Configuring Sentry Policy File Authorization Using the Command Line
This topic describes how to configure Sentry policy files and enable policy file authorization for unmanaged CDH services using the command line.
Configuring User to Group Mappings
Hadoop Groups
To resolve a user's groups through the Hadoop group mapping (the same groups that HDFS and YARN see), set hive.sentry.provider in sentry-site.xml as follows:
<property>
  <name>hive.sentry.provider</name>
  <value>org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider</value>
</property>
Local Groups
- Define local groups in the [users] section of the Policy File. For example:
[users]
user1 = group1, group2, group3
user2 = group2, group3
- Modify Sentry configuration as follows:
In sentry-site.xml, set hive.sentry.provider as follows:
<property>
  <name>hive.sentry.provider</name>
  <value>org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider</value>
</property>
Enabling URIs for Per-DB Policy Files
By default, URI privileges are honored only in the global policy file. To allow them in per-database policy files as well, add the following to the Java options that HiveServer2 is started with:
-Dsentry.allow.uri.db.policyfile=true
Enable this deliberately: whoever controls a per-database policy file can then grant themselves URI privileges on any HDFS path the hive user can read, including data that belongs to other databases.
Using User-Defined Functions with HiveServer2
The ADD JAR command does not work with HiveServer2 and the Beeline client when Beeline runs on a different host. Use Hive's auxiliary paths functionality instead, as described in the following steps.
- On the Beeline client machine, in /etc/hive/conf/hive-site.xml, set the hive.aux.jars.path property to a comma-separated list of the fully-qualified paths to the JAR file and any dependent libraries:
<property>
  <name>hive.aux.jars.path</name>
  <value>file:/opt/local/hive/lib/my.jar</value>
</property>
- Copy the JAR file (and its dependent libraries) to the host running HiveServer2/Impala.
- On the HiveServer2/Impala host, open /etc/default/hive-server2 and set the AUX_CLASSPATH variable to a comma-separated list of the fully-qualified paths to the JAR file and any dependent libraries:
AUX_CLASSPATH=/opt/local/hive/lib/my.jar
- To use the UDF, the caller must hold a URI privilege on the location of the JAR that contains it. This requirement is also what stops users from creating functions such as reflect, which is disallowed because it lets users execute arbitrary Java code. For example, the following role in the policy file grants the privilege on the directory that holds my.jar:
udf_r = server=server1->uri=file:///opt/local/hive/lib
- Restart HiveServer2.
You should now be able to use the UDF:
CREATE TEMPORARY FUNCTION my_udf AS 'MyUDF';
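The two policy-file mechanisms used on this page, the local user-to-group mapping from the [users] section and the URI privilege that gates loading a UDF JAR, can be exercised offline with a small evaluator. The following Python is an added example, not code from this page or from Sentry itself: it re-implements the policy-file resolution chain (user to groups in [users], groups to roles in [groups], roles to privileges in [roles]) over a constructed sample policy, matches table privileges with `*` wildcards, and matches URI privileges by path prefix on a directory boundary so that a grant on `/opt/local/hive/lib` does not also cover `/opt/local/hive/libevil`. It assumes that a privilege with no explicit action grants all actions; every role, group, user, database and host name in the sample is made up.

```python
"""Offline evaluator for a Sentry policy file (added example, not Sentry's own code).

Re-implements the LocalGroupResourceAuthorizationProvider flow:
    user -> groups ([users]) -> roles ([groups]) -> privileges ([roles])
and checks a requested table action or URI against those privileges.
"""
from urllib.parse import urlparse

# Constructed sample policy file; all names are made up for the example.
SAMPLE_POLICY = """
# roles granted to each local group
[groups]
analyst = analyst_role, udf_r
etl = etl_role

[roles]
analyst_role = server=server1->db=analytics->table=*->action=select
etl_role = server=server1->db=staging
udf_r = server=server1->uri=file:///opt/local/hive/lib

# local user -> group mapping (only consulted with LocalGroupResourceAuthorizationProvider)
[users]
alice = analyst
bob = etl
"""


def parse_policy(text):
    """Parse the INI-style policy file into {section: {name: [values...]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        name, _, rhs = line.partition("=")      # split on the FIRST '=' only;
        sections[current][name.strip()] = [     # privilege specs contain more '='
            v.strip() for v in rhs.split(",") if v.strip()
        ]
    return sections


def parse_privilege(spec):
    """'server=s1->db=d->table=t->action=select' -> {'server': 's1', 'db': 'd', ...}"""
    parts = {}
    for piece in spec.split("->"):
        key, _, value = piece.partition("=")
        parts[key.strip().lower()] = value.strip()
    if "server" not in parts:
        raise ValueError(f"privilege without server scope: {spec!r}")
    return parts


def privileges_for_user(policy, user):
    """Resolve user -> groups -> roles -> privilege dicts. Unknown names resolve to nothing."""
    privs = []
    for group in policy.get("users", {}).get(user, []):
        for role in policy.get("groups", {}).get(group, []):
            privs.extend(parse_privilege(s) for s in policy.get("roles", {}).get(role, []))
    return privs


def _uri_covered(granted, requested):
    """A URI privilege covers the granted path itself and anything beneath it."""
    g, r = urlparse(granted), urlparse(requested)
    if (g.scheme, g.netloc) != (r.scheme, r.netloc):    # file:// and hdfs://nn never mix
        return False
    gpath, rpath = g.path.rstrip("/"), r.path.rstrip("/")
    return rpath == gpath or rpath.startswith(gpath + "/")   # /lib must not match /libevil


def can_access_uri(policy, user, server, uri):
    """True if some role of the user grants a URI privilege covering `uri` on `server`."""
    return any(p.get("server") == server and "uri" in p and _uri_covered(p["uri"], uri)
               for p in privileges_for_user(policy, user))


def can_access_table(policy, user, server, db, table, action):
    """True if some privilege scopes (server, db, table) and permits `action`.

    Assumption: a privilege with no explicit action grants all actions, and a
    db-level privilege with no table component covers every table in that db.
    """
    for p in privileges_for_user(policy, user):
        if p.get("server") != server or "uri" in p:
            continue
        if "db" in p and p["db"] not in ("*", db):
            continue
        if "table" in p and p["table"] not in ("*", table):
            continue
        granted = p.get("action", "all").lower()
        if granted in ("all", "*") or granted == action.lower():
            return True
    return False


POLICY = parse_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    jar = "file:///opt/local/hive/lib/my.jar"
    for user in ("alice", "bob", "carol"):
        print(user, "may load", jar, "->", can_access_uri(POLICY, user, "server1", jar))
```

Run it and only alice, who is in the analyst group that carries udf_r, is allowed to load the JAR; bob has only table privileges and carol is not in [users] at all, so both resolve to no privileges. With hive.sentry.provider set to HadoopGroupResourceAuthorizationProvider, the [users] lookup in privileges_for_user would be replaced by the Hadoop group mapping and the rest of the chain stays the same.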
Enabling Policy File Authorization for Hive
Prerequisites
In addition to the Prerequisites above, make sure that the following are true:
- The Hive warehouse directory (/user/hive/warehouse or any path you specify as hive.metastore.warehouse.dir in your hive-site.xml) must be owned by the Hive user and group.
- Permissions on the warehouse directory must be set as follows (see following Note for caveats):
- 771 on the directory itself (for example, /user/hive/warehouse)
- 771 on all subdirectories (for example, /user/hive/warehouse/mysubdir)
- All files and subdirectories should be owned by hive:hive
For example:
$ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
$ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
- HiveServer2 impersonation must be turned off (hive.server2.enable.doAs=false). With impersonation on, HiveServer2 would access HDFS as the connecting user rather than as hive, which conflicts with the hive-only ownership and permissions required above.
- The Hive user must be able to submit MapReduce jobs. On MRv1 with the LinuxTaskController, you can ensure this by setting the minimum user ID for job submission to 0: edit the taskcontroller.cfg file and set min.user.id=0.
- To enable the Hive user to submit YARN jobs under the LinuxContainerExecutor, add the user hive to the allowed.system.users property in the container-executor.cfg file. For example:
allowed.system.users = nobody,impala,hive
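An added example, not from this page or from Cloudera: the warehouse ownership and permission rules above can be audited from the output of `sudo -u hdfs hdfs dfs -ls -R /user/hive/warehouse` before Sentry is switched on, and the findings turned into the exact chown/chmod commands needed to fix them. The listing below is constructed; its paths, users and dates are made up, and the script assumes the standard `hdfs dfs -ls` column layout (permissions, replication, owner, group, size, date, time, path).

```python
"""Audit a Hive warehouse listing against the Sentry prerequisites (added example).

Input: the text printed by `sudo -u hdfs hdfs dfs -ls -R /user/hive/warehouse`.
Rules checked: every entry owned by hive:hive, every directory mode 771 (rwxrwx--x).
"""

EXPECTED_OWNER = ("hive", "hive")
DIR_MODE = "rwxrwx--x"   # 771

# Constructed listing in `hdfs dfs -ls -R` format; paths, users and dates are made up.
SAMPLE_LISTING = """\
drwxrwx--x   - hive  hive          0 2016-01-04 09:12 /user/hive/warehouse/sales
-rw-r--r--   3 hive  hive      40960 2016-01-04 09:15 /user/hive/warehouse/sales/000000_0
drwxrwxrwx   - hive  hive          0 2016-01-05 11:02 /user/hive/warehouse/scratch
drwxrwx--x   - alice alice         0 2016-01-05 11:30 /user/hive/warehouse/alice_db.db
-rw-rw-r--   3 alice alice       512 2016-01-05 11:31 /user/hive/warehouse/alice_db.db/t1/000000_0
"""


def parse_listing(text):
    """Turn `hdfs dfs -ls` lines into dicts; skips blank lines and the 'Found N items' header."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Found "):
            continue
        fields = line.split(None, 7)   # perms repl owner group size date time path
        if len(fields) != 8:
            raise ValueError(f"unexpected ls line: {line!r}")
        perms, _repl, owner, group, _size, _date, _time, path = fields
        entries.append({
            "type": perms[0],            # 'd' for a directory, '-' for a file
            "mode": perms[1:10],         # a trailing '+' (HDFS ACL marker) is dropped here
            "owner": owner,
            "group": group,
            "path": path,
        })
    return entries


def audit_warehouse(entries):
    """Return [(path, problem)] for every entry that violates the prerequisites."""
    findings = []
    for e in entries:
        if (e["owner"], e["group"]) != EXPECTED_OWNER:
            findings.append((e["path"], f"owned by {e['owner']}:{e['group']}, expected hive:hive"))
        if e["type"] == "d" and e["mode"] != DIR_MODE:
            findings.append((e["path"], f"directory mode {e['mode']}, expected {DIR_MODE} (771)"))
    return findings


def remediation_commands(findings):
    """Map each finding to the chown/chmod command from the procedure above."""
    cmds = []
    for path, problem in findings:
        if problem.startswith("owned by"):
            cmds.append(f"sudo -u hdfs hdfs dfs -chown hive:hive {path}")
        elif problem.startswith("directory mode"):
            cmds.append(f"sudo -u hdfs hdfs dfs -chmod 771 {path}")
    return cmds


if __name__ == "__main__":
    found = audit_warehouse(parse_listing(SAMPLE_LISTING))
    for path, problem in found:
        print(f"{path}: {problem}")
    print("\n".join(remediation_commands(found)))
```

On the sample listing the audit flags the world-writable scratch directory and the two entries owned by alice; the sales table is clean. Pipe a real listing in with `sudo -u hdfs hdfs dfs -ls -R /user/hive/warehouse | python3 audit.py` after replacing SAMPLE_LISTING with sys.stdin.read(), and review the generated commands before running them, since the recursive chown/chmod in the procedure above will also rewrite anything a user dropped into the warehouse.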
Configuration Changes Required
Add the following properties to hive-site.xml on the HiveServer2 host:
<property>
  <name>hive.server2.session.hook</name>
  <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
</property>
<property>
  <name>hive.sentry.conf.url</name>
  <value></value>
  <description>sentry-site.xml file location</description>
</property>
<property>
  <name>hive.metastore.client.impl</name>
  <value>org.apache.sentry.binding.metastore.SentryHiveMetaStoreClient</value>
  <description>Sets custom Hive Metastore client which Sentry uses to filter out metadata.</description>
</property>
Securing the Hive Metastore
Sentry expects the Hive metastore to be secured with Kerberos. To run without that prerequisite in a test environment, set sentry.hive.testing.mode to true in the sentry-site.xml used by HiveServer2 and the Hive metastore. Do not leave this enabled in production: it lets Sentry operate over weaker authentication.
<property>
  <name>sentry.hive.testing.mode</name>
  <value>true</value>
</property>
Impala does not require this flag to be set.
- To secure the Hive metastore; see Hive Metastore Server Security Configuration.
- In addition, allow access to the metastore only from the HiveServer2 server (see "Securing the Hive Metastore" under HiveServer2 Security Configuration) and then disable local access to the HiveServer2 server.
Enabling Policy File Authorization for Impala
First, enable Sentry's policy file based authorization for Hive. For details, see Enabling Policy File Authorization for Hive.
See Enabling Sentry Authorization for Impala for details on configuring Impala to work with Sentry policy files.
Enabling Sentry in Cloudera Search
See Enabling Sentry in Cloudera Search for CDH 5 for details on securing Cloudera Search with Sentry.