美文网首页
Apache Sentry权限表

Apache Sentry权限表

作者: Austin_Brant | 来源:发表于2017-07-19 17:48 被阅读0次

    简介

    Apache Sentry的目标是实现授权管理,它是一个策略引擎,被数据处理工具用来验证访问权限。它也是一个高度扩展的模块,可以支持任何的数据模型。当前,它支持Apache Hive和Cloudera Impala的关系数据模型,以及Apache中的有继承关系的数据模型。

    Sentry提供了定义和持久化访问资源的策略的方法。目前,这些策略可以存储在文件里或者是能使用RPC服务访问的数据库后端存储里。数据访问工具,例如Hive,以一定的模式辨认用户访问数据的请求,例如从一个表读一行数据或者删除一个表。这个工具请求Sentry验证访问是否合理。Sentry构建请求用户被允许的权限的映射并判断给定的请求是否允许访问。请求工具这时候根据Sentry的判断结果来允许或者禁止用户的访问请求。

    Sentry授权包括以下几种角色:

    • 资源:可能是Server、Database、Table、或者URL(例如:HDFS或者本地路径)。Sentry1.5中支持对列进行授权。
    • 权限:授权访问某一个资源的规则。
    • 角色:角色是一系列权限的集合。
    • 用户和组:一个组是一系列用户的集合。Sentry 的组映射是可以扩展的。默认情况下,Sentry使用Hadoop的组映射(可以是操作系统组或者LDAP中的组)。Sentry允许你将用户和组进行关联,你可以将一系列的用户放入到一个组中。Sentry不能直接给一个用户或组授权,需要将权限授权给角色,角色可以授权给一个组而不是一个用户。

    权限相关库表

    CREATE TABLE `SENTRY_DB_PRIVILEGE` (
      `DB_PRIVILEGE_ID` BIGINT NOT NULL,
      `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
      `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
      `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
      `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
      `COLUMN_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
      `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
      `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
      `CREATE_TIME` BIGINT NOT NULL,
      `WITH_GRANT_OPTION` CHAR(1) NOT NULL,
      PRIMARY KEY (`DB_PRIVILEGE_ID`),
      UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`),
      KEY `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`),
      INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`),
      INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`),
      INDEX `SENTRY_PRIV_COL_IDX` (`COLUMN_NAME`),
      INDEX `SENTRY_PRIV_URI_IDX` (`URI`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='DB权限';
    
    CREATE TABLE `SENTRY_ROLE` (
      `ROLE_ID` BIGINT  NOT NULL PRIMARY KEY,
      `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
      `CREATE_TIME` BIGINT NOT NULL,
      UNIQUE KEY `SENTRY_ROLE_ROLE_NAME_UNIQUE` (`ROLE_NAME`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='角色表';
    
    CREATE TABLE `SENTRY_GROUP` (
      `GROUP_ID` BIGINT  NOT NULL PRIMARY KEY,
      `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
      `CREATE_TIME` BIGINT NOT NULL,
      UNIQUE KEY `SENTRY_GRP_GRP_NAME_UNIQUE` (`GROUP_NAME`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='用户组表';
    
    CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
      `ROLE_ID` BIGINT NOT NULL,
      `DB_PRIVILEGE_ID` BIGINT NOT NULL,
      `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin,
      PRIMARY KEY `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` (`ROLE_ID`,`DB_PRIVILEGE_ID`),
      CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK` FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`),
      CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK` FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='角色和DB之间的关联';
    
    CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
      `ROLE_ID` BIGINT NOT NULL,
      `GROUP_ID` BIGINT NOT NULL,
      `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin,
      PRIMARY KEY `SENTRY_ROLE_GROUP_MAP_PK` (`ROLE_ID`,`GROUP_ID`),
      CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK` FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`),
      CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK` FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='角色和组之间的关联';
    
    CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
      `VER_ID` BIGINT NOT NULL PRIMARY KEY,
      `SCHEMA_VERSION` VARCHAR(127) NOT NULL,
      `VERSION_COMMENT` VARCHAR(255) NOT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='SENTRY版本';
    
    
    CREATE TABLE `SENTRY_USER` (
        `USER_ID` BIGINT PRIMARY KEY NOT NULL,
        `USER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
        `CREATE_TIME` BIGINT NOT NULL,
        UNIQUE KEY `SENTRY_USER_USER_NAME_UNIQUE` (`USER_NAME`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='SENTRY用户表';
    
    
    CREATE TABLE `SENTRY_ROLE_USER_MAP` (
        `ROLE_ID` BIGINT NOT NULL,
        `USER_ID` BIGINT NOT NULL,
        `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin,
        PRIMARY KEY `SENTRY_ROLE_USER_MAP_PK`  (`ROLE_ID`,`USER_ID`),
        CONSTRAINT `SEN_ROLE_USER_MAP_SEN_ROLE_FK` FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`),
        CONSTRAINT `SEN_ROLE_USER_MAP_SEN_USER_FK` FOREIGN KEY (`USER_ID`) REFERENCES `SENTRY_USER`(`USER_ID`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='用户和角色之间的关联';
    
    
    
    INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.8.0', 'Sentry release version 1.8.0');
    
    -- Generic Model
    -- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
    CREATE TABLE `SENTRY_GM_PRIVILEGE`
    (
        `GM_PRIVILEGE_ID` BIGINT PRIMARY KEY NOT NULL,
        `ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
        `COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
        `CREATE_TIME` BIGINT NOT NULL,
        `WITH_GRANT_OPTION` CHAR(1) NOT NULL,
        `RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
        `RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
        `RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
        `RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
        `RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
        `RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
        `RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
        `RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
        `SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
        `SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
        -- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
        UNIQUE KEY `GM_PRIVILEGE_UNIQUE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`),
        KEY `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`),
        KEY `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`),
        KEY `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`),
        KEY `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`),
        KEY `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`),
        KEY `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
    
    
    -- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
    CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
    (
        `ROLE_ID` BIGINT NOT NULL,
        `GM_PRIVILEGE_ID` BIGINT NOT NULL,
        PRIMARY KEY `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` (`ROLE_ID`,`GM_PRIVILEGE_ID`),
        CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK` FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`),
        CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK` FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`)
    ) ENGINE=INNODB DEFAULT CHARSET=utf8;
    

    相关文章

      网友评论

          本文标题:Apache Sentry权限表

          本文链接:https://www.haomeiwen.com/subject/jtxrkxtx.html