinaoly.com:10000/> grant insert on table mytable05 to role writerole;
INFO : Compiling command(queryId=hive_20210404182121_d575c3a4-4f60-4082-b68f-577f1255720a): grant insert on table mytable05 to role writerole
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20210404182121_d575c3a4-4f60-4082-b68f-577f1255720a); Time taken: 0.063 seconds
INFO : Executing command(queryId=hive_20210404182121_d575c3a4-4f60-4082-b68f-577f1255720a): grant insert on table mytable05 to role writerole
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20210404182121_d575c3a4-4f60-4082-b68f-577f1255720a); Time taken: 0.038 seconds
INFO : OK
No rows affected (0.105 seconds)

0: jdbc:hive2://cbp5.chinaoly.com:10000/> # 4. Grant the readrole role to the readaccount user group, and the writerole role to the writeaccount user group
0: jdbc:hive2://cbp5.chinaoly.com:10000/> grant role readrole to group readaccount;
0: jdbc:hive2://cbp5.chinaoly.com:10000/> grant role writerole to group writeaccount;
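
To review what the grants above actually allow, the following added example (not part of the original page and not Sentry code) resolves group -> role -> privilege in a simplified model and lists roles that hold ALL at a broad scope. It assumes that ALL covers every action, that a server or database grant covers the tables beneath it, and that table grants refer to the default database; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the GRANT statements from the session above, as typed there.
SESSION = """
grant all on server server1 to role admin_zr;
grant role admin_zr to group hive;
grant select on table mytab01 to role readrole;
grant insert on table mytable05 to role writerole;
grant role readrole to group readaccount;
grant role writerole to group writeaccount;
"""

PRIV_RE = re.compile(
    r"grant\s+(\w+)\s+on\s+(server|database|table)\s+(\w+)\s+to\s+role\s+(\w+)", re.I)
ROLE_RE = re.compile(r"grant\s+role\s+(\w+)\s+to\s+group\s+(\w+)", re.I)

def parse_grants(text):
    """Return (role -> {(action, scope, object)}, group -> {role})."""
    role_privs, group_roles = defaultdict(set), defaultdict(set)
    for stmt in filter(None, (s.strip() for s in text.split(";"))):
        m = ROLE_RE.fullmatch(stmt)
        if m:
            group_roles[m.group(2).lower()].add(m.group(1).lower())
            continue
        m = PRIV_RE.fullmatch(stmt)
        if m:
            action, scope, obj, role = (g.lower() for g in m.groups())
            role_privs[role].add((action, scope, obj))
    return role_privs, group_roles

def allowed(group, action, table, role_privs, group_roles, database="default"):
    """True if any role of the group holds a privilege covering action on table."""
    for role in group_roles.get(group, ()):
        for act, scope, obj in role_privs.get(role, ()):
            covers_action = act in ("all", action)
            covers_object = (scope == "server"
                             or (scope == "database" and obj == database)
                             or (scope == "table" and obj == table))
            if covers_action and covers_object:
                return True
    return False

def broad_grants(role_privs):
    """Roles holding ALL at server or database scope, for least-privilege review."""
    return sorted(role for role, privs in role_privs.items()
                  if any(a == "all" and s in ("server", "database") for a, s, _ in privs))
```

On the real cluster, the same questions are answered by Sentry's `SHOW GRANT ROLE <role>;` and `SHOW ROLE GRANT GROUP <group>;` statements.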