千家信息网

Adding ordinary Hive users with only the select privilege and no create, drop or other privileges

Published: 2025-12-03 Author: 千家信息网 editor


A customer has just asked us to add 4 ordinary Hive users that have the select privilege but not the create database/table or drop database/table privileges, keeping only the amos user with all privileges: select, create, drop and revoke.

After a lot of searching online, the final solution was:

1. First, log in to Hive as the amos user and grant that user all privileges on the database dmp

[amos@DMP-GATEWAY amos]$ cd /opt/amos/hive/bin/
[amos@DMP-GATEWAY bin]$ ./hive
hive> grant all on database dmp to user amos;

2. Add an ordinary Linux user mcduser1

Add the mcduser1 user on the CentOS 6.7 system: useradd mcduser1

3. Change the permissions of the Hive directories on Hadoop

hadoop fs -chmod -R 777 /user/hive/warehouse
hadoop fs -chmod -R 777 /tmp

4. Edit the Hive configuration file hive-site.xml to add authorization control, then restart the Hive services: metastore, HiveServer2 and hwi

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>enable or disable the hive client authorization</description>
</property>
<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
  <description>the privileges automatically granted to the owner whenever a table gets created. An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
</property>

5. Log in to Hive as the superuser amos and grant the select privilege to the ordinary user mcduser1

[amos@DMP-GATEWAY amos]$ cd /opt/amos/hive/bin/
[amos@DMP-GATEWAY bin]$ ./hive
hive> grant select on database dmp to user mcduser1;

Note: if a privilege was granted by mistake, it can be removed with revoke

hive> revoke select on database dmp from user amos;

6. Testing found that select count(*) run by the mcduser1 user did launch a MapReduce job, but the job failed automatically; the error in the YARN logs was:

Diagnostics: Application application_1484125831039_0001 failed 3 times due to AM Container for appattempt_1484125831039_0001_000003 exited with exitCode: -1000
For more detailed output, check application tracking page:http://DMP-DEV01:8088/cluster/app/application_1484125831039_0001 Then, click on links to logs of each attempt.
Diagnostics: Application application_1484125831039_0001 initialization failed (exitCode=255) with output: User mcduser1 not found
Failing this attempt. Failing the application.

It turned out that the gateway server had the mcduser1 user but the NodeManagers did not. Use ansible to add the user on all node servers; note, use useradd -s /sbin/nologin mcduser1 so that mcduser1 is not allowed to log in on the NodeManagers.

[root@mcddmpfe01 ~]# ansible amosDnNodes -m shell -a 'useradd -s /sbin/nologin mcduser1'
/opt/amos/python2.7/lib/python2.7/site-packages/pycrypto-2.6.1-py2.7-linux-x86_64.egg/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
mcddmpnode05 | SUCCESS | rc=0 >>
mcddmpnode01 | SUCCESS | rc=0 >>
mcddmpnode03 | SUCCESS | rc=0 >>
mcddmpnode02 | SUCCESS | rc=0 >>
mcddmpnode04 | SUCCESS | rc=0 >>
mcddmpnode07 | SUCCESS | rc=0 >>
mcddmpnode06 | SUCCESS | rc=0 >>
mcddmpnode08 | SUCCESS | rc=0 >>

The test passed: an ordinary user can launch a MapReduce job in Hive with select count(*) from table.

hive> select count(*) from store_master;
Query ID = hiveuser1_20170112122713_fea2188b-7e19-4a9a-896d-ec472c60d0ca
Total jobs = 1
Launching Job 1 out of 1
Number of reduce tasks determined at compile time: 1
In order to change the average load for a reducer (in bytes):
  set hive.exec.reducers.bytes.per.reducer=<number>
In order to limit the maximum number of reducers:
  set hive.exec.reducers.max=<number>
In order to set a constant number of reducers:
  set mapreduce.job.reduces=<number>
Starting Job = job_1484051373423_1338, Tracking URL = http://mcddmpfe02:8088/proxy/application_1484051373423_1338/
Kill Command = /opt/amos/hadoop/bin/hadoop job  -kill job_1484051373423_1338
Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 1
2017-01-12 12:27:36,289 Stage-1 map = 0%,  reduce = 0%
2017-01-12 12:27:48,349 Stage-1 map = 100%,  reduce = 0%, Cumulative CPU 4.01 sec
2017-01-12 12:27:59,130 Stage-1 map = 100%,  reduce = 100%, Cumulative CPU 7.86 sec
MapReduce Total cumulative CPU time: 7 seconds 860 msec
Ended Job = job_1484051373423_1338
MapReduce Jobs Launched:
Stage-Stage-1: Map: 1  Reduce: 1   Cumulative CPU: 7.86 sec  HDFS Read: 0 HDFS Write: 0 SUCCESS
Total MapReduce CPU Time Spent: 7 seconds 860 msec
OK
2302
Time taken: 47.764 seconds, Fetched: 1 row(s)
hive> create database test;
Authorization failed:No privilege 'Create' found for outputs { }. Use SHOW GRANT to get more details.

8. As for users' Hive operation logs, they are currently recorded in the .hivehistory file in each user's home directory, i.e. /home/$user/.hivehistory

For example, the command-line operations of the mcduser1 user are logged in: /home/hiveuser1/.hivehistory

9. One problem has now been found: ordinary users can grant privileges. No suitable solution for this has been found yet; it may require developers to write a hook program.
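As an added example (not code from the original post), the following Python script turns steps 8 and 9 into a detective control: it reads the per-user .hivehistory files described in step 8 and flags grant, revoke, create and drop statements issued by anyone other than amos, which is exactly what step 9's open problem lets ordinary users do. The admin user name and the history file layout follow the post; the history contents below are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Only amos is supposed to hold grant/create/drop rights (per the post).
ADMIN_USERS = {"amos"}

# Statements that change privileges or schema. Legacy Hive authorization lets any
# user run GRANT, so for non-admin users these are the lines worth alerting on.
SENSITIVE = re.compile(
    r"^\s*(grant|revoke"
    r"|create\s+(external\s+)?(database|schema|table)"
    r"|drop\s+(database|schema|table))\b",
    re.IGNORECASE,
)

def parse_hivehistory(text: str) -> List[str]:
    """Non-empty statements of a .hivehistory file, one per line.
    The CLI records a statement when it is entered, so attempts that
    authorization later rejected (e.g. 'create database test;') appear too."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def audit(histories: Dict[str, str]) -> List[Tuple[str, str]]:
    """histories maps unix user -> contents of /home/<user>/.hivehistory.
    Returns (user, statement) pairs for sensitive statements by non-admin users."""
    findings: List[Tuple[str, str]] = []
    for user, text in histories.items():
        if user in ADMIN_USERS:
            continue
        for stmt in parse_hivehistory(text):
            if SENSITIVE.match(stmt):
                findings.append((user, stmt))
    return findings

# Constructed sample histories (not real captures); statements mirror the post.
SAMPLE_HISTORIES = {
    "amos": "grant all on database dmp to user amos;\n"
            "grant select on database dmp to user mcduser1;\n",
    "mcduser1": "select count(*) from store_master;\n"
                "create database test;\n"
                "grant create on database dmp to user mcduser1;\n",
}

if __name__ == "__main__":
    for user, stmt in audit(SAMPLE_HISTORIES):
        print(f"ALERT user={user} stmt={stmt}")
```

Run it over the collected /home/*/.hivehistory files; since each file lives in that user's home directory and is writable by them, it records only what they typed in the CLI and is not tamper-proof.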
