Configuring Sentry Policy File Authorization Using Cloudera Manager
This topic describes how to configure Sentry policy files and enable policy file authorization for CDH services using Cloudera Manager.
- Configuring User to Group Mappings
- Enabling URIs for Per-DB Policy Files
- Using User-Defined Functions with HiveServer2
- Enabling Policy File Authorization for Hive
- Configuring Group Access to the Hive Metastore
- Enabling Policy File Authorization for Impala
- Enabling Sentry Policy File Authorization for Solr
- Configuring Sentry to Enable BDR Replication
Configuring User to Group Mappings
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
Hadoop Groups
- Go to the Hive service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the Sentry User to Group Mapping Class property or search for it by typing its name in the Search box.
- Set the Sentry User to Group Mapping Class property to org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider.
- Click Save Changes.
- Restart the Hive service.
Local Groups
- Define local groups in the [users] section of the Policy File. For example:
[users] user1 = group1, group2, group3 user2 = group2, group3
- Modify Sentry configuration as follows:
- Go to the Hive service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the Sentry User to Group Mapping Class property or search for it by typing its name in the Search box.
- Set the Sentry User to Group Mapping Class property to org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider.
- Click Save Changes.
- Restart the Hive service.
Enabling URIs for Per-DB Policy Files
-Dsentry.allow.uri.db.policyfile=true
Using User-Defined Functions with HiveServer2
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
The ADD JAR command does not work with HiveServer2 and the Beeline client when Beeline runs on a different host. As an alternative to ADD JAR, Hive's auxiliary paths functionality should be used. There are some differences in the procedures for creating permanent functions and temporary functions. For detailed instructions, see Registering a UDF in Hive.
Enabling Policy File Authorization for Hive
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
- See Before You Install Sentry to verify the prerequisites.
-
Setting Hive Warehouse Directory Permissions
- Using the default Hive warehouse directory - Permissions on the warehouse directory must be set as follows (see following Note for caveats):
- 771 on the directory itself (by default, /user/hive/warehouse)
- 771 on all subdirectories (for example, /user/hive/warehouse/mysubdir)
- All files and subdirectories should be owned by hive:hive
For example:If you have enabled Kerberos on your cluster, you must kinit as the hdfs user before you set permissions. For example:$ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse $ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
sudo -u hdfs kinit -kt <hdfs.keytab> hdfs sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse $ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
- Using a non-default Hive warehouse: If you would like to use a different directory as the Hive warehouse, update the hive.metastore.warehouse.dir property, and make sure you set the required permissions on the new directory. For example, if the new warehouse directory is /data, set the permissions as follows:
$ hdfs dfs -chown hive:hive /data $ hdfs dfs -chmod 771 /data
Note that when you update the default Hive warehouse, previously created tables will not be moved over automatically. Therefore, tables created before the update will remain at /user/hive/warehouse/<old_table>. However, after the update, any new tables created in the default location will be found at /data/<new_table>.
For Sentry/HDFS sync to work as expected, add the new warehouse URL to the list of Sentry Synchronization Path Prefixes.
- Using the default Hive warehouse directory - Permissions on the warehouse directory must be set as follows (see following Note for caveats):
- Disable impersonation for HiveServer2:
- Go to the Hive service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the HiveServer2 Enable Impersonation property or search for it by typing its name in the Search box.
- Under the HiveServer2 role group, clear the HiveServer2 Enable Impersonation property.
- Click Save Changes to commit the changes.
- Create the Sentry policy file, sentry-provider.ini, as an HDFS file.
- Enable the Hive user to submit MapReduce jobs.
- Go to the MapReduce service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the Minimum User ID for Job Submission property or search for it by typing its name in the Search box.
- Set the Minimum User ID for Job Submission property to 0 (the default is 1000).
- Click Save Changes to commit the changes.
- Repeat steps 5.a-5.d for every TaskTracker role group for the MapReduce service that is associated with Hive, if more than one exists.
- Restart the MapReduce service.
- Enable the Hive user to submit YARN jobs.
- Go to the YARN service.
- Click the Configuration tab.
- Select .
- Select .
- Ensure the Allowed System Users property includes the hive user. If not, add hive.
- Click Save Changes to commit the changes.
- Repeat steps 6.a-6.d for every NodeManager role group for the YARN service that is associated with Hive, if more than one exists.
- Restart the YARN service.
- Go to the Hive service.
- Click the Configuration tab.
- Select .
- Select .
- Select Enable Sentry Authorization Using Policy Files.
- Click Save Changes to commit the changes.
- Add the Hive user group to Sentry's admin groups.
- Go to the Sentry service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the Admin Groups property and add the hive group to the list. If an end user is in one of these admin groups, that user has administrative privileges on the Sentry Server.
- Click Save Changes to commit the changes.
- Restart the cluster and HiveServer2 after changing these values, whether you use Cloudera Manager or not.
Configuring Group Access to the Hive Metastore
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
- Go to the Hive service.
- Click the Configuration tab.
- Select .
- Select .
- In the Hive Metastore Access Control and Proxy User Groups Override property, specify a list of groups whose users are allowed to access the Hive Metastore. If you do not specify "*" (wildcard), you will be warned if the groups do not include hive and impala (if the Impala service is configured) in the list of groups.
- Click Save Changes.
- Restart the Hive service.
Enabling Policy File Authorization for Impala
- Enable Sentry's policy file based authorization for Hive. For details, see Enabling Policy File Authorization for Hive.
- Go to the Cloudera Manager Admin Console and go to the Impala service.
- Click the Configuration tab.
- Select .
- Select .
- Select Enable Sentry Authorization Using Policy Files.
- Click Save Changes to commit the changes.
- Restart the Impala service.
- Add the Impala user group to Sentry's admin groups.
- Go to the Sentry service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the Admin Groups property and add the impala group to the list. If an end user is in one of these admin groups, that user has administrative privileges on the Sentry Server.
- Click Save Changes to commit the changes.
Enabling Sentry Policy File Authorization for Solr
Minimum Required Role: Full Administrator
- Ensure the following requirements are satisfied:
- Cloudera Search 1.1.1 or higher or CDH 5 or higher.
- A secure Hadoop cluster.
- Create the policy file sentry-provider.ini as an HDFS file. When you create the policy file sentry-provider.ini follow
the instructions in the Policy File section in Solr Authentication. The file must be owned by owned by the solr
user in the solr group, with perms=600. By default Cloudera Manager assumes the policy file is in the HDFS location /user/solr/sentry.
To configure the location:
- Go to the Solr service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the Sentry Global Policy File property.
- Modify the path in the Sentry Global Policy File property.
- Select Enable Sentry Authorization.
- Click Save Changes.
- Restart the Solr service.
For more details, see Configuring Sentry Authorization for Cloudera Search.
Configuring Sentry to Enable BDR Replication
Cloudera recommends the following steps when configuring Sentry and data replication is enabled.
- Group membership should be managed outside of Sentry (as OS and LDAP groups are typically managed) and replication for them also should be handled outside of Cloudera Manager.
- In Cloudera Manager, set up HDFS replication for the Sentry files of the databases that are being replicated (separately using Hive/Impala replication).
- On the source cluster:
- Use a separate Sentry policy file for every database
- Avoid placing any group or role info (except for server admin info) in the global Sentry policy file (to avoid manual replication/merging with the global file on the target cluster)
- To avoid manual fix up of URI privileges, ensure that the URIs for the data are the same on both the source and target cluster
- On the target cluster:
- In the global Sentry policy file, manually add the DB name - DB file mapping entries for the databases being replicated
- Manually copy the server admin info from the global Sentry policy file on the source to the policy on the target cluster
- For the databases being replicated, avoid adding more privileges (adding tables specific to target cluster may sometimes require adding extra privileges to allow access to those tables). If any target cluster specific privileges absolutely need to be added for a database, add them to the global Sentry policy file on the target cluster since the per database files would be overwritten periodically with source versions during scheduled replication.