This is a summary article covering the steps for quickly enabling security (Kerberos authentication, LDAP, and Sentry authorization) on a Hadoop cluster, along with some caveats. For the detailed procedures, see the other articles on this blog.

1. Before you begin

The hadoop cluster has three nodes; each node's IP, hostname, and roles are listed below:

  1. 192.168.56.121 cdh1 NameNode, kerberos-server, ldap-server, sentry-store
  2. 192.168.56.122 cdh2 DataNode, yarn, hive, impala
  3. 192.168.56.123 cdh3 DataNode, yarn, hive, impala

A few notes:

  • The operating system is CentOS 6.2.
  • The Hadoop distribution is CDH 5.2.
  • Use lowercase hostnames: Kerberos is case-sensitive, Hadoop substitutes the lowercased hostname for _HOST, while Impala substitutes the hostname as-is for _HOST.
  • Before starting, make sure the Hadoop cluster itself is installed and working, whether or not HA is configured, and plan the role of each node. For simplicity I use a three-node cluster as the example; adapt it to your own situation.
  • Make sure firewalls are disabled and that all cluster nodes keep their clocks in sync with the Kerberos and LDAP servers.
  • cdh1 is the management node, so passwordless SSH login from cdh1 to every node in the cluster, including itself, must be set up.
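
The passwordless login can be set up with ssh-keygen and ssh-copy-id. The sketch below is a dry run that only prints the commands to execute on cdh1 (remove the `echo` to actually run them); the node IPs match the cluster above:

```shell
# Dry run: print the trust-setup commands for cdh1.
# ssh-copy-id asks once for each node's root password; afterwards the
# cmd.sh/syn.sh helper scripts below can run non-interactively.
[ -f "$HOME/.ssh/id_rsa" ] || echo 'ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa'
for node in 121 122 123; do
  echo "ssh-copy-id root@192.168.56.$node"
done
```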

The hosts file on every node in the cluster:

  $ cat /etc/hosts
  127.0.0.1 localhost
  192.168.56.121 cdh1
  192.168.56.122 cdh2
  192.168.56.123 cdh3

To make the cluster easier to manage, cdh1 serves as the management node, and a few scripts live in the /opt/shell directory. /opt/shell/cmd.sh runs a command on every node:

  $ cat /opt/shell/cmd.sh
  #!/bin/sh
  for node in 121 122 123;do
    echo "==============="192.168.56.$node"==============="
    ssh 192.168.56.$node "$1"
  done

/opt/shell/syn.sh copies a local file or directory to the same place on every node:

  $ cat /opt/shell/syn.sh
  #!/bin/sh
  for node in 121 122 123;do
    echo "==============="192.168.56.$node"==============="
    scp -r "$1" 192.168.56.$node:"$2"
  done

/opt/shell/cluster.sh starts, stops, or restarts a matching set of services on every node:

  $ cat /opt/shell/cluster.sh
  #!/bin/sh
  for node in 121 122 123;do
    echo "==============="192.168.56.$node"==============="
    ssh 192.168.56.$node 'for src in `ls /etc/init.d|grep '$1'`;do service $src '$2'; done'
  done
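
cluster.sh relies on the fact that CDH packages install one init script per role under /etc/init.d, so a substring passed as its first argument selects a whole family of services. A quick local illustration of that matching (the service names below are just examples of what a node might have installed):

```shell
# Simulate the `ls /etc/init.d | grep $1` selection that cluster.sh performs
# on each node; with the pattern "hadoop-hdfs" only the HDFS services match.
services="hadoop-hdfs-namenode
hadoop-hdfs-datanode
hadoop-yarn-resourcemanager
zookeeper-server"
echo "$services" | grep "hadoop-hdfs"
```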

2. Installing Kerberos

On the cdh1 node, edit /etc/krb5.conf as follows:

  [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
    default_realm = JAVACHEN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96
    clockskew = 120
    udp_preference_limit = 1

  [realms]
    JAVACHEN.COM = {
      kdc = cdh1
      admin_server = cdh1
    }

  [domain_realm]
    .javachen.space = JAVACHEN.COM
    javachen.space = JAVACHEN.COM

Edit /var/kerberos/krb5kdc/kdc.conf as follows:

  [kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

  [realms]
    JAVACHEN.COM = {
      #master_key_type = aes256-cts
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      max_renewable_life = 7d
      max_life = 1d
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
      default_principal_flags = +renewable, +forwardable
    }

Edit /var/kerberos/krb5kdc/kadm5.acl as follows (this single rule grants full administrative rights to every principal whose instance is admin):

  */admin@JAVACHEN.COM *

Sync /etc/krb5.conf from cdh1 to every node in the cluster:

  sh /opt/shell/syn.sh /etc/krb5.conf /etc/krb5.conf

I wrote a script to install and initialize Kerberos, included here for reference (for the full versions, see install_kerberos.sh and init_kerberos.sh):

  # install the kerberos components
  yum install -y krb5-server
  yum install -y openldap-clients
  yum install -y krb5-workstation

  rm -rf /var/kerberos/krb5kdc/*.keytab /var/kerberos/krb5kdc/prin*
  kdb5_util create -r JAVACHEN.COM -s

  chkconfig --level 35 krb5kdc on
  chkconfig --level 35 kadmin on
  service krb5kdc restart
  service kadmin restart

  echo -e "root\nroot" | kadmin.local -q "addprinc root/admin"

  DNS=JAVACHEN.COM
  HOSTNAME=`hostname -i`
  # read the hostnames with an IP starting with 192.168.56 from /etc/hosts,
  # excluding this machine (the kerberos server) itself
  for host in `cat /etc/hosts|grep 192.168.56|grep -v $HOSTNAME|awk '{print $2}'` ;do
    for user in hdfs; do
      kadmin.local -q "addprinc -randkey $user/$host@$DNS"
      kadmin.local -q "xst -k /var/kerberos/krb5kdc/$user-un.keytab $user/$host@$DNS"
    done
    for user in HTTP hive yarn mapred impala zookeeper zkcli hbase llama sentry solr hue; do
      kadmin.local -q "addprinc -randkey $user/$host@$DNS"
      kadmin.local -q "xst -k /var/kerberos/krb5kdc/$user.keytab $user/$host@$DNS"
    done
  done

  # merge the un-merged hdfs keytab and the HTTP keytab into hdfs.keytab
  cd /var/kerberos/krb5kdc/
  echo -e "rkt hdfs-un.keytab\nrkt HTTP.keytab\nwkt hdfs.keytab" | ktutil

  # after re-initializing kerberos, the lines below are also needed for the ldap integration
  kadmin.local -q "addprinc ldapadmin@JAVACHEN.COM"
  kadmin.local -q "addprinc -randkey ldap/cdh1@JAVACHEN.COM"
  kadmin.local -q "ktadd -k /etc/openldap/ldap.keytab ldap/cdh1@JAVACHEN.COM"
  /etc/init.d/slapd restart

  # check that ldap still works
  ldapsearch -x -b 'dc=javachen,dc=com'

Run the script above, then sync the generated keytabs to the other nodes and set their permissions (the keytabs generated under /var/kerberos/krb5kdc/ are assumed to have been collected into /opt/keytab first):

  sh /opt/shell/syn.sh /opt/keytab/hdfs.keytab /etc/hadoop/conf/
  sh /opt/shell/syn.sh /opt/keytab/mapred.keytab /etc/hadoop/conf/
  sh /opt/shell/syn.sh /opt/keytab/yarn.keytab /etc/hadoop/conf/
  sh /opt/shell/syn.sh /opt/keytab/hive.keytab /etc/hive/conf/
  sh /opt/shell/syn.sh /opt/keytab/impala.keytab /etc/impala/conf/
  sh /opt/shell/syn.sh /opt/keytab/zookeeper.keytab /etc/zookeeper/conf/
  sh /opt/shell/syn.sh /opt/keytab/zkcli.keytab /etc/zookeeper/conf/
  sh /opt/shell/syn.sh /opt/keytab/sentry.keytab /etc/sentry/conf/

  sh /opt/shell/cmd.sh "chown hdfs:hadoop /etc/hadoop/conf/hdfs.keytab ;chmod 400 /etc/hadoop/conf/*.keytab"
  sh /opt/shell/cmd.sh "chown mapred:hadoop /etc/hadoop/conf/mapred.keytab ;chmod 400 /etc/hadoop/conf/*.keytab"
  sh /opt/shell/cmd.sh "chown yarn:hadoop /etc/hadoop/conf/yarn.keytab ;chmod 400 /etc/hadoop/conf/*.keytab"
  sh /opt/shell/cmd.sh "chown hive:hadoop /etc/hive/conf/hive.keytab ;chmod 400 /etc/hive/conf/*.keytab"
  sh /opt/shell/cmd.sh "chown impala:hadoop /etc/impala/conf/impala.keytab ;chmod 400 /etc/impala/conf/*.keytab"
  sh /opt/shell/cmd.sh "chown zookeeper:hadoop /etc/zookeeper/conf/*.keytab ;chmod 400 /etc/zookeeper/conf/*.keytab"

  # sentry is installed only on the cdh1 node
  chown sentry:hadoop /etc/sentry/conf/*.keytab ;chmod 400 /etc/sentry/conf/*.keytab

Install the Kerberos client on every node in the cluster:

  sh /opt/shell/cmd.sh "yum install krb5-workstation -y"

Obtain a ticket for the root/admin principal on every node (the password is piped in on stdin):

  sh /opt/shell/cmd.sh "echo root|kinit root/admin"

3. Integrating Hadoop with Kerberos

Update the JCE policy files on every node, modify /etc/default/hadoop-hdfs-datanode, and update the configuration files for hdfs, yarn, mapred, and hive.
If HA is configured, integrate ZooKeeper with Kerberos first.
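
The JCE step is needed because the aes256-cts encryption types configured in krb5.conf are not enabled in a stock Oracle JDK. A sketch of the update, assuming the JDK lives under /usr/java/latest and the downloaded "Unlimited Strength Jurisdiction Policy" zip has been unpacked to /opt/UnlimitedJCEPolicy (both paths are assumptions; adjust them to your layout):

```shell
# Replace the JDK's strength-limited policy jars with the unlimited ones;
# POLICY_DIR is a hypothetical unpack location for Oracle's policy zip.
POLICY_DIR=/opt/UnlimitedJCEPolicy
for f in local_policy.jar US_export_policy.jar; do
  if [ -f "$POLICY_DIR/$f" ]; then
    cp "$POLICY_DIR/$f" /usr/java/latest/jre/lib/security/"$f"
  else
    echo "missing $POLICY_DIR/$f"
  fi
done
```

After copying, sync the jars to every node (for example with syn.sh) and restart the JVM-based services.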
Sync the configuration files:

  sh /opt/shell/syn.sh /etc/hadoop/conf /etc/hadoop
  sh /opt/shell/syn.sh /etc/zookeeper/conf /etc/zookeeper
  sh /opt/shell/cmd.sh "cd /etc/hadoop/conf/; chown root:yarn container-executor.cfg ; chmod 400 container-executor.cfg"
  sh /opt/shell/syn.sh /etc/hive/conf /etc/hive

The next step is to obtain the ticket for each service in turn and start the corresponding services. I created a script, /opt/shell/manager_cluster.sh, to do this:

  #!/bin/bash
  role=$1
  dir=$role
  command=$2

  if [ X"$role" == X"hdfs" ];then
    dir=hadoop
  fi
  if [ X"$role" == X"yarn" ];then
    dir=hadoop
  fi
  if [ X"$role" == X"mapred" ];then
    dir=hadoop
  fi

  echo $dir $role $command

  for node in 121 122 123 ;do
    echo "========192.168.56.$node========"
    ssh 192.168.56.$node '
      host=`hostname -f| tr "[:upper:]" "[:lower:]"`
      path="'$role'/$host"
      #echo $path
      principal=`klist -k /etc/'$dir'/conf/'$role'.keytab | grep $path | head -n1 | cut -d " " -f5`
      echo $principal
      if [ X"$principal" == X ]; then
        principal=`klist -k /etc/'$dir'/conf/'$role'.keytab | grep $path | head -n1 | cut -d " " -f4`
        echo $principal
        if [ X"$principal" == X ]; then
          echo "Failed to get '$role' kerberos principal"
          exit 1
        fi
      fi
      kinit -r 24h -kt /etc/'$dir'/conf/'$role'.keytab $principal
      if [ $? -ne 0 ]; then
        echo "Failed to login as '$role' by kinit command"
        exit 1
      fi
      kinit -R
      for src in `ls /etc/init.d|grep '$role'`;do service $src '$command'; done
    '
  done

Start-up commands:

  # start zookeeper
  sh /opt/shell/manager_cluster.sh zookeeper restart
  # obtain the ticket for the hdfs service
  sh /opt/shell/manager_cluster.sh hdfs status
  # start hadoop-hdfs-zkfc, hadoop-hdfs-journalnode, hadoop-hdfs-namenode
  # and hadoop-hdfs-datanode in turn with the plain cluster script
  sh /opt/shell/cluster.sh hadoop-hdfs-zkfc restart
  sh /opt/shell/cluster.sh hadoop-hdfs-journalnode restart
  sh /opt/shell/cluster.sh hadoop-hdfs-namenode restart
  sh /opt/shell/cluster.sh hadoop-hdfs-datanode restart
  sh /opt/shell/manager_cluster.sh yarn restart
  sh /opt/shell/manager_cluster.sh mapred restart
  sh /opt/shell/manager_cluster.sh hive restart

Update the Impala configuration files and sync them to the other nodes, then start the Impala services:

  \cp /etc/hadoop/conf/core-site.xml /etc/impala/conf/
  \cp /etc/hadoop/conf/hdfs-site.xml /etc/impala/conf/
  \cp /etc/hive/conf/hive-site.xml /etc/impala/conf/
  sh /opt/shell/syn.sh /etc/impala/conf /etc/impala/
  sh /opt/shell/syn.sh /etc/default/impala /etc/default/impala
  sh /opt/shell/manager_cluster.sh impala restart

At this point, the cluster should be up and running.
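
Every service principal created earlier has the form role/hostname@REALM, with a lowercased fully-qualified hostname; this is also how manager_cluster.sh looks principals up in the keytabs. The expected names can be derived with plain shell:

```shell
# Print the principals a node should hold for a few roles; REALM matches the
# krb5.conf above, and the hostname is lowercased as kerberos expects.
REALM=JAVACHEN.COM
host=$(hostname -f | tr '[:upper:]' '[:lower:]')
for role in hdfs yarn hive impala; do
  echo "$role/$host@$REALM"
done
```

A quick smoke test on any node is then `kinit -kt /etc/hadoop/conf/hdfs.keytab hdfs/$host@$REALM` followed by `hadoop fs -ls /`; `klist` should show the hdfs principal afterwards.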

4. Testing Kerberos with Java code

Before integrating Kerberos with HDFS, you can test your Kerberos setup with the following code (Krb.java):

  import com.sun.security.auth.module.Krb5LoginModule;
  import javax.security.auth.Subject;
  import java.io.File;
  import java.io.FileInputStream;
  import java.io.InputStream;
  import java.util.HashMap;
  import java.util.Map;
  import java.util.Properties;

  public class Krb {
      private void loginImpl(final String propertiesFileName) throws Exception {
          System.out.println("NB: system property to specify the krb5 config: [java.security.krb5.conf]");
          //System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
          System.out.println(System.getProperty("java.version"));
          System.setProperty("sun.security.krb5.debug", "true");
          final Subject subject = new Subject();
          final Krb5LoginModule krb5LoginModule = new Krb5LoginModule();
          final Map<String,String> optionMap = new HashMap<String,String>();
          if (propertiesFileName == null) {
              //optionMap.put("ticketCache", "/tmp/krb5cc_1000");
              optionMap.put("keyTab", "/etc/krb5.keytab");
              optionMap.put("principal", "foo"); // default realm
              optionMap.put("doNotPrompt", "true");
              optionMap.put("refreshKrb5Config", "true");
              optionMap.put("useTicketCache", "true");
              optionMap.put("renewTGT", "true");
              optionMap.put("useKeyTab", "true");
              optionMap.put("storeKey", "true");
              optionMap.put("isInitiator", "true");
          } else {
              File f = new File(propertiesFileName);
              System.out.println("======= loading property file ["+f.getAbsolutePath()+"]");
              Properties p = new Properties();
              InputStream is = new FileInputStream(f);
              try {
                  p.load(is);
              } finally {
                  is.close();
              }
              optionMap.putAll((Map)p);
          }
          optionMap.put("debug", "true"); // switch on debug of the Java implementation
          krb5LoginModule.initialize(subject, null, new HashMap<String,String>(), optionMap);
          boolean loginOk = krb5LoginModule.login();
          System.out.println("======= login: " + loginOk);
          boolean commitOk = krb5LoginModule.commit();
          System.out.println("======= commit: " + commitOk);
          System.out.println("======= Subject: " + subject);
      }

      public static void main(String[] args) throws Exception {
          System.out.println("A property file with the login context can be specified as the 1st and the only parameter.");
          final Krb krb = new Krb();
          krb.loginImpl(args.length == 0 ? null : args[0]);
      }
  }

Create a configuration file named krb5.properties:

  keyTab=/etc/hadoop/conf/hdfs.keytab
  principal=hdfs/cdh1@JAVACHEN.COM
  doNotPrompt=true
  refreshKrb5Config=true
  useTicketCache=true
  renewTGT=true
  useKeyTab=true
  storeKey=true
  isInitiator=true

Compile and run the Java code:

  # destroy the current ticket first
  $ kdestroy
  $ javac Krb.java
  $ java -cp . Krb ./krb5.properties

5. Installing LDAP

Use the following commands to quickly install the LDAP server on the cdh1 node:

  yum install db4 db4-utils db4-devel cyrus-sasl* krb5-server-ldap -y
  yum install openldap openldap-servers openldap-clients openldap-devel compat-openldap -y

  # rebuild the configuration database:
  rm -rf /var/lib/ldap/*
  cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  chown -R ldap.ldap /var/lib/ldap

  # back up the original slapd configuration
  cp -rf /etc/openldap/slapd.d /etc/openldap/slapd.d.bak

  cp /usr/share/doc/krb5-server-ldap-1.10.3/kerberos.schema /etc/openldap/schema/
  touch /etc/openldap/slapd.conf
  echo "include /etc/openldap/schema/corba.schema
  include /etc/openldap/schema/core.schema
  include /etc/openldap/schema/cosine.schema
  include /etc/openldap/schema/duaconf.schema
  include /etc/openldap/schema/dyngroup.schema
  include /etc/openldap/schema/inetorgperson.schema
  include /etc/openldap/schema/java.schema
  include /etc/openldap/schema/misc.schema
  include /etc/openldap/schema/nis.schema
  include /etc/openldap/schema/openldap.schema
  include /etc/openldap/schema/ppolicy.schema
  include /etc/openldap/schema/collective.schema
  include /etc/openldap/schema/kerberos.schema" > /etc/openldap/slapd.conf
  echo -e "pidfile /var/run/openldap/slapd.pid\nargsfile /var/run/openldap/slapd.args" >> /etc/openldap/slapd.conf
  slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
  chown -R ldap:ldap /etc/openldap/slapd.d && chmod -R 700 /etc/openldap/slapd.d

  # restart the service
  chkconfig --add slapd
  chkconfig --level 345 slapd on
  /etc/init.d/slapd restart

Integrate it with Kerberos:

  # create the admin principals
  kadmin.local -q "addprinc ldapadmin@JAVACHEN.COM"
  kadmin.local -q "addprinc -randkey ldap/cdh1@JAVACHEN.COM"
  rm -rf /etc/openldap/ldap.keytab
  kadmin.local -q "ktadd -k /etc/openldap/ldap.keytab ldap/cdh1@JAVACHEN.COM"
  chown -R ldap:ldap /etc/openldap/ldap.keytab
  /etc/init.d/slapd restart

Create a modify.ldif file to update the configuration database:

  dn: olcDatabase={2}bdb,cn=config
  changetype: modify
  replace: olcSuffix
  olcSuffix: dc=javachen,dc=com

  dn: olcDatabase={2}bdb,cn=config
  changetype: modify
  replace: olcRootDN
  # Temporary lines to allow initial setup
  olcRootDN: uid=ldapadmin,ou=people,dc=javachen,dc=com

  dn: olcDatabase={2}bdb,cn=config
  changetype: modify
  add: olcRootPW
  olcRootPW: secret

  dn: cn=config
  changetype: modify
  add: olcAuthzRegexp
  olcAuthzRegexp: uid=([^,]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=javachen,dc=com

  dn: olcDatabase={2}bdb,cn=config
  changetype: modify
  add: olcAccess
  # Everyone can read everything
  olcAccess: {0}to dn.base="" by * read
  # The ldapadm dn has full write access
  olcAccess: {1}to * by dn="uid=ldapadmin,ou=people,dc=javachen,dc=com" write by * read

Run the following command to apply it:

  ldapmodify -Y EXTERNAL -H ldapi:/// -f modify.ldif

To add users and groups, create setup.ldif as follows:

  dn: dc=javachen,dc=com
  objectClass: top
  objectClass: dcObject
  objectclass: organization
  o: javachen com
  dc: javachen

  dn: ou=people,dc=javachen,dc=com
  objectclass: organizationalUnit
  ou: people
  description: Users

  dn: ou=group,dc=javachen,dc=com
  objectClass: organizationalUnit
  ou: group

  dn: uid=ldapadmin,ou=people,dc=javachen,dc=com
  objectClass: inetOrgPerson
  objectClass: posixAccount
  objectClass: shadowAccount
  cn: LDAP admin account
  uid: ldapadmin
  sn: ldapadmin
  uidNumber: 1001
  gidNumber: 100
  homeDirectory: /home/ldap
  loginShell: /bin/bash

Import it into the database with the following command:

  ldapadd -x -D "uid=ldapadmin,ou=people,dc=javachen,dc=com" -w secret -f setup.ldif

Next, you can create some local system users on the LDAP server and import them into the LDAP service.
First install migrationtools, then change the default DNS domain and default base in /usr/share/migrationtools/migrate_common.ph.
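
The two settings to change in migrate_common.ph are $DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE, which ship with padl.com defaults. Demonstrated below on a local copy of the relevant lines so the sed expressions can be checked safely; point sed at /usr/share/migrationtools/migrate_common.ph for the real edit:

```shell
# Rewrite the padl.com defaults to this cluster's domain and base DN.
# A temp copy of the two lines stands in for the real file here.
f=$(mktemp)
cat > "$f" <<'EOF'
$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_BASE = "dc=padl,dc=com";
EOF
sed -i 's/padl\.com/javachen.com/; s/dc=padl,dc=com/dc=javachen,dc=com/' "$f"
cat "$f"
```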

  # create the admin group
  groupadd admin

  # create the test and hive users, used later when testing sentry
  useradd test
  useradd hive
  usermod -G admin test
  usermod -G admin hive

  # import the relevant users into ldap
  grep -E "bi_|hive|test" /etc/passwd >/opt/passwd.txt
  /usr/share/migrationtools/migrate_passwd.pl /opt/passwd.txt /opt/passwd.ldif
  ldapadd -x -D "uid=ldapadmin,ou=people,dc=javachen,dc=com" -w secret -f /opt/passwd.ldif

  # import the admin group into ldap
  grep -E "admin" /etc/group >/opt/group.txt
  /usr/share/migrationtools/migrate_group.pl /opt/group.txt /opt/group.ldif
  ldapadd -x -D "uid=ldapadmin,ou=people,dc=javachen,dc=com" -w secret -f /opt/group.ldif

Then set a password for each user in turn with the following command:

  ldappasswd -x -D 'uid=ldapadmin,ou=people,dc=javachen,dc=com' -w secret "uid=hive,ou=people,dc=javachen,dc=com" -S

Note that these users and groups live on the LDAP server; they need to be mounted remotely on every Hadoop node, otherwise you have to create the corresponding users and groups locally on each node (which is how my tests are set up at the moment).

6. Integrating Sentry

For this part, store the Sentry rules in a database; the file-based provider is not recommended for production.
For the detailed configuration, see the post Impala和Hive集成Sentry (integrating Impala and Hive with Sentry).
Connect to hive-server2 through beeline as hive/cdh1@JAVACHEN.COM and create some roles and grants:

  create role admin_role;
  GRANT ALL ON SERVER server1 TO ROLE admin_role;
  GRANT ROLE admin_role TO GROUP admin;
  GRANT ROLE admin_role TO GROUP hive;

  create role test_role;
  GRANT ALL ON DATABASE testdb TO ROLE test_role;
  GRANT ALL ON DATABASE default TO ROLE test_role;
  GRANT ROLE test_role TO GROUP test;

With the grants above, the admin and hive groups get administrator rights on all databases, while the test group only has read/write access to the testdb and default databases.
You can verify the permissions by connecting to impala-shell via LDAP as different users.
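
For that check, impala-shell's -l flag switches authentication to LDAP and -u picks the user (the password is prompted interactively); impalad must have been started with its LDAP options enabled. Sketched below as a dry run that prints the commands, with cdh2 assumed as the impalad host; remove the `echo` to run them:

```shell
# A test-group user should only see testdb/default; an admin-group user
# (e.g. hive) should see everything.
for u in test hive; do
  echo "impala-shell -l -u $u -i cdh2 -q 'show databases'"
done
```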

7. How to add a new user and set permissions?

The following walks through adding a new user and granting access, using the test2 account as an example. test2 needs the following permissions:

  • dw_default database: read access
  • table t1 in the dw_user database: read access
  • table t2 in the dw_user database: read access

Add the LDAP user and set its password on the LDAP server. First, add the system user:

  useradd test2

Then import that user into LDAP with the migration tools:

  grep -E "test2" /etc/passwd >/opt/passwd.txt
  /usr/share/migrationtools/migrate_passwd.pl /opt/passwd.txt /opt/passwd.ldif
  ldapadd -x -D "uid=ldapadmin,ou=people,dc=javachen,dc=com" -w secret -f /opt/passwd.ldif

Generate a random password for test2, then set it in LDAP:

  ldappasswd -x -D 'uid=ldapadmin,ou=people,dc=javachen,dc=com' -w secret "uid=test2,ou=people,dc=javachen,dc=com" -S

On every DataNode, create the test2 user and the secure_analyst group, with test2 belonging to secure_analyst:

  sh /opt/shell/cmd.sh "groupadd secure_analyst ; useradd test2; usermod -G secure_analyst,test2 test2"

Create the roles in Hive:
Run beeline -u "jdbc:hive2://cdh1:10000/default;principal=hive/cdh1@JAVACHEN.COM", then enter the following statements to create the roles in Sentry and grant them to the secure_analyst group:

  create role dw_default_r;
  GRANT SELECT ON DATABASE dw_default TO ROLE dw_default_r;

  create role dw_user_r;
  GRANT SELECT ON DATABASE dw_user TO ROLE dw_user_r;

  use dw_user;
  create role dw_user_secure_r;
  GRANT SELECT ON table t1 TO ROLE dw_user_secure_r;
  GRANT SELECT ON table t2 TO ROLE dw_user_secure_r;

  GRANT ROLE dw_default_r TO GROUP secure_analyst;
  GRANT ROLE dw_user_secure_r TO GROUP secure_analyst;

Then Impala needs to refresh its metadata before testing; it may take a little while for impala-catalog to pick up the changes.
The final tests themselves are omitted here.
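
The metadata refresh can be issued from impala-shell: `invalidate metadata` reloads the whole catalog, while a table-level `refresh` is cheaper when only data changed. A sketch, again assuming an impalad on cdh2 and a valid Kerberos/LDAP login:

```shell
# Reload catalog metadata so the newly granted objects become visible.
impala-shell -i cdh2 -q "invalidate metadata"
# cheaper, table-level alternative when only the data of t1 changed:
impala-shell -i cdh2 -q "refresh dw_user.t1"
```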