侧边栏壁纸
博主头像
王一川博主等级

努力成为一个不会前端的全栈工程师

  • 累计撰写 70 篇文章
  • 累计创建 20 个标签
  • 累计收到 39 条评论

目 录CONTENT

文章目录

拓展 hive 权限功能

王一川
2022-07-21 / 0 评论 / 2 点赞 / 1,343 阅读 / 1,354 字
温馨提示:
本文最后更新于 2022-07-21,若内容或图片失效,请留言反馈。部分素材来自网络,若不小心影响到您的利益,请联系我们删除。

在使用 hiveserver2 连接到 hive 时默认是不需要密码的,当然在生产环境可以使用第三方组件如:ranger、kerberos 等来实现对 hive 的权限控制。这里给一个简单的方式来实现使用用户名密码才能连接到 hive

一、原理

本文的原理来自源码中的一个接口

package org.apache.hive.service.auth;

import javax.security.sasl.AuthenticationException;

public interface PasswdAuthenticationProvider {

  /**
   * The Authenticate method is called by the HiveServer2 authentication layer
   * to authenticate users for their requests.
   * If a user is to be granted, return nothing/throw nothing.
   * When a user is to be disallowed, throw an appropriate {@link AuthenticationException}.
   * <p/>
   * For an example implementation, see {@link LdapAuthenticationProviderImpl}.
   *
   * @param user     The username received over the connection request
   * @param password The password received over the connection request
   *
   * @throws AuthenticationException When a user is found to be
   *                                 invalid by the implementation
   */
  void Authenticate(String user, String password) throws AuthenticationException;
}

并且观察该接口的一个实现 CustomAuthenticationProviderImpl

package org.apache.hive.service.auth;

import java.lang.reflect.InvocationTargetException;

import javax.security.sasl.AuthenticationException;

import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.util.ReflectionUtils;

/**
 * This authentication provider implements the {@code CUSTOM} authentication. It allows a {@link
 * PasswdAuthenticationProvider} to be specified at configuration time which may additionally
 * implement {@link org.apache.hadoop.conf.Configurable Configurable} to grab Hive's {@link
 * org.apache.hadoop.conf.Configuration Configuration}.
 */
public class CustomAuthenticationProviderImpl implements PasswdAuthenticationProvider {

  private final PasswdAuthenticationProvider customProvider;

  @SuppressWarnings("unchecked")
  CustomAuthenticationProviderImpl(HiveConf conf) {
    Class<? extends PasswdAuthenticationProvider> customHandlerClass =
      (Class<? extends PasswdAuthenticationProvider>) conf.getClass(
      HiveConf.ConfVars.HIVE_SERVER2_CUSTOM_AUTHENTICATION_CLASS.varname,
      PasswdAuthenticationProvider.class);
    PasswdAuthenticationProvider customProvider;
    try {
      customProvider = customHandlerClass.getConstructor(HiveConf.class).newInstance(conf);
    } catch (NoSuchMethodException | InstantiationException | IllegalAccessException | InvocationTargetException e) {
      customProvider = ReflectionUtils.newInstance(customHandlerClass, conf);
    }
    this.customProvider = customProvider;
  }

  @Override
  public void Authenticate(String user, String password) throws AuthenticationException {
    customProvider.Authenticate(user, password);
  }

}

其逻辑就是如果 hiveserver2 的权限认证是 CUSTOM,会读取配置文件的 hive.server2.custom.authentication.class 配置通过反射的形式实例化并调用 Authenticate;因此赋予 hiveserver2 具有用户名密码的功能只需要在 Authenticate 中实现具体的逻辑就好了。

二、实现

本文采用的是在 hive 的元数据所在的数据库中添加一个 custom_auth 表(因为可以在配置文件中获取到对应的数据库连接信息),将自定义的用户名和密码密文存储其中,在 Authenticate 方法中进行判断即可,

项目依赖如下:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>org.example</groupId>
  <artifactId>hive-auth</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <maven.compiler.source>8</maven.compiler.source>
    <maven.compiler.target>8</maven.compiler.target>
  </properties>
  <repositories>
    <repository>
      <id>io.spring.repo.maven.release</id>
      <url>https://repository.apache.org/snapshots/</url>
      <releases>
        <enabled>true</enabled>
        <updatePolicy>always</updatePolicy>
      </releases>
      <snapshots><enabled>false</enabled></snapshots>
    </repository>
  </repositories>

  <dependencies>
    <dependency>
      <groupId>org.apache.hive</groupId>
      <artifactId>hive-service</artifactId>
      <version>3.1.2</version>
      <exclusions>
        <exclusion>
          <groupId>org.glassfish</groupId>
          <artifactId>javax.el</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>

这里的依赖在打包的时候都不需要被打包,编译期间存在即可(hive的lib下都有,包括数据库驱动)

代码如下:

package tech.kpretty.auth;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hive.service.auth.PasswdAuthenticationProvider;

import javax.security.sasl.AuthenticationException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.*;

/**
 * @author wjun
 * @date 2022/7/18 17:12
 * @email wjunjobs@outlook.com
 * @describe 自定义 hiveserver2 权限
 */
public class CustomPasswdAuthenticator implements PasswdAuthenticationProvider {
  private static final String METADATA_URL_CONF = "javax.jdo.option.ConnectionURL";
  private static String METADATA_URL;
  private static final String METADATA_DRIVER_CONF = "javax.jdo.option.ConnectionDriverName";
  private static String METADATA_DRIVER;
  private static final String METADATA_USERNAME_CONF = "javax.jdo.option.ConnectionUserName";
  private static String METADATA_USERNAME;
  private static final String METADATA_PWD_CONF = "javax.jdo.option.ConnectionPassword";
  private static String METADATA_PWD;

  private static final String AUTH_SQL = "select 1 from custom_auth t where t.user_name = ? and t.pwd = ?";

  public CustomPasswdAuthenticator() {
    Configuration configuration = new Configuration(new HiveConf());
    METADATA_URL = configuration.get(METADATA_URL_CONF);
    METADATA_DRIVER = configuration.get(METADATA_DRIVER_CONF);
    METADATA_USERNAME = configuration.get(METADATA_USERNAME_CONF);
    METADATA_PWD = configuration.get(METADATA_PWD_CONF);
  }

  @Override
  public void Authenticate(String user, String password) throws AuthenticationException {
    try (Connection connection = initConnection()) {
      PreparedStatement ps = connection.prepareStatement(AUTH_SQL);
      ps.setString(1, user);
      ps.setString(2, md5(password));
      ResultSet rs = ps.executeQuery();
      if (!rs.next()) {
        throw new AuthenticationException("用户名或密码不正确!!!");
      }
    } catch (SQLException throwables) {
      throw new RuntimeException("数据库连接异常");
    }
  }

  private static Connection initConnection() {
    try {
      Class.forName(METADATA_DRIVER);
      return DriverManager.getConnection(METADATA_URL, METADATA_USERNAME, METADATA_PWD);
    } catch (Exception e) {
      throw new RuntimeException(e);
    }
  }
  // md5 32位小写加密
  private static String md5(String inStr) {
    MessageDigest md5;
    try {
      md5 = MessageDigest.getInstance("MD5");
    } catch (Exception e) {
      e.printStackTrace();
      return "";
    }

    byte[] byteArray = inStr.getBytes(StandardCharsets.UTF_8);
    byte[] md5Bytes = md5.digest(byteArray);
    StringBuilder hexValue = new StringBuilder();
    for (byte md5Byte : md5Bytes) {
      int val = ((int) md5Byte) & 0xff;
      if (val < 16) {
        hexValue.append("0");
      }
      hexValue.append(Integer.toHexString(val));
    }
    return hexValue.toString();
  }
}

三、实施

将上述代码打包放入 hive 的 lib 下,修改 hive-site.xml 配置文件,添加如下配置

<property>
  <name>hive.server2.authentication</name>
  <value>CUSTOM</value>
</property>

<property>
  <name>hive.server2.custom.authentication.class</name>
  <value>tech.kpretty.auth.CustomPasswdAuthenticator</value>
</property>

在 hive 元数据的数据库中建表

create table custom_auth
(
    user_name varchar(10),
    pwd       varchar(32)
);

插入自定义用户名和密码密文,密文这里采用 md5 32位小写加密;最简单的方式就是跑一下代码里面的 md5 方法

image-20220721173144172

重启 hiveserver2 即可

测试结果如下

image-20220721173343308

2

评论区