Authorization
Authorization is concerned with who or what has access to, or control over, a given resource or service. Because Hadoop combines the capabilities of multiple, previously separate IT systems into an enterprise data hub that stores and processes all of an organization's data, it requires multiple authorization controls of varying granularity. Hadoop management tools simplify setup and maintenance of these controls by:
- Tying all users to groups, which can be specified in existing LDAP or AD directories.
- Providing role-based access control for similar interaction methods, like batch and interactive SQL queries. For example, Apache Sentry permissions apply to Hive (HiveServer2) and Impala.
CDH currently provides the following forms of access control:
- Traditional POSIX-style permissions for directories and files, where each directory and file is assigned a single owner and group. Each assignment has a basic set of permissions available; file permissions are simply read, write, and execute, and directories have an additional permission to determine access to child directories.
- Extended Access Control Lists (ACLs) for HDFS that provide fine-grained control of permissions for HDFS files by allowing you to set different permissions for specific named users or named groups.
- Apache HBase uses ACLs to authorize various operations (READ, WRITE, CREATE, ADMIN) by column, column family, and column family qualifier. HBase ACLs are granted to and revoked from both users and groups.
- Role-based access control with Apache Sentry. As of Cloudera Manager 5.1.x, Sentry permissions can be configured using either policy files or the database-backed Sentry service.
  - The Sentry service is the preferred way to set up Sentry permissions. See The Sentry Service for more information.
  - For the policy file approach to configuring Sentry, see Sentry Policy File Authorization.
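The HDFS extended ACLs described above are evaluated in a fixed order (owner, named user, groups, other) and every non-owner entry is filtered by the mask, which is the usual reason a freshly granted named-user entry gives less than expected. The following is an added example, not code from the Cloudera documentation, that models that evaluation order; the user, group and ACL values are constructed for illustration.

```python
# Added example, not from the Cloudera documentation: a model of the order in
# which HDFS evaluates an extended ACL, so you can predict what a named-user
# entry such as user:alice:r-x actually grants once the mask entry applies.
# ACL entries use the same syntax that `hdfs dfs -getfacl` prints.
from typing import Dict, Set, Tuple
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_perms(s: str) -> int:
    """'r-x' -> 5 (rwx triple to its bit mask)."""
    return sum(PERM_BITS[c] for c in s if c != "-")

def parse_acl(spec: str) -> Dict[Tuple[str, str], int]:
    """'user::rwx,user:alice:r-x,group::r--,mask::r--,other::---' ->
    {(tag, name): bits}; an empty name marks the base owner/group/other entry."""
    acl = {}
    for entry in spec.split(","):
        tag, name, perms = entry.strip().split(":")
        acl[(tag, name)] = parse_perms(perms)
    return acl

def hdfs_access(acl: Dict[Tuple[str, str], int], owner: str, owning_group: str,
                user: str, groups: Set[str], want: str) -> bool:
    """True if `user` (member of `groups`) has `want` ('r', 'w' or 'x') on a
    path owned by owner:owning_group. Evaluation order: owner entry, named user
    entry, union of all matching owning-group/named-group entries, other.
    Named-user and group entries are filtered by the mask, and a user who
    matched a group entry but was denied never falls through to other."""
    need = PERM_BITS[want]
    mask = acl.get(("mask", ""), 7)  # a minimal (POSIX-only) ACL has no mask
    if user == owner:
        return bool(acl[("user", "")] & need)
    if ("user", user) in acl:
        return bool(acl[("user", user)] & mask & need)
    matched, group_bits = False, 0
    for (tag, name), bits in acl.items():
        if tag != "group":
            continue
        if (name == "" and owning_group in groups) or (name and name in groups):
            matched = True
            group_bits |= bits & mask
    if matched:
        return bool(group_bits & need)
    return bool(acl[("other", "")] & need)

if __name__ == "__main__":
    # Constructed sample: alice holds r-x and analysts rw-, but mask::r--
    # caps both at r-- (getfacl would annotate them "#effective:r--").
    acl = parse_acl("user::rwx,user:alice:r-x,group::r--,"
                    "group:analysts:rw-,mask::r--,other::---")
    print(hdfs_access(acl, "hive", "hive", "alice", {"analysts"}, "x"))  # False
```

When auditing an HDFS path, compare the `#effective:` annotations in `hdfs dfs -getfacl` output with the intended grant; a mask narrower than the named entries is a misconfiguration rather than a denial of access.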
Continue reading:
- Cloudera Manager User Roles
- Cloudera Navigator User Roles
- Enabling HDFS Extended ACLs
- The Sentry Service
- Prerequisites
- Terminologies
- Privilege Model
- User to Group Mapping
- Appendix: Authorization Privilege Model for Hive and Impala
- Installing and Upgrading the Sentry Service
- Migrating from Sentry Policy Files to the Sentry Service
- Configuring the Sentry Service
- Sentry Debugging and Failure Scenarios
- Hive SQL Syntax for Use with Sentry
- Synchronizing HDFS ACLs and Sentry Permissions
- Reporting Metrics for the Sentry Service
- Sentry Policy File Authorization
- Prerequisites
- Terminologies
- Privilege Model
- User to Group Mapping
- Policy File
- Sample Sentry Configuration Files
- Accessing Sentry-Secured Data Outside Hive/Impala
- Debugging Failed Sentry Authorization Requests
- Authorization Privilege Model for Hive and Impala
- Installing and Upgrading Sentry for Policy File Authorization
- Configuring Sentry Policy File Authorization Using Cloudera Manager
- Configuring User to Group Mappings
- Enabling URIs for Per-DB Policy Files
- Using User-Defined Functions with HiveServer2
- Enabling Policy File Authorization for Hive
- Configuring Group Access to the Hive Metastore
- Enabling Policy File Authorization for Impala
- Enabling Sentry Authorization for Solr
- Configuring Sentry to Enable BDR Replication
- Configuring Sentry Policy File Authorization Using the Command Line
- Enabling Sentry Authorization for Impala
- The Sentry Privilege Model
- Starting the impalad Daemon with Sentry Authorization Enabled
- Using Impala with the Sentry Service (CDH 5.1 or higher only)
- Using Impala with the Sentry Policy File
- Policy File Location and Format
- Examples of Policy File Rules for Security Scenarios
- A User with No Privileges
- Examples of Privileges for Administrative Users
- A User with Privileges for Specific Databases and Tables
- Privileges for Working with External Data Files
- Controlling Access at the Column Level through Views
- Separating Administrator Responsibility from Read and Write Privileges
- Using Multiple Policy Files for Different Databases
- Setting Up Schema Objects for a Secure Impala Deployment
- Privilege Model and Object Hierarchy
- Debugging Failed Sentry Authorization Requests
- Managing Sentry for Impala through Cloudera Manager
- The DEFAULT Database in a Secure Deployment
- Enabling Sentry Authorization for Search
- Roles and Collection-Level Privileges
- Users and Groups
- Setup and Configuration
- Policy File
- Sample Configuration
- Enabling Sentry in Cloudera Search for CDH 5
- Providing Document-Level Security Using Sentry
- Enabling Secure Impersonation
- Debugging Failed Sentry Authorization Requests
- Appendix: Authorization Privilege Model for Search
- Configuring HBase Authorization