Configuring Sentry Policy File Authorization Using Cloudera Manager
This topic describes how to configure Sentry policy files and enable policy file authorization for CDH services using Cloudera Manager.
- Configuring User to Group Mappings
- Enabling URIs for Per-DB Policy Files
- Using User-Defined Functions with HiveServer2
- Enabling Policy File Authorization for Hive
- Configuring Group Access to the Hive Metastore
- Enabling Policy File Authorization for Impala
- Enabling Sentry Authorization for Solr
- Configuring Sentry to Enable BDR Replication
Configuring User to Group Mappings
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
Hadoop Groups
- Go to the Hive service.
- Click the Configuration tab.
- Under the Service-Wide category, go to the Sentry section.
- Set the Sentry User to Group Mapping Class property to org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider.
- Click Save Changes.
- Restart the Hive service.
Local Groups
- Define local groups in the [users] section of the Policy File. For example:
[users] user1 = group1, group2, group3 user2 = group2, group3
- Modify Sentry configuration as follows:
- Go to the Hive service.
- Click the Configuration tab.
- Under the Service-Wide category, go to the Sentry section.
- Set the Sentry User to Group Mapping Class property to org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider.
- Click Save Changes.
- Restart the Hive service.
Enabling URIs for Per-DB Policy Files
The ADD JAR command does not work with HiveServer2 & the Beeline client when Beeline runs on a different host. As an alternative to
ADD JAR, Hive's auxiliary paths functionality should be used as described in the following steps.
Add the following string to the Java configuration options for HiveServer2 during startup.
-Dsentry.allow.uri.db.policyfile=true
Using User-Defined Functions with HiveServer2
The ADD JAR command does not work with HiveServer2 and the Beeline client when Beeline runs on a different host. As an alternative
to ADD JAR, Hive's auxiliary paths functionality should be used as described in the following steps.
- Copy the UDF JAR file to HDFS.
- Copy the JAR file to the host on which HiveServer2 is running. Save the JARs to any directory you choose, and make a note of the path.
- In the Cloudera Manager Admin Console, go to the Hive service.
- Click the Configuration tab.
- Expand the categories
- Configure the Hive Auxiliary JARs Directory property with the HiveServer2 host path from the Step 2.
- Click Save Changes. The JARs are added to HIVE_AUX_JARS_PATH environment variable.
- Redeploy the Hive client configuration.
- In the Cloudera Manager Admin Console, go to the Hive service.
- From the Actions menu at the top right of the service page, select Deploy Client Configuration.
- Click Deploy Client Configuration.
- Restart the Hive service. If the Hive Auxiliary JARs Directory property is configured but the directory does not exist, HiveServer2 will not start.
- Grant privileges on the JAR files to the roles that require access. You can use the Hive SQL GRANT statement to do so. For example, to grant privileges on the add.jar file:
GRANT ALL ON URI 'hdfs:///tmp/add.jar' TO ROLE EXAMPLE_ROLE
- Run the CREATE FUNCTION command and point to the JAR from Hive. For example:
CREATE FUNCTION addfunc AS 'com.example.hiveserver2.udf.add' USING JAR 'hdfs:///tmp/add.jar'
Enabling Policy File Authorization for Hive
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
- Ensure the Prerequisites have been satisfied.
- The Hive warehouse directory (/user/hive/warehouse or any path you specify as hive.metastore.warehouse.dir in your
hive-site.xml) must be owned by the Hive user and group.
- Permissions on the warehouse directory must be set as follows (see following Note for caveats):
- 771 on the directory itself (for example, /user/hive/warehouse)
- 771 on all subdirectories (for example, /user/hive/warehouse/mysubdir)
- All files and subdirectories should be owned by hive:hive
For example:$ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse $ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
- Permissions on the warehouse directory must be set as follows (see following Note for caveats):
- Disable impersonation for HiveServer2:
- Go to the Hive service.
- Click the Configuration tab.
- Under the HiveServer2 role group, uncheck the HiveServer2 Enable Impersonation property, and click Save Changes.
- Create the Sentry policy file, sentry-provider.ini , as an HDFS file.
- Enable the Hive user to submit MapReduce jobs.
- Go to the MapReduce service.
- Click the Configuration tab.
- Under a TaskTracker role group go to the Security category.
- Set the Minimum User ID for Job Submission property to zero (the default is 1000) and click Save Changes.
- Repeat steps 5.a-5.d for every TaskTracker role group for the MapReduce service that is associated with Hive, if more than one exists.
- Restart the MapReduce service.
- Enable the Hive user to submit YARN jobs.
- Go to the YARN service.
- Click the Configuration tab.
- Under a NodeManager role group go to the Security category.
- Ensure the Allowed System Users property includes the hive user. If not, add hive and click Save Changes.
- Repeat steps 6.a-6.d for every NodeManager role group for the YARN service that is associated with Hive, if more than one exists.
- Restart the YARN service.
- Go to the Hive service.
- Click the Configuration tab.
- Under the Service-Wide category, go to the Policy File Based Sentry section.
- Check Enable Sentry Authorization Using Policy Files, then click Save Changes.
- You must restart the cluster and HiveServer2 after changing these values, whether you use Cloudera Manager or not.
Configuring Group Access to the Hive Metastore
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
You can configure the Hive Metastore to reject connections from users not listed in the Hive group proxy list (in HDFS). If you do not configure this override, the Hive Metastore will
use the value in the core-site HDFS configuration. To configure the Hive group proxy list:
- Go to the Hive service.
- Click the Configuration tab.
- Click the Proxy category.
- In the Hive Metastore Access Control and Proxy User Groups Override property, specify a list of groups whose users are allowed to access the Hive Metastore. If you do not specify "*" (wildcard), you will be warned if the groups do not include hive and impala (if the Impala service is configured) in the list of groups.
- Click Save Changes.
- Restart the Hive service.
Enabling Policy File Authorization for Impala
For a cluster managed by Cloudera Manager, perform the following steps to enable policy file authorization for Impala.
- Enable Sentry's policy file based authorization for Hive. For details, see Enabling Policy File Authorization for Hive.
- Go to the Cloudera Manager Admin Console and navigate to the Impala service.
- Click the Configuration tab.
- Under the Service-Wide category, go to the Policy File Based Sentry section.
- Check Enable Sentry Authorization Using Policy Files, then click Save Changes.
- Restart the Impala service.
Enabling Sentry Authorization for Solr
Minimum Required Role: Full Administrator
- Ensure the following requirements are satisfied:
- Cloudera Search 1.1.1 or higher or CDH 5 or higher.
- A secure Hadoop cluster.
- Create the policy file sentry-provider.ini as an HDFS file. When you create the policy file sentry-provider.ini follow
the instructions in the Policy File section in Configuring Sentry for Search (CDH 4) orSearch Authentication. The file must be owned by owned by the solr user in the solr group, with perms=600. By default Cloudera Manager assumes the policy file is in the HDFS location /user/solr/sentry. To configure the location:
- Go to the Solr service.
- Click the Configuration tab.
- Under the Service-Wide category, select Sentry and modify the path in the Sentry Global Policy File property.
- Click Save Changes.
- Under the Service-Wide category, go to the Policy File Based Sentry section.
- Check Enable Sentry Authorization Using Policy Files, then click Save Changes.
- Restart the Solr service.
For more details, see Enabling Sentry Authorization for Search.
Configuring Sentry to Enable BDR Replication
Cloudera recommends the following steps when configuring Sentry and data replication is enabled.
- Group membership should be managed outside of Sentry (as typically OS groups, LDAP groups, and so on are managed) and replication for them also should be handled outside of Cloudera Manager.
- In Cloudera Manager, set up HDFS replication for the Sentry files of the databases that are being replicated (separately using Hive replication).
- On the source cluster:
- Use a separate Sentry policy file for every database
- Avoid placing any group or role info (except for server admin info) in the global Sentry policy file (to avoid manual replication/merging with the global file on the target cluster)
- To avoid manual fix up of URI privileges, ensure that the URIs for the data are the same on both the source and target cluster
- On the target cluster:
- In the global Sentry policy file, manually add the DB name - DB file mapping entries for the databases being replicated
- Manually copy the server admin info from the global Sentry policy file on the source to the policy on the target cluster
- For the databases being replicated, avoid adding more privileges (adding tables specific to target cluster may sometimes require adding extra privileges to allow access to those tables). If any target cluster specific privileges absolutely need to be added for a database, add them to the global Sentry policy file on the target cluster since the per database files would be overwritten periodically with source versions during scheduled replication.