Configuring Sentry Policy File Authorization Using the Command Line
This topic describes how to configure Sentry policy files and enable policy file authorization for unmanaged CDH services using the command line.
Configuring User to Group Mappings
Hadoop Groups
<property> <name>hive.sentry.provider</name> <value>org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider</value> </property>
Local Groups
- Define local groups in the [users] section of the Policy File. For example:
[users] user1 = group1, group2, group3 user2 = group2, group3
- Modify Sentry configuration as follows:
In sentry-site.xml, set hive.sentry.provider as follows:
<property> <name>hive.sentry.provider</name> <value>org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider</value> </property>
Enabling URIs for Per-DB Policy Files
-Dsentry.allow.uri.db.policyfile=true
Using User-Defined Functions with HiveServer2
The ADD JAR command does not work with HiveServer2 and the Beeline client when Beeline runs on a different host. As an alternative to ADD JAR, Hive's auxiliary paths functionality should be used as described in the following steps. There are some differences in the procedures for creating permanent functions and temporary functions. For detailed instructions, see Creating Temporary Functions.
Enabling Policy File Authorization for Hive
Prerequisites
- See Before You Install Sentry to verify the prerequisites for Sentry.
-
Setting Hive Warehouse Directory Permissions
- Using the default Hive warehouse directory - Permissions on the warehouse directory must be set as follows (see following Note for caveats):
- 771 on the directory itself (by default, /user/hive/warehouse)
- 771 on all subdirectories (for example, /user/hive/warehouse/mysubdir)
- All files and subdirectories should be owned by hive:hive
For example:If you have enabled Kerberos on your cluster, you must kinit as the hdfs user before you set permissions. For example:$ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse $ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
sudo -u hdfs kinit -kt <hdfs.keytab> hdfs sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse $ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
- Using a non-default Hive warehouse: If you would like to use a different directory as the Hive warehouse, update the hive.metastore.warehouse.dir property, and make sure you set the required permissions on the new directory. For example, if the new warehouse directory is /data, set the permissions as follows:
$ hdfs dfs -chown hive:hive /data $ hdfs dfs -chmod 771 /data
Note that when you update the default Hive warehouse, previously created tables will not be moved over automatically. Therefore, tables created before the update will remain at /user/hive/warehouse/<old_table>. However, after the update, any new tables created in the default location will be found at /data/<new_table>.
For Sentry/HDFS sync to work as expected, add the new warehouse URL to the list of Sentry Synchronization Path Prefixes.
- Using the default Hive warehouse directory - Permissions on the warehouse directory must be set as follows (see following Note for caveats):
- HiveServer2 impersonation must be turned off.
- The Hive user must be able to submit MapReduce jobs. You can ensure that this is true by setting the minimum user ID for job submission to 0. Edit the taskcontroller.cfg file and set min.user.id=0.
To enable the Hive user to submit YARN jobs, add the user hive to the allowed.system.users configuration property. Edit the container-executor.cfg file and add hive to the allowed.system.users property. For example,
allowed.system.users = nobody,impala,hive,hbase
- Add the Hive, Impala, and Hue groups to Sentry's admin groups. If an end user is in one of these admin groups, that user has administrative privileges on the Sentry Server.
<property> <name>sentry.service.admin.group</name> <value>hive,impala,hue</value> </property>
Configuration Changes Required
<property> <name>hive.server2.session.hook</name> <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value> </property> <property> <name>hive.sentry.conf.url</name> <value></value> <description>sentry-site.xml file location</description> </property> <property> <name>hive.metastore.client.impl</name> <value>org.apache.sentry.binding.metastore.SentryHiveMetaStoreClient</value> <description>Sets custom Hive Metastore client which Sentry uses to filter out metadata.</description> </property>
Securing the Hive Metastore
<property> <name>sentry.hive.testing.mode</name> <value>true</value> </property>Impala does not require this flag to be set.
You can turn on Hive metastore security using the instructions in Cloudera Security. To secure the Hive metastore; see Hive Metastore Server Security Configuration.
Enabling Policy File Authorization for Impala
First, enable Sentry's policy file based authorization for Hive. For details, see Enabling Policy File Authorization for Hive.
See Enabling Sentry Authorization for Impala for details on configuring Impala to work with Sentry policy files.
Enabling Sentry in Cloudera Search
See Enabling Solr as a Client for the Sentry Service Using the Command Line for details on enabling Sentry for Solr.
See Using Solr with the Sentry Service for details on securing Solr data.