Configuring Sentry Policy File Authorization Using the Command Line

This topic describes how to configure Sentry policy files and enable policy file authorization for unmanaged CDH services using the command line.

Configuring User to Group Mappings
- Hadoop Groups
- Local Groups
Enabling URIs for Per-DB Policy Files
Using User-Defined Functions with HiveServer2
Enabling Policy File Authorization for Hive
- Prerequisites
- Configuration Changes Required
Securing the Hive Metastore
Enabling Policy File Authorization for Impala
Enabling Sentry in Cloudera Search

Configuring User to Group Mappings

Hadoop Groups

Set the hive.sentry.provider property in sentry-site.xml.

<property>
<name>hive.sentry.provider</name>
<value>org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider</value>
</property>

Local Groups

Define local groups in the [users] section of the Policy File. For example:
```
[users]
user1 = group1, group2, group3
user2 = group2, group3
```

Modify Sentry configuration as follows:

In sentry-site.xml, set hive.sentry.provider as follows:

<property>
<name>hive.sentry.provider</name>
<value>org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider</value>
</property>

Enabling URIs for Per-DB Policy Files

The ADD JAR command does not work with HiveServer2 and the Beeline client when Beeline runs on a different host. As an alternative to ADD JAR, Hive's auxiliary paths functionality should be used as described in the following steps. Add the following string to the Java configuration options for HiveServer2 during startup.

-Dsentry.allow.uri.db.policyfile=true

Using User-Defined Functions with HiveServer2

The ADD JAR command does not work with HiveServer2 and the Beeline client when Beeline runs on a different host. As an alternative to ADD JAR, Hive's auxiliary paths functionality should be used as described in the following steps. There are some differences in the procedures for creating permanent functions and temporary functions. For detailed instructions, see User-Defined Functions (UDFs) with HiveServer2 Using the Command Line.

Enabling Policy File Authorization for Hive

Prerequisites

In addition to the Prerequisites above, make sure that the following are true:

Important: If you are going to enable HDFS/Sentry synchronization, you do not need to perform the following step to explicitly set permissions for the Hive warehouse directory. With synchronization enabled, all Hive databases and tables will automatically be owned by hive:hive, and Sentry permissions on tables are translated to HDFS ACLs for the underlying table files.

The Hive warehouse directory (/user/hive/warehouse or any path you specify as hive.metastore.warehouse.dir in your hive-site.xml) must be owned by the Hive user and group.
- Using the default Hive warehouse directory - Permissions on the warehouse directory must be set as follows (see following Note for caveats):
  - 771 on the directory itself (by default, /user/hive/warehouse)
  - 771 on all subdirectories (for example, /user/hive/warehouse/mysubdir)
  - All files and subdirectories should be owned by hive:hive
  For example:
```
$ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
$ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
```
  If you have enabled Kerberos on your cluster, you must kinit as the hdfs user before you set permissions. For example:
```
sudo -u hdfs kinit -kt <hdfs.keytab> hdfs
sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
$ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
```
- Using a non-default Hive warehouse: If you would like to use a different directory as the Hive warehouse, update the hive.metastore.warehouse.dir property, and make sure you set the required permissions on the new directory. For example, if the new warehouse directory is /data, set the permissions as follows:
```
$ hdfs dfs -chown hive:hive /data
$ hdfs dfs -chmod 771 /data
```
  Note that when you update the default Hive warehouse, previously created tables will not be moved over automatically. Therefore, tables created before the update will remain at /user/hive/warehouse/<old_table>. However, after the update, any new tables created in the default location will be found at /data/<new_table>.
  
  For Sentry/HDFS sync to work as expected, add the new warehouse URL to the list of Sentry Synchronization Path Prefixes.
Note:
- If you set hive.warehouse.subdir.inherit.perms to true in hive-site.xml, the permissions on the subdirectories will be set when you set permissions on the warehouse directory.
- If a user has access to any object in the warehouse, that user will be able to execute use default. This ensures that use default commands issued by legacy applications work when Sentry is enabled.
- The instructions described above for modifying permissions on the Hive warehouse directory override the recommendations in the Hive section of the CDH 5 Installation Guide.
HiveServer2 impersonation must be turned off.
The Hive user must be able to submit MapReduce jobs. You can ensure that this is true by setting the minimum user ID for job submission to 0. Edit the taskcontroller.cfg file and set min.user.id=0.
To enable the Hive user to submit YARN jobs, add the user hive to the allowed.system.users configuration property. Edit the container-executor.cfg file and add hive to the allowed.system.users property. For example,
```
allowed.system.users = nobody,impala,hive,hbase
```
Important:
- You must restart the cluster and HiveServer2 after changing this value, whether you use Cloudera Manager or not.
- These instructions override the instructions under Configuring MRv1 Security
- These instructions override the instructions under Configuring YARN Security
Add the Hive, Impala, and Hue groups to Sentry's admin groups. If an end user is in one of these admin groups, that user has administrative privileges on the Sentry Server.
```
<property>
  <name>sentry.service.admin.group</name>
  <value>hive,impala,hue</value>
 </property>
```

Configuration Changes Required

To enable Sentry, add the following properties to hive-site.xml:

<property>
<name>hive.server2.session.hook</name>
<value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
</property>

<property>
<name>hive.sentry.conf.url</name>
<value></value>
<description>sentry-site.xml file location</description>
</property>

<property>
<name>hive.metastore.client.impl</name>
<value>org.apache.sentry.binding.metastore.SentryHiveMetaStoreClient</value>
<description>Sets custom Hive Metastore client which Sentry uses to filter out metadata.</description>
</property>

Securing the Hive Metastore

It's important that the Hive metastore be secured. If you want to override the Kerberos prerequisite for the Hive metastore, set the sentry.hive.testing.mode property to true to allow Sentry to work with weaker authentication mechanisms. Add the following property to the HiveServer2 and Hive metastore's sentry-site.xml:

<property>
  <name>sentry.hive.testing.mode</name>
  <value>true</value>
</property>

Impala does not require this flag to be set.

You can turn on Hive metastore security using the instructions in Cloudera Security. To secure the Hive metastore; see Hive Metastore Server Security Configuration.

Enabling Policy File Authorization for Impala

First, enable Sentry's policy file based authorization for Hive. For details, see Enabling Policy File Authorization for Hive.

See Enabling Sentry Authorization for Impala for details on configuring Impala to work with Sentry policy files.

Enabling Sentry in Cloudera Search

See Enabling Solr as a Client for the Sentry Service Using the Command Line for details on enabling Sentry for Solr.

See Using Solr with the Sentry Service for details on securing Solr data.

Configuring Sentry Policy File Authorization Using Cloudera Manager

Enabling Sentry Authorization for Impala