Question
I have a cluster running with cdh-5.7.0 and configured the following setup
- hadoop with kerberos
- hive with LDAP authentication
- hive with sentry authorization (rules stored in JDBC derby)
My goal is to restrict users to see which databases exist in my system. E.g.:
- User-A should only see database DB-A when executing show databases
- User-B should only see database DB-B when executing show databases
I followed the article https://blog.cloudera.com/blog/2013/12/how-to-get-started-with-sentry-in-hive/ to make that happen. But without success. What I achieved was that
- User-A can only select tables from DB-A and not from DB-B.
- User-B can only select tables from DB-B and not from DB-A.
But both can still see DB-A and DB-B when executing show databases. But I want to avoid this.
Any hints from you on how the rules or the setup could look to get that running?
Thanks, Marko
Answer 1:
According to your description and from what I've learned from existing setups, in case of Sentry v1.6+ you need to add the following property to your hive-site.xml:
<property>
<name>hive.metastore.filter.hook</name>
<value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
</property>
Even if you are on CDH 5.7, the MapR 5 documentation provides some context, as does Sentry Service Interactions.
After restarting the Hive service you should be able to see the result you are expecting.
Source: https://stackoverflow.com/questions/43673634/configure-sentry-to-show-hide-different-databases-for-different-users
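One way to verify the setting from the answer after editing the file, as an added example that is not part of the original post: a Python check that parses a hive-site.xml document and reports whether hive.metastore.filter.hook is set to the Sentry class named above. The function name audit_filter_hook, the status labels and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

HOOK_KEY = "hive.metastore.filter.hook"
SENTRY_HOOK = "org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook"

# Constructed sample documents, not taken from a real cluster.
SAMPLE_WITHOUT_HOOK = """<configuration>
  <property>
    <name>hive.server2.authentication</name>
    <value>LDAP</value>
  </property>
</configuration>"""

SAMPLE_WITH_HOOK = """<configuration>
  <property>
    <name>hive.metastore.filter.hook</name>
    <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
  </property>
</configuration>"""


def audit_filter_hook(xml_text):
    """Return (status, values) for hive.metastore.filter.hook in a hive-site.xml."""
    root = ET.fromstring(xml_text)
    values = []
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == HOOK_KEY:
            values.append((prop.findtext("value") or "").strip())
    if not values:
        return ("missing", values)        # property absent from this file
    if len(set(values)) > 1:
        return ("conflicting", values)    # defined more than once, different classes
    if values[0] != SENTRY_HOOK:
        return ("other-hook", values)     # set, but not to the Sentry filter hook
    return ("ok", values)


if __name__ == "__main__":
    samples = [("without hook", SAMPLE_WITHOUT_HOOK), ("with hook", SAMPLE_WITH_HOOK)]
    for label, doc in samples:
        print(label, "->", audit_filter_hook(doc))
```

The check only reads the file; as the answer notes, the Hive service has to be restarted before the setting takes effect.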