This post records the process of integrating Sentry with a Kerberos-secured Impala cluster. Kerberos authentication is already configured on the Impala cluster, and Hive must be integrated with Kerberos and Sentry beforehand:

The roles planned for the cluster nodes are:

  1. 192.168.56.121 cdh1: NameNode, ResourceManager, HBase, Hive metastore, Impala Catalog, Impala statestore, Sentry
  2. 192.168.56.122 cdh2: DataNode, NodeManager, HBase, HiveServer2, Impala Server
  3. 192.168.56.123 cdh3: DataNode, HBase, NodeManager, HiveServer2, Impala Server

2. Modify the Impala configuration

Edit the IMPALA_SERVER_ARGS parameter in the /etc/default/impala file and add:

    -server_name=server1
    -sentry_config=/etc/hive/conf/sentry-site.xml

Add to IMPALA_CATALOG_ARGS:

    -sentry_config=/etc/hive/conf/sentry-site.xml

The contents of /etc/hive/conf/sentry-site.xml are as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <property>
        <name>sentry.service.client.server.rpc-port</name>
        <value>8038</value>
      </property>
      <property>
        <name>sentry.service.client.server.rpc-address</name>
        <value>cdh1</value>
      </property>
      <property>
        <name>sentry.service.client.server.rpc-connection-timeout</name>
        <value>200000</value>
      </property>
      <property>
        <name>sentry.provider</name>
        <value>org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider</value>
      </property>
      <property>
        <name>sentry.hive.provider.backend</name>
        <value>org.apache.sentry.provider.db.SimpleDBProviderBackend</value>
      </property>
      <property>
        <name>sentry.metastore.service.users</name>
        <value>hive</value><!-- queries made by the hive user (beeline) skip the metastore check -->
      </property>
      <property>
        <name>sentry.hive.server</name>
        <value>server1</value>
      </property>
      <property>
        <name>sentry.hive.testing.mode</name>
        <value>true</value>
      </property>
    </configuration>

3. Restart the Impala services

On the cdh1 node

4. Testing

5. Other notes

To configure the Sentry store with file-based storage instead, edit the IMPALA_SERVER_ARGS parameter in the /etc/default/impala file and add:

    -server_name=server1
    -authorization_policy_file=/user/hive/sentry/sentry-provider.ini
    -authorization_policy_provider_class=org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider

Create the sentry-provider.ini file and upload it to the /user/hive/sentry/ directory in HDFS:

    $ cat /tmp/sentry-provider.ini
    [databases]
    # Defines the location of the per DB policy file for the customers DB/schema
    #db1 = hdfs://cdh1:8020/user/hive/sentry/db1.ini
    [groups]
    admin = any_operation
    hive = any_operation
    test = select_filtered
    [roles]
    any_operation = server=server1->db=*->table=*->action=*
    select_filtered = server=server1->db=filtered->table=*->action=SELECT
    select_us = server=server1->db=filtered->table=events_usonly->action=SELECT
    [users]
    test = test
    hive = hive
    $ hdfs dfs -rm -r /user/hive/sentry/sentry-provider.ini
    $ hdfs dfs -put /tmp/sentry-provider.ini /user/hive/sentry/
    $ hdfs dfs -chown hive:hive /user/hive/sentry/sentry-provider.ini
    $ hdfs dfs -chmod 640 /user/hive/sentry/sentry-provider.ini

Note: the server1 given in -server_name must match the server= value used in the [roles] section of sentry-provider.ini; a privilege written for a different server name grants nothing on this Impala server.
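To check a policy file like the one above before uploading it, the following added example (not code from the post or from Sentry itself) parses the ini and resolves user -> groups -> roles -> privileges the way the file-based provider does, so you can see what each user would be allowed. It assumes a missing db/table/action clause means "all", that the server name must match exactly, and that the [users] section is the group source (LocalGroupResourceAuthorizationProvider); the sample policy is constructed from the one shown above.

```python
import configparser

# Constructed sample policy in the same shape as the sentry-provider.ini above.
POLICY_INI = """
[groups]
admin = any_operation
hive = any_operation
test = select_filtered
[roles]
any_operation = server=server1->db=*->table=*->action=*
select_filtered = server=server1->db=filtered->table=*->action=SELECT
select_us = server=server1->db=filtered->table=events_usonly->action=SELECT
[users]
test = test
hive = hive
"""

def load_policy(text):
    """Parse the ini into {section: {name: [values]}}; values are split on ','."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of user, group and role names
    cp.read_string(text)
    return {sec: {k: [v.strip() for v in val.split(",")] for k, val in cp[sec].items()}
            for sec in cp.sections()}

def parse_privilege(spec):
    """'server=server1->db=filtered->table=*->action=SELECT' -> dict of scopes."""
    return {k.strip().lower(): v.strip()
            for k, v in (part.split("=", 1) for part in spec.split("->"))}

def privilege_allows(priv, server, db, table, action):
    """Server must match exactly; a missing or '*' db/table/action matches everything."""
    if priv.get("server") != server:
        return False
    for scope, wanted in (("db", db), ("table", table)):
        granted = priv.get(scope, "*")
        if granted != "*" and granted != wanted:
            return False
    granted_action = priv.get("action", "*")
    return granted_action == "*" or granted_action.upper() == action.upper()

def is_authorized(policy, user, server, db, table, action):
    """Walk user -> groups -> roles -> privileges; any matching privilege allows the request."""
    for group in policy.get("users", {}).get(user, []):
        for role in policy.get("groups", {}).get(group, []):
            for spec in policy.get("roles", {}).get(role, []):
                if privilege_allows(parse_privilege(spec), server, db, table, action):
                    return True
    return False

POLICY = load_policy(POLICY_INI)
```

Running is_authorized(POLICY, "hive", "server2", "db", "t", "SELECT") returns False even though hive holds any_operation, which is exactly the mismatch the note above warns about.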

6. References