Apache Sentry Basics and Setup

The Sentry RPC server stores its authorization metadata in a relational database.
Apache Sentry is a granular, role-based authorization module for Hadoop. Sentry provides the ability to control and enforce precise levels of privileges on data for authenticated users and applications on a Hadoop cluster. Sentry currently works out of the box with Apache Hive, Hive Metastore/HCatalog, Apache Solr, Impala and HDFS (limited to Hive table data). 
Consider users Alice and Bob who belong to an Active Directory (AD) group called finance-department. Bob also belongs to a group called finance-managers. In Sentry, you first create roles and then grant privileges to these roles. 
Sentry relies on underlying authentication systems such as Kerberos or LDAP to identify the user. 


There are three components involved in the authorization process:
·        Sentry Server: The Sentry RPC server manages the authorization metadata. It provides interfaces to securely retrieve and manipulate that metadata;
·        Data Engine: This is a data processing application such as Hive or Impala that needs to authorize access to data or metadata resources. The data engine loads the Sentry plugin, and all client requests for accessing resources are intercepted and routed to the Sentry plugin for validation;
·        Sentry Plugin: The Sentry plugin runs inside the data engine. It offers interfaces to manipulate the authorization metadata stored in the Sentry server, and includes the authorization policy engine that evaluates access requests using the authorization metadata retrieved from the server.


Sentry Setup:
Admin group in Sentry (add a new one if required):


In YARN, make sure the Sentry admin user is allowed:


Disable impersonation for Hive:
User impersonation enables Hive to submit jobs as a particular user. Without impersonation, Hive submits queries and Hadoop commands as the user that started HiveServer2 and the Hive Metastore.
The impersonated user must have write permissions to /user/hive/warehouse.


Enable Sentry for Hive, Hue and Impala:


Now follow the steps below in Hive:

STEP 1: Create a role:
CREATE ROLE admin_role;
SHOW ROLES;
SHOW GRANT ROLE admin_role;

STEP 2: Grant privileges to the role (server, database or table scope):
1.      GRANT ALL ON SERVER server1 TO ROLE admin_role;
2.      GRANT ALL ON DATABASE testdb1 TO ROLE admin_role;
3.      GRANT ALL ON TABLE testdb1.testtable1 TO ROLE admin_role;

GRANT SELECT(<column name>) ON TABLE <table name> TO ROLE <role name>;
REVOKE SELECT(<column name>) ON TABLE <table name> FROM ROLE <role name>;

server1 is the server name used for Sentry authorization (set in the Hive configuration):


STEP 3: Assign the role to a user group
GRANT ROLE admin_role TO GROUP hive;

-- The group can be new, but it must be added to the Sentry admin group if it is meant to have admin privileges.
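The following is an added example (not code from the original post or from the Sentry project) that runs the three steps above end to end for the Alice/Bob scenario from the introduction. The database name finance_db, the table salaries and its columns, and the role names are hypothetical; the AD group names finance-department and finance-managers come from the introduction, and server1 is the Sentry server name used in STEP 2.

```sql
-- Added example: applying STEP 1-3 with least privilege.
-- Assumptions (hypothetical names): database finance_db, table salaries
-- with columns emp_id, dept and salary; AD groups finance-department and
-- finance-managers; Sentry server name server1 (as in STEP 2).
-- These statements must be run by a user in the Sentry admin group.

-- STEP 1: one role per level of access. Everyone in finance gets a
-- read-only role; managers get a broader role on top of it.
CREATE ROLE finance_reader;
CREATE ROLE finance_manager;

-- STEP 2: privileges go to roles, never directly to users or groups.
-- Readers may see only the non-sensitive columns (column-level SELECT).
GRANT SELECT(emp_id) ON TABLE finance_db.salaries TO ROLE finance_reader;
GRANT SELECT(dept)   ON TABLE finance_db.salaries TO ROLE finance_reader;
-- Managers may read and modify everything in the finance database.
GRANT ALL ON DATABASE finance_db TO ROLE finance_manager;

-- STEP 3: map roles to AD groups. Group names containing '-' must be
-- quoted with backticks in Hive. Bob is in both groups, so he receives
-- the union of both roles' privileges; Alice receives finance_reader only.
GRANT ROLE finance_reader  TO GROUP `finance-department`;
GRANT ROLE finance_manager TO GROUP `finance-managers`;

-- Verification: what each role can do, and which roles a group holds.
SHOW ROLES;
SHOW GRANT ROLE finance_reader;
SHOW GRANT ROLE finance_manager;
SHOW ROLE GRANT GROUP `finance-department`;
SHOW ROLE GRANT GROUP `finance-managers`;

-- Removing access is done per privilege or per role-to-group mapping.
REVOKE SELECT(dept) ON TABLE finance_db.salaries FROM ROLE finance_reader;
REVOKE ROLE finance_manager FROM GROUP `finance-managers`;
```

Because the salary column is never granted to finance_reader, a query from Alice that touches it is rejected by the Sentry plugin inside HiveServer2 before any data is read; the SHOW GRANT / SHOW ROLE GRANT statements are the quickest way to confirm the effective privileges after each change.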
