Configuring Authorization
Authorization is concerned with who or what has access to, or control over, a given resource or service. Because Hadoop, as an enterprise data hub that stores and works on all data within an organization, merges the capabilities of multiple varied and previously separate IT systems, it requires multiple authorization controls with varying granularities. In such cases, Hadoop management tools simplify setup and maintenance by:
- Tying all users to groups, which can be specified in existing LDAP or AD directories.
- Providing role-based access control for similar interaction methods, like batch and interactive SQL queries. For example, Apache Sentry permissions apply to Hive (HiveServer2) and Impala.
CDH currently provides the following forms of access control:
- Traditional POSIX-style permissions for directories and files, where each directory and file is assigned a single owner and group. Each assignment has a basic set of permissions available; file permissions are simply read, write, and execute, and directories have an additional permission to determine access to child directories.
- Extended Access Control Lists (ACLs) for HDFS that provide fine-grained control of permissions for HDFS files by allowing you to set different permissions for specific named users or named groups.
- Apache HBase uses ACLs to authorize various operations (READ, WRITE, CREATE, ADMIN) by column, column family, and column family qualifier. HBase ACLs can be granted to and revoked from both users and groups.
- Role-based access control with Apache Sentry. As of Cloudera Manager 5.1.x, Sentry permissions can be configured using either policy files or the database-backed Sentry service.
- The Sentry service is the preferred way to set up Sentry permissions. See The Sentry Service for more information.
- For the policy file approach to configuring Sentry, see Sentry Policy File Authorization.
Continue reading:
- Cloudera Manager User Roles
- Cloudera Navigator Data Management Component User Roles
- HDFS Extended ACLs
- Configuring LDAP Group Mappings
- Authorization With Apache Sentry
- Architecture Overview
- Sentry Integration with the Hadoop Ecosystem
- The Sentry Service
- Prerequisites
- Terminologies
- Privilege Model
- User to Group Mapping
- Appendix: Authorization Privilege Model for Hive and Impala
- Installing and Upgrading the Sentry Service
- Migrating from Sentry Policy Files to the Sentry Service
- Configuring the Sentry Service
- Sentry Debugging and Failure Scenarios
- Hive SQL Syntax for Use with Sentry
- Column-level Authorization
- CREATE ROLE Statement
- DROP ROLE Statement
- GRANT ROLE Statement
- REVOKE ROLE Statement
- GRANT <Privilege> Statement
- GRANT <Privilege> ON URIs (HDFS and S3A)
- REVOKE <Privilege> Statement
- GRANT <Privilege> ... WITH GRANT OPTION
- SET ROLE Statement
- SHOW Statement
- Example: Using Grant/Revoke Statements to Match an Existing Policy File
- Synchronizing HDFS ACLs and Sentry Permissions
- Using the Sentry Web Server
- Sentry Policy File Authorization
- Prerequisites
- Terminologies
- Privilege Model
- User to Group Mapping
- Policy File
- Sample Sentry Configuration Files
- Accessing Sentry-Secured Data Outside Hive/Impala
- Debugging Failed Sentry Authorization Requests
- Authorization Privilege Model for Hive and Impala
- Installing and Upgrading Sentry for Policy File Authorization
- Configuring Sentry Policy File Authorization Using Cloudera Manager
- Configuring User to Group Mappings
- Enabling URIs for Per-DB Policy Files
- Using User-Defined Functions with HiveServer2
- Enabling Policy File Authorization for Hive
- Configuring Group Access to the Hive Metastore
- Enabling Policy File Authorization for Impala
- Enabling Sentry Authorization for Solr
- Configuring Sentry to Enable BDR Replication
- Configuring Sentry Policy File Authorization Using the Command Line
- Enabling Sentry Authorization for Impala
- The Sentry Privilege Model
- Starting the impalad Daemon with Sentry Authorization Enabled
- Using Impala with the Sentry Service (CDH 5.1 or higher only)
- Using Impala with the Sentry Policy File
- Setting Up Schema Objects for a Secure Impala Deployment
- Privilege Model and Object Hierarchy
- Debugging Failed Sentry Authorization Requests
- Managing Sentry for Impala through Cloudera Manager
- The DEFAULT Database in a Secure Deployment
- Enabling Sentry Authorization for Search using the Command Line
- Using Roles and Privileges with Sentry
- Using Users and Groups with Sentry
- Using Policy Files with Sentry
- Sample Sentry Configuration
- Enabling Sentry in Cloudera Search for CDH 5
- Providing Document-Level Security Using Sentry
- Enabling Secure Impersonation
- Debugging Failed Sentry Authorization Requests
- Appendix: Authorization Privilege Model for Search
- Configuring HBase Authorization