【总结】Apache Sentry 服务简介

莫问

　　Sentry是一个RPC服务，将认证元数据信息存储在关系型数据库，并提供RPC接口检索和操作权限。利用Kerveros支持安全访问。Sentry Service通过后台数据库存储提供认证元数据信息，不处理真实的权限验证，当Hive,Impala等服务的配置使用Sentry权限的时候，Hive，Impala只作为Sentry的client。
　　最早的Sentry是使用policy file配置权限，逐渐版本升级过程中，目前采用关系型数据库存储权限角色等。使用新的Sentry服务相比于旧的policy file能够更容易处理用户权限，新的Sentry服务提供了更传统的 GRANT/REVOKE语句修改权限。
　　

　　早版本Sentry中的策略文件policy file:
[groups]
manager = customers_insert_role,
customers_select_role
analyst = customers_select_role
[roles]
customers_insert_role = server=server1->db=customers->table=*->action=insert
customers_select_role = server=server1->db=customers->table=*->action=select　　

　　Sentry历史版本功能：

• 　　Sentry with policy files is added in CDH 5.1.0.
  
• 　　Sentry with config support is added in CDH 5.5.0.
  
• 　　Sentry with database-backed Sentry service is added with CDH 5.8.0.
  

　　

　　

　　Sentry中基础名词：
　　1.object Sentry认证规则所保护的一个对象，包括 server, database, table, URI, collection, and config
　　2.role 访问给定object的规则集合
　　3.privilege 包括insert select update等
　　4.user 来自于能够访问Sentry服务的一个认证系统用户，user可以是Kerberos的principal, LDAP的userid，或其他认证系统的标识
　　5.group 组，一个或者多个用户的集合，Sentry中将role分配给group，一个组就相应担当某个角色
　　6.A configured group provider determines a user’s affiliation with a group. The current release supports HDFS-backed groups and locally configured groups.

Privilege	Object
INSERT	DB, TABLE
SELECT	SERVER, DB, TABLE, COLUMN
UPDATE	COLLECTION, CONFIG
QUERY	COLLECTION, CONFIG
ALL	SERVER, TABLE, DB, URI, COLLECTION, CONFIG

　　Sentry权限模型：
　　Sentry使用基于角色权限模型，有如下特征
　　1、允许所有用户执行show functions，show locks等
　　2、允许用户看到那些有权限的tables,databases,collections，configs等
　　3、HiveQL执行例如LOAD，IMPORT等操作，需要用户有相应URI的权限
　　4、赋予一个URI某个权限，其子目录也递归赋予这个权限，所以只需将权限grant给一个父目录
　　5、CDH 5.5引入Column级别的访问控制，之前版本的如果要控制到列级别访问，使用View，创建一个只包含有访问权限Column的View
　　Tips
　　    Hive中使用Sentry的时候，必须使用Beeline方式执行查询，Hive Cli方式不支持Sentry
　　

　　
　　

　　Hive On Sentry中Object层级结构关系
　　权限能够赋予层级中的不同的object，一个权限如果赋予层级中一个object，则这个object子层级中的object继承这个权限。
　　比如赋予DATABASE的SELECT权限给用户A，则用户A拥有DATABASE下所有Object的SELECT权限

　　权限类型和Object的对应关系

Privilege	Object
INSERT	DB, TABLE
SELECT	DB, TABLE, VIEW, COLUMN
ALL	SERVER, TABLE, DB, URI

　　权限层级

Base Object	Granular privileges on object	Container object that contains the base object	Privileges on container object that implies privileges on the base object
DATABASE	ALL	SERVER	ALL
TABLE	INSERT	DATABASE	ALL
TABLE	SELECT	DATABASE	ALL
COLUMN	SELECT	DATABASE	ALL
VIEW	SELECT	DATABASE	ALL

　　Hive&Impala操作权限表

Operation	Scope	Privileges Required	URI
CREATE DATABASE	SERVER	ALL
DROP DATABASE	DATABASE	ALL
CREATE TABLE	DATABASE	ALL
DROP TABLE	TABLE	ALL
CREATE VIEW-This operation is allowed if you have column-level SELECTaccess to the columns being used.	DATABASE; SELECT on TABLE;	ALL
ALTER VIEW-This operation is allowed if you have column-level SELECTaccess to the columns being used.	VIEW/TABLE	ALL
DROP VIEW	VIEW/TABLE	ALL
ALTER TABLE .. ADD COLUMNS	TABLE	ALL
ALTER TABLE .. REPLACE COLUMNS	TABLE	ALL
ALTER TABLE .. CHANGE column	TABLE	ALL
ALTER TABLE .. RENAME	TABLE	ALL
ALTER TABLE .. SET TBLPROPERTIES	TABLE	ALL
ALTER TABLE .. SET FILEFORMAT	TABLE	ALL
ALTER TABLE .. SET LOCATION	TABLE	ALL	URI
ALTER TABLE .. ADD PARTITION	TABLE	ALL
ALTER TABLE .. ADD PARTITION location	TABLE	ALL	URI
ALTER TABLE .. DROP PARTITION	TABLE	ALL
ALTER TABLE .. PARTITION SET FILEFORMAT	TABLE	ALL
SHOW CREATE TABLE	TABLE	SELECT/INSERT
SHOW PARTITIONS	TABLE	SELECT/INSERT
SHOW TABLES-Output includes all the tables for which the user has table-level privileges and all the tables for which the user has some column-level privileges.	TABLE	SELECT/INSERT
SHOW GRANT ROLE-Output includes an additional field for any column-level privileges.	TABLE	SELECT/INSERT
DESCRIBE TABLE-Output shows all columns if the user has table level-privileges or SELECT privilege on at least one table column	TABLE	SELECT/INSERT
LOAD DATA	TABLE	INSERT	URI
SELECT-You can grant the SELECT privilege on a view to give users access to specific columns of a table they do not otherwise have access to. -See Column-level Authorization for details on allowed column-level operations.	VIEW/TABLE; COLUMN	SELECT
INSERT OVERWRITE TABLE	TABLE	INSERT
CREATE TABLE .. AS SELECT-This operation is allowed if you have column-level SELECTaccess to the columns being used.	DATABASE; SELECT on TABLE	ALL
USE	Any
CREATE FUNCTION	SERVER	ALL
ALTER TABLE .. SET SERDEPROPERTIES	TABLE	ALL
ALTER TABLE .. PARTITION SET SERDEPROPERTIES	TABLE	ALL
Hive-Only Operations
INSERT OVERWRITE DIRECTORY	TABLE	INSERT	URI
Analyze TABLE	TABLE	SELECT + INSERT
IMPORT TABLE	DATABASE	ALL	URI
EXPORT TABLE	TABLE	SELECT	URI
ALTER TABLE TOUCH	TABLE	ALL
ALTER TABLE TOUCH PARTITION	TABLE	ALL
ALTER TABLE .. CLUSTERED BY SORTED BY	TABLE	ALL
ALTER TABLE .. ENABLE/DISABLE	TABLE	ALL
ALTER TABLE .. PARTITION ENABLE/DISABLE	TABLE	ALL
ALTER TABLE .. PARTITION.. RENAME TO PARTITION	TABLE	ALL
MSCK REPAIR TABLE	TABLE	ALL
ALTER DATABASE	DATABASE	ALL
DESCRIBE DATABASE	DATABASE	SELECT/INSERT
SHOW COLUMNS-Output for this operation filters columns to which the user does not have explicit SELECT access	TABLE	SELECT/INSERT
CREATE INDEX	TABLE	ALL
DROP INDEX	TABLE	ALL
SHOW INDEXES	TABLE	SELECT/INSERT
GRANT PRIVILEGE	Allowed only for Sentry admin users
REVOKE PRIVILEGE	Allowed only for Sentry admin users
SHOW GRANT	Allowed only for Sentry admin users
SHOW TBLPROPERTIES	TABLE	SELECT/INSERT
DESCRIBE TABLE .. PARTITION	TABLE	SELECT/INSERT
ADD JAR	Not Allowed
ADD FILE	Not Allowed
DFS	Not Allowed
Impala-Only Operations
EXPLAIN	TABLE; COLUMN	SELECT
INVALIDATE METADATA	SERVER	ALL
INVALIDATE METADATA	TABLE	SELECT/INSERT
REFRESH  or REFRESH  PARTITION ()	TABLE	SELECT/INSERT
DROP FUNCTION	SERVER	ALL
COMPUTE STATS	TABLE	ALL

　　

　　

　　通过HUE管理Sentry:http://10120275.blog.51cto.com/10110275/1956777