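Part of the article series: Big Data Security in Practice https://www.jianshu.com/p/76627fd8399c
Configuring a Secure Hive Cluster Integrated with Sentry - Blog - Yunqi Community - Alibaba Cloud
Apache Sentry Manual Installation and Usage Guide - CSDN Blog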
#!/bin/bash
# Create a Sentry service principal with a random key for each of the five hosts.
kadmin.local -q "addprinc -randkey sentry/v-hadoop-kbds.sz.kingdee.net"
kadmin.local -q "addprinc -randkey sentry/v-hadoop2-kbds.sz.kingdee.net"
kadmin.local -q "addprinc -randkey sentry/v-hadoop3-kbds.sz.kingdee.net"
kadmin.local -q "addprinc -randkey sentry/v-hadoop4-kbds.sz.kingdee.net"
kadmin.local -q "addprinc -randkey sentry/v-hadoop5-kbds.sz.kingdee.net"
# Export the keys of all five principals into one keytab file.
kadmin.local -q "ktadd -k /etc/hadoop/conf/sentry-service.keytab sentry/v-hadoop-kbds.sz.kingdee.net"
kadmin.local -q "ktadd -k /etc/hadoop/conf/sentry-service.keytab sentry/v-hadoop2-kbds.sz.kingdee.net"
kadmin.local -q "ktadd -k /etc/hadoop/conf/sentry-service.keytab sentry/v-hadoop3-kbds.sz.kingdee.net"
kadmin.local -q "ktadd -k /etc/hadoop/conf/sentry-service.keytab sentry/v-hadoop4-kbds.sz.kingdee.net"
kadmin.local -q "ktadd -k /etc/hadoop/conf/sentry-service.keytab sentry/v-hadoop5-kbds.sz.kingdee.net"
sentry-site.xml
<property>
<name>sentry.service.security.mode</name>
<value>kerberos</value>
</property>
<property>
<name>sentry.verify.schema.version</name>
<value>true</value>
</property>
<property>
<name>sentry.service.server.principal</name>
<value>sentry/_HOST@TT.COM</value>
</property>
<property>
<name>sentry.service.server.keytab</name>
<value>/etc/hadoop/conf/sentry-service.keytab</value>
</property>
<property>
<name>sentry.policy.store.plugins</name>
<value>org.apache.sentry.hdfs.SentryPlugin</value>
</property>
<property>
<name>sentry.hdfs.integration.path.prefixes</name>
<value>/user/hive/warehouse</value>
</property>
[kduser@v-hadoop-kbds apache-sentry-2.0.0-bin]$ bin/sentry --command service --conffile conf/sentry-site.xml
18/03/15 15:46:05 INFO thrift.SentryService: Configured on address v-hadoop-kbds.sz.kingdee.net/172.20.178.28:8038
18/03/15 15:46:05 INFO thrift.SentryService: Using kerberos principal: sentry/v-hadoop-kbds.sz.kingdee.net@TT.COM
18/03/15 15:46:05 INFO DataNucleus.Persistence: Property datanucleus.fixedDatastore unknown - will be ignored
18/03/15 15:46:05 INFO DataNucleus.Persistence: Property datanucleus.cache.level2 unknown - will be ignored
18/03/15 15:46:08 WARN DataNucleus.MetaData: Metadata has jdbc-type of null yet this is not valid. Ignored
18/03/15 15:46:08 INFO thrift.LeaderStatusMonitor: Leader election protocol disabled, assuming single active server
18/03/15 15:46:08 INFO thrift.SentryService: Attempting to start...
18/03/15 15:46:08 INFO thrift.SentryKerberosContext: Logging in with new Context
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /etc/hadoop/conf/sentry-service.keytab refreshKrb5Config is true principal is sentry/v-hadoop-kbds.sz.kingdee.net@TT.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is sentry/v-hadoop-kbds.sz.kingdee.net@TT.COM
null credentials from Ticket Cache
principal is sentry/v-hadoop-kbds.sz.kingdee.net@TT.COM
Will use keytab
Commit Succeeded
18/03/15 15:46:08 INFO thrift.SentryService: sentry store cleaner is scheduled with interval 43200 seconds
18/03/15 15:46:08 INFO persistent.SentryStore: Purging MSentryPathUpdate and MSentyPermUpdate tables, leaving 200 entries
18/03/15 15:46:08 INFO conf.HiveConf: Found configuration file null
18/03/15 15:46:08 INFO persistent.SentryStore: MSentryPermChange table has been purged.
18/03/15 15:46:08 INFO persistent.SentryStore: MSentryPathUpdate table has been purged.
18/03/15 15:46:09 INFO thrift.SentryService: Metastore uri is not configured. Do not start HMSFollower
18/03/15 15:46:09 INFO thrift.SentryService: ProcessorFactory being used: org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessorFactory
18/03/15 15:46:09 INFO hdfs.SentryPlugin: Sentry HDFS plugin initialized !!
18/03/15 15:46:09 INFO thrift.SentryService: ProcessorFactory being used: org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorFactory
18/03/15 15:46:09 INFO DataNucleus.Persistence: Property datanucleus.fixedDatastore unknown - will be ignored
18/03/15 15:46:09 INFO DataNucleus.Persistence: Property datanucleus.cache.level2 unknown - will be ignored
18/03/15 15:46:10 WARN DataNucleus.MetaData: Metadata has jdbc-type of null yet this is not valid. Ignored
18/03/15 15:46:10 INFO thrift.SentryService: Serving on v-hadoop-kbds.sz.kingdee.net/172.20.178.28:8038
18/03/15 15:46:10 INFO thrift.SentryService: Sentry service is ready to serve client requests
Sentry service is ready to serve client requests
core-site.xml
<property>
<name>hadoop.proxyuser.httpfs.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.httpfs.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.hue.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.hue.groups</name>
<value>*</value>
</property>
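The core-site.xml entries above set both hosts and groups to * for the hue and httpfs proxy users, which lets those service accounts impersonate any user from any host. The following is an added example, not part of the original article, that audits a core-site.xml for such rules; the oozie entry and its values are constructed sample data, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the four properties from the page plus a scoped entry
# for a hypothetical "oozie" proxy user (its host and group values are made up).
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.httpfs.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.httpfs.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hue.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hue.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.oozie.hosts</name><value>gw1.example.com</value></property>
  <property><name>hadoop.proxyuser.oozie.groups</name><value>etl, analysts</value></property>
</configuration>"""

PREFIX = "hadoop.proxyuser."
SCOPES = ("hosts", "groups", "users")


def proxyuser_rules(xml_text):
    """Return {proxy_user: {scope: [values]}} from a Hadoop *-site.xml document."""
    rules = defaultdict(dict)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # The proxy user name may itself contain dots, so split from the right.
        user, _, scope = name[len(PREFIX):].rpartition(".")
        if user and scope in SCOPES:
            rules[user][scope] = [v.strip() for v in value.split(",") if v.strip()]
    return dict(rules)


def audit(xml_text):
    """Return sorted (proxy_user, finding) pairs for unrestricted impersonation rules."""
    findings = []
    for user, scopes in proxyuser_rules(xml_text).items():
        wild = sorted(s for s, vals in scopes.items() if "*" in vals)
        if "hosts" in wild and ("groups" in wild or "users" in wild):
            findings.append((user, "may impersonate any user from any host"))
        elif wild:
            findings.append((user, "wildcard in " + ", ".join(wild)))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(CORE_SITE):
        print(f"{user}: {finding}")
```

Replacing * with the gateway hostnames and the groups whose members Hue or HttpFS actually need to act for clears the finding, as the constructed oozie entry shows.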