This article covers how to use the hbase shell, the phoenix shell and phoenix jdbc code when hbase access control is enabled.
hbase version: Version 1.2.0-cdh5.7.0
phoenix version: 4.8.2
1. Enabling hbase acl access control
1.1 When hbase acl access control is not enabled, calling the permission-related api directly from java code fails with the error:
org.apache.hadoop.hbase.TableNotFoundException: hbase:acl
1.2 With the hbase shell the error looks like this:
hbase(main):002:0> scan 'hbase:acl'
ROW COLUMN+CELL
ERROR: Unknown table hbase:acl!
1.3 Edit hbase-site.xml and add the properties below, then restart hbase to enable hbase acl
<property>
<name>hbase.security.authentication</name>
<value>simple</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController, org.apache.hadoop.hbase.security.token.TokenProvider</value>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
<name>hbase.coprocessor.regionserver.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
<name>hbase.security.exec.permission.checks</name>
<value>true</value>
</property>
<property>
<name>hfile.format.version</name>
<value>3</value>
</property>
1.4 Check that hbase acl permissions are in effect
Log in to the hbase client as the hbase user (the superuser): > hbase shell
hbase(main):002:0> scan 'hbase:acl'
ROW COLUMN+CELL
0 row(s) in 0.1560 seconds
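An added configuration check for the procedure above (example code written for this article, not from the HBase project): it parses an hbase-site.xml and reports which of the section 1.3 settings are missing, so the hbase shell scan in 1.4 is not the only way to confirm the ACL coprocessors are wired in. The sample XML is constructed and deliberately omits the master coprocessor; the finding about 'simple' authentication is this example's own caveat.

```python
import xml.etree.ElementTree as ET
ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
# Fixed-value settings from section 1.3 that HBase ACL enforcement depends on.
REQUIRED = {
    "hbase.security.authorization": "true",
    "hbase.security.exec.permission.checks": "true",
    "hfile.format.version": "3",
}
COPROCESSOR_KEYS = (
    "hbase.coprocessor.region.classes",
    "hbase.coprocessor.master.classes",
    "hbase.coprocessor.regionserver.classes",
)

def parse_hbase_site(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_acl_config(props):
    """Return a list of findings; an empty list means the ACL setup is complete."""
    findings = []
    for key, expected in REQUIRED.items():
        if props.get(key) != expected:
            findings.append("%s=%r, expected %r" % (key, props.get(key), expected))
    for key in COPROCESSOR_KEYS:
        # each coprocessor list must load the AccessController or checks are skipped there
        classes = [c.strip() for c in props.get(key, "").split(",")]
        if ACCESS_CONTROLLER not in classes:
            findings.append("%s does not load AccessController" % key)
    # With 'simple' authentication the user name is whatever the client asserts
    # (compare createRemoteUser in section 7), so ACLs bind to an unverified identity.
    if props.get("hbase.security.authentication", "simple") != "kerberos":
        findings.append("hbase.security.authentication is not 'kerberos': "
                        "user identity is client-asserted, not verified")
    return findings

# Constructed sample: authorization is on but the master coprocessor is missing.
SAMPLE_XML = """<configuration>
<property><name>hbase.security.authentication</name><value>simple</value></property>
<property><name>hbase.security.authorization</name><value>true</value></property>
<property><name>hbase.coprocessor.region.classes</name><value>org.apache.hadoop.hbase.security.access.AccessController, org.apache.hadoop.hbase.security.token.TokenProvider</value></property>
<property><name>hbase.coprocessor.regionserver.classes</name><value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
<property><name>hbase.security.exec.permission.checks</name><value>true</value></property>
<property><name>hfile.format.version</name><value>3</value></property>
</configuration>"""
```

Run `audit_acl_config(parse_hbase_site(open("hbase-site.xml").read()))` against a real file; an empty list means every setting from 1.3 is present.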
2. Mapping hbase namespaces to phoenix schemas
2.1 Edit hbase-site.xml, add the properties below and restart hbase; afterwards each hbase namespace maps to a database schema
<property>
<name>phoenix.schema.isNamespaceMappingEnabled</name>
<value>true</value>
</property>
<property>
<name>phoenix.schema.mapSystemTablesToNamespace</name>
<value>true</value>
</property>
3. Common hbase shell operations
3.1 list //list all hbase tables
3.2 list_namespace //list all namespaces
3.3 create_namespace 'ns1' //create a namespace, the equivalent of a database schema
3.4 create 'ns1:t1', 'cf1' //create hbase table t1 in namespace ns1; a column family must be given, otherwise the command fails
3.5 put 'ns1:t1', 'r1', 'cf1:c1', 'aaaaaaaa' //insert one row into table ns1:t1 with rowkey r1, column family cf1, column c1
3.6 get 'ns1:t1', 'r1' //fetch the row with rowkey r1 from table ns1:t1
4. Granting permissions in the hbase shell
4.1 hbase acl has five permissions, RWXCA, corresponding to read, write, execute, create and admin
grant 'user1', 'R', 't1' //grant user1 the 'R' (read) permission on table t1; any combination of the letters 'RWXCA' can be given in its place
4.2 Typing grant with no arguments in the hbase shell prints the full grant syntax
hbase(main):001:0> grant
ERROR: First argument should be a String
Here is some help for this command:
Grant users specific rights.
Syntax : grant <user>, <permissions> [, <@namespace> [, <table> [, <column family> [, <column qualifier>]]]
permissions is either zero or more letters from the set "RWXCA".
READ('R'), WRITE('W'), EXEC('X'), CREATE('C'), ADMIN('A')
Note: Groups and users are granted access in the same way, but groups are prefixed with an '@'
character. In the same way, tables and namespaces are specified, but namespaces are
prefixed with an '@' character.
For example:
hbase> grant 'bobsmith', 'RWXCA'
hbase> grant '@admins', 'RWXCA'
hbase> grant 'bobsmith', 'RWXCA', '@ns1'
hbase> grant 'bobsmith', 'RW', 't1', 'f1', 'col1'
hbase> grant 'bobsmith', 'RW', 'ns1:t1', 'f1', 'col1'
4.3 Viewing permissions
user_permission 'db1:t1' //list the users that have permissions on this table
user_permission '@db1' //list the users that have permissions on this namespace
scan 'hbase:acl' //scan the full permission list
5. phoenix shell operations
5.1 Log in to the phoenix client as the OS hbase user; the !table command lists all tables the user has permission on
[hbase@vm71 ~]$ /usr/lib/phoenix/bin/sqlline.py
0: jdbc:phoenix:> !table
+------------+--------------+-------------+---------------+----------+------------+----------------------------+-----------------+--------------+-----------------+------------+
| TABLE_CAT | TABLE_SCHEM | TABLE_NAME | TABLE_TYPE | REMARKS | TYPE_NAME | SELF_REFERENCING_COL_NAME | REF_GENERATION | INDEX_STATE | IMMUTABLE_ROWS | SALT_BUCKE |
+------------+--------------+-------------+---------------+----------+------------+----------------------------+-----------------+--------------+-----------------+------------+
| | SYSTEM | CATALOG | SYSTEM TABLE | | | | | | false | null |
| | SYSTEM | FUNCTION | SYSTEM TABLE | | | | | | false | null |
| | SYSTEM | SEQUENCE | SYSTEM TABLE | | | | | | false | null |
| | SYSTEM | STATS | SYSTEM TABLE | | | | | | false | null |
| | | DDD | TABLE | | | | | | false | null |
+------------+--------------+-------------+---------------+----------+------------+----------------------------+-----------------+--------------+-----------------+------------+
0: jdbc:phoenix:>
5.2 To run sqlline.py as a different OS account, grant the extra permissions named in the error messages, or simply run grant 'user1', 'RWXCA', '@SYSTEM'
6. Mapping between phoenix and hbase tables
6.1 phoenix is built on top of hbase; its metadata is stored in the CATALOG, FUNCTION, MUTEX, SEQUENCE and STATS tables under the SYSTEM namespace. Every phoenix table is an hbase table, but an hbase table is not necessarily a phoenix table.
An existing hbase table must have a phoenix mapping created before phoenix can read it; otherwise phoenix reports that the table is not found
-- create the mapping
CREATE TABLE "t01" ( "ROW" varchar primary key, "cf1"."c1" varchar);
7. Running phoenix jdbc code as a specified account
import java.security.PrivilegedAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.util.Properties;
import org.apache.hadoop.security.UserGroupInformation;

public class PhoenixProxyQuery {
    public static void main(String[] args) {
        // run the query as proxy user userxxx
        final String url = "jdbc:phoenix:<zookeeper-quorum>"; // placeholder: replace with your ZooKeeper quorum
        final String proxyUser = "userxxx";
        final String querySQL = "select * from t01";
        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(proxyUser);
        ugi.doAs(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                Connection conn = null;
                try {
                    Class.forName("org.apache.phoenix.jdbc.PhoenixDriver");
                    Properties properties = new Properties();
                    // must match the namespace mapping settings in hbase-site.xml (section 2)
                    properties.setProperty("phoenix.schema.mapSystemTablesToNamespace", "true");
                    properties.setProperty("phoenix.schema.isNamespaceMappingEnabled", "true");
                    conn = DriverManager.getConnection(url, properties);
                    PreparedStatement statement = conn.prepareStatement(querySQL);
                    ResultSet rs = statement.executeQuery();
                    // print the result set, one row per line as column=value pairs
                    ResultSetMetaData meta = rs.getMetaData();
                    int cols = meta.getColumnCount();
                    while (rs.next()) {
                        StringBuilder row = new StringBuilder();
                        for (int i = 1; i <= cols; i++) {
                            row.append(meta.getColumnName(i)).append('=').append(rs.getString(i)).append(' ');
                        }
                        System.out.println(row.toString().trim());
                    }
                } catch (ClassNotFoundException e) {
                    e.printStackTrace();
                } catch (SQLException e) {
                    e.printStackTrace();
                } finally {
                    try {
                        if (conn != null) {
                            conn.close();
                        }
                    } catch (SQLException e) {
                        e.printStackTrace();
                    }
                }
                return null;
            }
        });
    }
}
8. Known issues with phoenix
When a table is created through phoenix jdbc without specifying a column family, the default column family is 0
A phoenix table can have columns with the same name under different column families, but the jdbc sql result does not include the column family name
select * from t1 also returns columns the user has no permission on
The default schema is written as the empty string "", e.g. to query table t1 in the default schema: select * from ""."t1"
Schema and table names must be wrapped in double quotes; otherwise they are converted to upper case and the table is not found, which is a pain
When phoenix acts on hbase as a specified user, phoenix.queryserver.withRemoteUserExtractor in the 4.8.2 QueryServer has a bug and only takes effect when kerberos is enabled