Extend the setConf method of the HadoopDefaultAuthenticator class so that Hive can run as a proxied user. The main requirements are:
1. When no parameter is passed, run as the logged-in user.
2. When a parameter is passed, run as the user given by the parameter.
3. Forbid setting the proxy user to hdfs.
The changes are mainly to the HiveConf class and the HadoopDefaultAuthenticator class.
Add to HiveConf:
```java
HIVE_USE_CUSTOM_PROXY("use.custom.proxy", false),
HIVE_CUSTOM_PROXY_USER("custom.proxy.user", ""),
```
Change the setConf method of HadoopDefaultAuthenticator:
```java
import java.util.Arrays;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.shims.ShimLoader;
import org.apache.hadoop.security.UserGroupInformation;

protected String proxyUser;
// ....
public void setConf(Configuration conf) {
  UserGroupInformation ugi = null;
  if (HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_USE_CUSTOM_PROXY)) {
    // Proxy mode: authenticate as the user named in custom.proxy.user.
    proxyUser = HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_CUSTOM_PROXY_USER);
    // Reject an unset or empty proxy user, and never allow proxying as hdfs (requirement 3).
    if (proxyUser == null || "".equals(proxyUser) || "hdfs".equals(proxyUser)) {
      throw new RuntimeException("User proxy user, but set the wrong username [" + proxyUser + "]");
    }
    try {
      // Build a UGI for the proxy user; groups are resolved by Hadoop, so none are passed here.
      ugi = ShimLoader.getHadoopShims().createRemoteUser(proxyUser, null);
    } catch (Exception e) {
      throw new RuntimeException(e);
    }
    if (ugi == null) {
      throw new RuntimeException("Can not initialize ProxyUserAuthenticator for user [" + proxyUser + "]");
    }
    this.userName = ShimLoader.getHadoopShims().getShortUserName(ugi);
    if (ugi.getGroupNames() != null) {
      this.groupNames = Arrays.asList(ugi.getGroupNames());
    }
  } else {
    // Default behaviour (requirement 1): use the logged-in user from the Hadoop configuration.
    try {
      ugi = ShimLoader.getHadoopShims().getUGIForConf(conf);
    } catch (Exception e) {
      throw new RuntimeException(e);
    }
    if (ugi == null) {
      throw new RuntimeException("Can not initialize HadoopDefaultAuthenticator.");
    }
    this.userName = ShimLoader.getHadoopShims().getShortUserName(ugi);
    if (ugi.getGroupNames() != null) {
      this.groupNames = Arrays.asList(ugi.getGroupNames());
    }
  }
}
```
Usage:
hive -hiveconf use.custom.proxy=true -hiveconf custom.proxy.user=xxx
1) use.custom.proxy defaults to false, i.e. the logged-in user is used for authorization checks.
2) custom.proxy.user may not be set to an empty string or to hdfs.
Test results:
```
hive> show grant user ericni on database default;   // user with privileges
OK
default ericni USER Select false 1417681722000 hdfs
hive> show grant user ericni1 on database default;  // user without privileges
OK
```
Test: a user with privileges proxies as a user without privileges; a permission-denied error is reported:
```
hive -i /home/hdfs/.hiverc2 -hiveconf hive.root.logger=WARN,console -hiveconf use.custom.proxy=true -hiveconf custom.proxy.user=ericni1
14/12/05 15:10:35 WARN ExecReducer: in ShimLoader getHadoopShims hadoopShims is class org.apache.hadoop.hive.shims.Hadoop23Shims
Authorization failed:No privilege 'Select' found for inputs { database:default, table:dual}. Use SHOW GRANT to get more details.
14/12/05 15:10:36 ERROR ql.Driver: Authorization failed:No privilege 'Select' found for inputs { database:default, table:dual}. Use SHOW GRANT to get more details.
```
Test: a user without privileges proxies as a user with privileges; the query succeeds:
```
hive> select 1 from default.dual;
// without the proxy set, the user has no privilege to query
Authorization failed:No privilege 'Select' found for inputs { database:default, table:dual}. Use SHOW GRANT to get more details.
hive -hiveconf use.custom.proxy=true -hiveconf custom.proxy.user=ericni
// after setting the proxy, the query succeeds
```
Remaining issues:
1) The user Hive uses to write data to HDFS is separate from this user; that code has not been touched yet and will be followed up later.
2) Running jobs as a proxied user has security implications; a map is needed to restrict which users a given login user is allowed to proxy as.
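One way to close the gap named in item 2, as an added example that is not the blog's code: a small allow-list that maps each login user to the users it may proxy as, keeping the hdfs ban from the setConf above. The config string format, the class name and the admin user are assumptions.

```java
import java.util.*;

public class ProxyAllowList {
    // login user -> set of users it may run as; "*" means any user
    private final Map<String, Set<String>> allowed = new HashMap<>();

    // spec format (assumed, not a real Hive setting): "ericni=ericni1,ericni2;admin=*"
    public ProxyAllowList(String spec) {
        for (String entry : spec.split(";")) {
            String[] kv = entry.split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty()) {
                continue; // skip malformed entries
            }
            Set<String> targets = new HashSet<>();
            for (String t : kv[1].split(",")) {
                if (!t.trim().isEmpty()) {
                    targets.add(t.trim());
                }
            }
            allowed.put(kv[0].trim(), targets);
        }
    }

    // Returns the user to authenticate as, or throws if the proxy is not permitted.
    public String resolve(String loginUser, String proxyUser) {
        if (proxyUser == null || proxyUser.isEmpty()) {
            return loginUser; // requirement 1: no parameter, run as the login user
        }
        if ("hdfs".equals(proxyUser)) {
            throw new SecurityException("proxying as hdfs is not allowed"); // requirement 3
        }
        Set<String> targets = allowed.get(loginUser);
        if (targets == null || !(targets.contains("*") || targets.contains(proxyUser))) {
            throw new SecurityException(loginUser + " is not allowed to proxy as " + proxyUser);
        }
        return proxyUser; // requirement 2: permitted mapping
    }

    public static void main(String[] args) {
        ProxyAllowList acl = new ProxyAllowList("ericni=ericni1,ericni2;admin=*");
        System.out.println(acl.resolve("ericni", "ericni1"));
        System.out.println(acl.resolve("admin", "ericni"));
        try {
            acl.resolve("ericni1", "ericni");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

In setConf, the login user would come from getUGIForConf(conf) and the requested user from custom.proxy.user, with resolve() called before createRemoteUser().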
This article is reposted from the 51CTO blog of 菜菜光; original link: http://blog.51cto.com/caiguangguang/1587251. Contact the original author for reprint permission.