扩展HadoopDefaultAuthenticator类的setConf方法,实现可以代理用户运行的功能,主要需求如下:
1.不传入参数时,按本用户执行
2.传入参数时,按传入参数执行
3.对设置为hdfs用户进行限制
主要更改HiveConf类和HadoopDefaultAuthenticator类
HiveConf增加:
HIVE_USE_CUSTOM_PROXY("use.custom.proxy", false), HIVE_CUSTOM_PROXY_USER("custom.proxy.user", ""),
更改HadoopDefaultAuthenticator 的setConf方法:
protected String proxyUser; .... public void setConf(Configuration conf) { UserGroupInformation ugi = null; if(HiveConf.getBoolVar(conf,HiveConf.ConfVars.HIVE_USE_CUSTOM_PROXY)){ proxyUser = HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_CUSTOM_PROXY_USER); if(("").equals(proxyUser)||proxyUser == null||("hdfs").equals(proxyUser)){ throw new RuntimeException( "User proxy user, but set the wrong username [" +proxyUser+"]"); } try { ugi = ShimLoader.getHadoopShims().createRemoteUser(proxyUser,null); } catch (Exception e) { throw new RuntimeException(e); } if (ugi == null) { throw new RuntimeException( "Can not initialize ProxyUserAuthenticator for user [" +proxyUser+"]"); } this.userName = ShimLoader.getHadoopShims().getShortUserName(ugi); if (ugi.getGroupNames() != null) { this.groupNames = Arrays.asList(ugi.getGroupNames()); } }else{ try { ugi = ShimLoader.getHadoopShims().getUGIForConf(conf); } catch (Exception e) { throw new RuntimeException(e); } if (ugi == null) { throw new RuntimeException( "Can not initialize HadoopDefaultAuthenticator."); } this.userName = ShimLoader.getHadoopShims().getShortUserName(ugi); if (ugi.getGroupNames() != null) { this.groupNames = Arrays.asList(ugi.getGroupNames()); } } }
使用方法:
hive -hiveconf use.custom.proxy=true -hiveconf custom.proxy.user=xxx
1)use.custom.proxy 默认值为 false,即使用登录用户做权限验证
2)custom.proxy.user 不能设置为空和 hdfs
测试结果:
hive> show grant user ericni on database default; //用权限的用户 OK default ericni USER Select false 1417681722000 hdfs hive> show grant user ericni1 on database default; //无权限的用户 OK
有权限的用户 proxy到无权限用户测试, 报没有权限错误:
hive -i /home/hdfs/.hiverc2 -hiveconf hive.root.logger=WARN,console -hiveconf use.custom.proxy=true -hiveconf custom.proxy.user=ericni1 14/12/05 15:10:35 WARN ExecReducer: in ShimLoader getHadoopShims hadoopShims is class org.apache.hadoop.hive.shims.Hadoop23Shims Authorization failed:No privilege ‘Select‘ found for inputs { database:default, table:dual}. Use SHOW GRANT to get more details. 14/12/05 15:10:36 ERROR ql.Driver: Authorization failed:No privilege ‘Select‘ found for inputs { database:default, table:dual}. Use SHOW GRANT to get more details.
无权限的用户 proxy到有权限用户测试, 查询正常:
hive> select 1 from default.dual; //没有设置 proxy的时候,没有权限查询 Authorization failed:No privilege ‘Select‘ found for inputs { database:default, table:dual}. Use SHOW GRANT to get more details. hive -hiveconf use.custom.proxy=true -hiveconf custom.proxy.user=ericni //设置代理后,查询正常
仍然存在的问题:
1)Hive向hdfs 写入数据的用户和这个用户是分开的,暂时这块代码还没有动,后面继续跟进
2)代理用户运行任务会有安全的问题,需要加个map,限制用户可以代理的用户
时间: 2024-10-11 11:25:52