forked from docs/doc-exports
Reviewed-by: Kacur, Michal <michal.kacur@t-systems.com> Co-authored-by: Yang, Tong <yangtong2@huawei.com> Co-committed-by: Yang, Tong <yangtong2@huawei.com>
69 lines
16 KiB
HTML
<a name="mrs_01_1725"></a><a name="mrs_01_1725"></a>
<h1 class="topictitle1">MetaStore Permission Overview</h1>
<div id="body32001227"><p id="mrs_01_1725__en-us_topic_0000001173949650_p17731921132611">Constraints: MetaStore-based permission control applies only to the Hive data source.</p>
<p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p131897501620">When multiple <span id="mrs_01_1725__en-us_topic_0000001173949650_text821584411293">HetuEngine</span> clusters are deployed for collaborative computing, metadata is managed centrally by the management cluster while data computing takes place in all clusters. User permissions for accessing <span id="mrs_01_1725__en-us_topic_0000001173949650_text6512184911299">HetuEngine</span> clusters must therefore be configured in the management cluster. Users who belong to the Hive user group are added, under the same user names, to all compute instances.</p>
<div class="section" id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_section85109541151"><h4 class="sectiontitle">MetaStore Permission</h4><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p75275541512">Like Hive, <span id="mrs_01_1725__en-us_topic_0000001173949650_text9476205411292">HetuEngine</span> is a data warehouse framework built on Hadoop that stores structured data and exposes it through an SQL interface.</p>
<p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p15271547517">Permissions in a cluster are assigned to roles, and roles are bound to users or user groups. A user obtains a permission only by being bound to a role that holds it, or by joining a user group that is bound to such a role.</p>
</div>
<div class="section" id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_section12441166619"><h4 class="sectiontitle">Permission Management</h4><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p3631863612"><span id="mrs_01_1725__en-us_topic_0000001173949650_text163011658112913">HetuEngine</span> permission management uses the cluster permission system to control users' operations on databases, so that different users can work on databases independently and securely. A user can operate on another user's tables and databases only with the corresponding permissions; otherwise the operation is rejected.</p>
<p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p763961269"><span id="mrs_01_1725__en-us_topic_0000001173949650_text20106155203016">HetuEngine</span> permission management integrates the Hive permission management functions. Both the Hive MetaStore service and the web-based permission granting function must be available to enable <span id="mrs_01_1725__en-us_topic_0000001173949650_text183017953017">HetuEngine</span> permission management.</p>
</div>
<ul id="mrs_01_1725__en-us_topic_0000001173949650_ul13416516720"><li id="mrs_01_1725__en-us_topic_0000001173949650_li331511876">Granting permissions on the web page: <span id="mrs_01_1725__en-us_topic_0000001173949650_text4385112717">HetuEngine</span> supports granting permissions only on the web page. On Manager, choose <strong id="mrs_01_1725__en-us_topic_0000001173949650_b19379312850">System</strong> > <strong id="mrs_01_1725__en-us_topic_0000001173949650_b1537911124515">Permission</strong> to add or delete a user, user group, or role, and to grant or revoke permissions.</li><li id="mrs_01_1725__en-us_topic_0000001173949650_li17414519715">Obtaining and checking permissions: When a DDL or DML command is received from the client, <span id="mrs_01_1725__en-us_topic_0000001173949650_text1931451472">HetuEngine</span> obtains the client user's permissions on the database objects involved from MetaStore and checks whether they include the permissions the command requires. If they do, the operation is allowed; if they do not, the operation is rejected. Passing the MetaStore check is not sufficient on its own: the ACL permissions on the corresponding HDFS directories and files are checked next, and the operation succeeds only if both checks pass.</li></ul>
<div class="section" id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_section2684411775"><h4 class="sectiontitle"><span id="mrs_01_1725__en-us_topic_0000001173949650_text7552131683115">HetuEngine</span> Permission Model</h4><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p129824110711">A user who runs SQL queries through <span id="mrs_01_1725__en-us_topic_0000001173949650_text1692081810315">HetuEngine</span> must be granted permissions on the <span id="mrs_01_1725__en-us_topic_0000001173949650_text92942222315">HetuEngine</span> databases and tables involved (including external tables and views). The complete <span id="mrs_01_1725__en-us_topic_0000001173949650_text77942512316">HetuEngine</span> permission model consists of metadata permissions and HDFS file permissions; the permissions required to use a database or a table are only one part of the <span id="mrs_01_1725__en-us_topic_0000001173949650_text24941181468">HetuEngine</span> permissions.</p>
<ul id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_ul17985411871"><li id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_li10987413720">Metadata permissions<p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p169815417713"><a name="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_li10987413720"></a><a name="en-us_topic_0000001173949650_en-us_topic_0254454554_li10987413720"></a>Metadata permissions are controlled at the metadata level. As in traditional relational databases, a <span id="mrs_01_1725__en-us_topic_0000001173949650_text671951184610">HetuEngine</span> database carries the CREATE and SELECT permissions, and tables and columns carry the SELECT, INSERT, UPDATE, and DELETE permissions. <span id="mrs_01_1725__en-us_topic_0000001173949650_text1920161519469">HetuEngine</span> also supports the OWNERSHIP and ADMIN permissions.</p>
</li><li id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_li109884117717">Data file permissions (that is, HDFS file permissions)<p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p129894110715"><a name="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_li109884117717"></a><a name="en-us_topic_0000001173949650_en-us_topic_0254454554_li109884117717"></a><span id="mrs_01_1725__en-us_topic_0000001173949650_text204582182465">HetuEngine</span> database and table files are stored in HDFS. By default, created databases and tables are saved under the <strong id="mrs_01_1725__en-us_topic_0000001173949650_b18222215710">/user/hive/warehouse</strong> directory of HDFS, where the system automatically creates subdirectories named after the database and table names. To access a database or a table, the corresponding file permissions (READ, WRITE, and EXECUTE) on HDFS are required.</p>
</li></ul>
<p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p149811415715">To perform operations on <span id="mrs_01_1725__en-us_topic_0000001173949650_text18320192313462">HetuEngine</span> databases or tables, the metadata permission and the HDFS file permission must be granted together. For example, to query a <span id="mrs_01_1725__en-us_topic_0000001173949650_text4369725144617">HetuEngine</span> table, the metadata permission SELECT must be paired with the READ and EXECUTE permissions on the table's HDFS directory and files.</p>
<p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p119811411677">When the permissions of <span id="mrs_01_1725__en-us_topic_0000001173949650_text7840185514914">HetuEngine</span> databases and tables are managed through the FusionInsight Manager GUI, only the metadata permission needs to be configured; the system automatically associates and configures the matching HDFS file permission. This simplifies operations on the interface and improves efficiency.</p>
</div>
<div class="section" id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_section8528760810"><h4 class="sectiontitle"><span id="mrs_01_1725__en-us_topic_0000001173949650_text110715610107">HetuEngine</span> Application Scenarios and Related Permissions</h4><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p11612106883">To create a database through the <span id="mrs_01_1725__en-us_topic_0000001173949650_text12817252151510">HetuEngine</span> service, a user only needs to be a member of the Hive user group; no role authorization is required. Users hold all permissions, in both Hive and HDFS, on the databases and tables they create themselves: they can create tables, select, delete, insert, or update data, and grant other users permissions to access the tables and the corresponding HDFS directories and files.</p>
<p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p8612106287">A user can access tables or databases only with the corresponding permissions. The permissions a user requires vary with the <span id="mrs_01_1725__en-us_topic_0000001173949650_text1099371013108">HetuEngine</span> scenario.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_table1153076681" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Typical <span id="mrs_01_1725__en-us_topic_0000001173949650_text8710202141018">HetuEngine</span> scenarios and required permissions</caption><thead align="left"><tr id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_row361215620813"><th align="left" class="cellrowborder" valign="top" width="31%" id="mcps1.3.7.4.2.3.1.1"><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p261213617811"><strong id="mrs_01_1725__en-us_topic_0000001173949650_b12449791111">Scenario</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="69%" id="mcps1.3.7.4.2.3.1.2"><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p96121614820"><strong id="mrs_01_1725__en-us_topic_0000001173949650_b14518158116">Required Permission</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_row06121616815"><td class="cellrowborder" valign="top" width="31%" headers="mcps1.3.7.4.2.3.1.1 "><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p11612961287">Using <span id="mrs_01_1725__en-us_topic_0000001173949650_text7823251106">HetuEngine</span> tables, columns, or databases</p>
</td>
<td class="cellrowborder" valign="top" width="69%" headers="mcps1.3.7.4.2.3.1.2 "><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p46120614815">Permissions required in different scenarios are as follows:</p>
<ul id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_ul136121461786"><li id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_li36121761812">To create a table, the CREATE permission is required.</li><li id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_li13612661387">To query data, the SELECT permission is required.</li><li id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_li66127616810">To insert data, the INSERT permission is required.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
<p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p36127616819">In some special <span id="mrs_01_1725__en-us_topic_0000001173949650_text879862921018">HetuEngine</span> scenarios, additional permissions must be configured separately.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_table155401661782" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Typical <span id="mrs_01_1725__en-us_topic_0000001173949650_text1167513336106">HetuEngine</span> authentication scenarios and required permissions</caption><thead align="left"><tr id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_row9613106882"><th align="left" class="cellrowborder" valign="top" width="31.31%" id="mcps1.3.7.6.2.3.1.1"><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p36139610816"><strong id="mrs_01_1725__en-us_topic_0000001173949650_b42017520117">Scenario</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="68.69%" id="mcps1.3.7.6.2.3.1.2"><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p6613156287"><strong id="mrs_01_1725__en-us_topic_0000001173949650_b49361176123">Required Permission</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_row2613176987"><td class="cellrowborder" valign="top" width="31.31%" headers="mcps1.3.7.6.2.3.1.1 "><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p561311616820">Creating <span id="mrs_01_1725__en-us_topic_0000001173949650_text71565376109">HetuEngine</span> databases, tables, or external tables, or adding partitions to existing tables or external tables, when the data files specified by the Hive user are stored in an HDFS directory other than <strong id="mrs_01_1725__en-us_topic_0000001173949650_b1261161910126">/user/hive/warehouse</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="68.69%" headers="mcps1.3.7.6.2.3.1.2 "><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p11719114710815">The directory must already exist, the client user must be its owner and hold the READ, WRITE, and EXECUTE permissions on it, and the user must hold the READ and EXECUTE permissions on every ancestor directory of that directory.</p>
</td>
</tr>
<tr id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_row261319616817"><td class="cellrowborder" valign="top" width="31.31%" headers="mcps1.3.7.6.2.3.1.1 "><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p26131262818">Performing operations on all databases and tables in Hive</p>
</td>
<td class="cellrowborder" valign="top" width="68.69%" headers="mcps1.3.7.6.2.3.1.2 "><p id="mrs_01_1725__en-us_topic_0000001173949650_en-us_topic_0254454554_p16133610816">The user must be added to the <strong id="mrs_01_1725__en-us_topic_0000001173949650_b843718601413">supergroup</strong> user group and be assigned the ADMIN permission.</p>
</td>
</tr>
</tbody>
</table>
</div>
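<p>The two-layer check described under Permission Management (MetaStore grant lookup, then HDFS permission check), the SELECT-to-READ/EXECUTE pairing in the permission model, and the Table 2 rule for directories outside /user/hive/warehouse, modelled as an added Python example. This is illustrative code written for this page, not HetuEngine or Hive code, and it does not talk to a cluster: the users, roles, grants and HDFS tree it checks against are constructed sample data (the names alice, dave, hadmin, carol, sales.orders and /data/ext are assumptions), and the mapping of the write-side metadata privileges (CREATE, INSERT, UPDATE, DELETE) to HDFS WRITE and EXECUTE bits is an assumption, since the page states only the SELECT pairing.</p>

```python
"""Model of HetuEngine's two-layer (MetaStore + HDFS) authorization.
Added example, not HetuEngine or Hive code; all users, roles, grants and the
HDFS tree are constructed sample data, and nothing here talks to a cluster."""
import posixpath
from dataclasses import dataclass

WAREHOUSE = "/user/hive/warehouse"

# HDFS bits that must accompany each metadata privilege on the object's directory.
# SELECT -> READ+EXECUTE is what the page states; the write-side rows are assumed.
HDFS_BITS_FOR = {"SELECT": "r-x", "CREATE": "-wx", "INSERT": "-wx",
                 "UPDATE": "-wx", "DELETE": "-wx"}

@dataclass
class HdfsDir:
    owner: str
    group: str
    mode: str  # nine-character POSIX mode string, e.g. "rwxr-x---"

@dataclass
class Cluster:
    groups: dict  # user -> set of user groups ("supergroup" = HDFS superuser)
    roles: dict   # user -> set of roles bound to the user
    grants: dict  # role -> {object: set of privileges}; {"*": {"ADMIN"}} = all
    hdfs: dict    # absolute path -> HdfsDir

def has_bits(actual, needed):
    """True if every bit set in `needed` (e.g. "r-x") is present in `actual`."""
    return all(n == "-" or a == n for a, n in zip(actual, needed))

def hdfs_bits(c, user, path):
    """Effective rwx bits of `user` on `path` (owner, group or other class)."""
    d, user_groups = c.hdfs[path], c.groups.get(user, set())
    if "supergroup" in user_groups:
        return "rwx"
    if d.owner == user:
        return d.mode[0:3]
    return d.mode[3:6] if d.group in user_groups else d.mode[6:9]

def metastore_allows(c, user, privilege, obj):
    """Layer 1: a privilege reaches a user only through a bound role;
    OWNERSHIP of the object or ADMIN on "*" implies every privilege."""
    for role in c.roles.get(user, set()):
        by_obj = c.grants.get(role, {})
        if "ADMIN" in by_obj.get("*", set()):
            return True
        privs = by_obj.get(obj, set())
        if privilege in privs or "OWNERSHIP" in privs:
            return True
    return False

def authorize(c, user, privilege, db, table=None):
    """Check a DDL/DML request: MetaStore first, then HDFS on the warehouse
    directory of the database or table. Returns (allowed, reason)."""
    obj = db if table is None else f"{db}.{table}"
    if not metastore_allows(c, user, privilege, obj):
        return False, f"MetaStore: {user} lacks {privilege} on {obj}"
    path = f"{WAREHOUSE}/{db}.db" + ("" if table is None else f"/{table}")
    got, needed = hdfs_bits(c, user, path), HDFS_BITS_FOR[privilege]
    if not has_bits(got, needed):
        return False, f"HDFS: {user} has {got} on {path}, needs {needed}"
    return True, "allowed"

def external_dir_usable(c, user, path):
    """Table 2 rule for data outside the warehouse: the directory must exist,
    the user must own it and hold rwx on it, and hold r-x on every ancestor."""
    if path not in c.hdfs:
        return False, f"{path} does not exist"
    if c.hdfs[path].owner != user:
        return False, f"{user} is not the owner of {path}"
    if not has_bits(hdfs_bits(c, user, path), "rwx"):
        return False, f"{user} lacks rwx on {path}"
    p = posixpath.dirname(path)
    while True:  # walk up to and including "/"
        if p not in c.hdfs or not has_bits(hdfs_bits(c, user, p), "r-x"):
            return False, f"{user} lacks r-x on ancestor {p}"
        if p == "/":
            return True, "usable"
        p = posixpath.dirname(p)

def sample_cluster():
    """Constructed sample data; the names and layout are illustrative assumptions."""
    def d(owner, mode, group="hive"):
        return HdfsDir(owner, group, mode)
    return Cluster(
        groups={"alice": {"hive"}, "dave": {"analysts"},
                "hadmin": {"hive", "supergroup"}},
        roles={"alice": {"analyst"}, "dave": {"analyst"}, "hadmin": {"admin"}},
        grants={"analyst": {"sales.orders": {"SELECT"}}, "admin": {"*": {"ADMIN"}}},
        hdfs={"/": d("hdfs", "rwxr-xr-x", "supergroup"),
              WAREHOUSE: d("hive", "rwxrwx---"),
              f"{WAREHOUSE}/sales.db": d("carol", "rwxr-x---"),
              f"{WAREHOUSE}/sales.db/orders": d("carol", "rwxr-x---"),
              "/data": d("hdfs", "rwxr-xr-x", "supergroup"),
              "/data/ext": d("alice", "rwx------"),
              "/data/private": d("hdfs", "rwx------", "supergroup"),
              "/data/private/ext2": d("alice", "rwx------")})
```

<p>Calling <code>authorize(sample_cluster(), "dave", "SELECT", "sales", "orders")</code> shows the case the page warns about: dave's role grants SELECT on the table in MetaStore, but he is not in the hive group and is not the directory owner, so the HDFS check fails and the query is still rejected. <code>external_dir_usable(sample_cluster(), "alice", "/data/private/ext2")</code> fails on the ancestor rule even though alice owns the leaf directory. On a real cluster the equivalent evidence is the role's grant in Manager together with <code>hdfs dfs -ls</code> and <code>hdfs dfs -getfacl</code> output for the table directory and each of its parents.</p>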
</div>
<div class="section" id="mrs_01_1725__en-us_topic_0000001173949650_section18320171294615"><h4 class="sectiontitle">Enabling MetaStore Authentication</h4><p>Ranger-based and MetaStore-based permission control are alternatives for HetuEngine. Once Ranger is disabled in the steps below, only the MetaStore permissions and HDFS file permissions described above are enforced, so confirm that the required roles, user group memberships, and HDFS permissions are in place before switching.</p><ol id="mrs_01_1725__en-us_topic_0000001173949650_ol19807102214236"><li id="mrs_01_1725__en-us_topic_0000001173949650_li198072229237"><span>Log in to FusionInsight Manager.</span></li><li id="mrs_01_1725__en-us_topic_0000001173949650_li9807622152311"><span>Choose <strong id="mrs_01_1725__en-us_topic_0000001173949650_b1840661613142">Cluster</strong> > <strong id="mrs_01_1725__en-us_topic_0000001173949650_b341251601414">Services</strong> > <strong id="mrs_01_1725__en-us_topic_0000001173949650_b121641524201410"><span id="mrs_01_1725__en-us_topic_0000001173949650_text16953134620505">HetuEngine</span></strong> > <strong id="mrs_01_1725__en-us_topic_0000001173949650_b154131416151418">More</strong> > <strong id="mrs_01_1725__en-us_topic_0000001173949650_b5413201671417">Disable Ranger</strong>.</span></li><li id="mrs_01_1725__en-us_topic_0000001173949650_li04242036171019"><span>Choose <strong id="mrs_01_1725__en-us_topic_0000001173949650_b122151230408">Cluster</strong> > <strong id="mrs_01_1725__en-us_topic_0000001173949650_b321563194019">Services</strong> > <strong id="mrs_01_1725__en-us_topic_0000001173949650_b10215193174011"><span id="mrs_01_1725__en-us_topic_0000001173949650_text1621514324011">HetuEngine</span></strong> > <strong id="mrs_01_1725__en-us_topic_0000001173949650_b11215143114016">More</strong> > <strong id="mrs_01_1725__en-us_topic_0000001173949650_b204611463327">Restart Service</strong>.</span></li><li id="mrs_01_1725__en-us_topic_0000001173949650_li7424153620104"><span>Restart the compute instance on HSConsole. For details, see <a href="mrs_01_1736.html">Managing a HetuEngine Compute Instance</a>.</span></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="mrs_01_1724.html">HetuEngine MetaStore-based Permission Control</a></div>
</div>
</div>