Managing the Sentry Service

• An object is an entity protected by Sentry's authorization rules. The objects supported in the current release are server, database, table, URI, collection, and config.
• A role is a collection of rules for accessing a given object.
• A privilege is granted to a role to govern access to an object. Sentry allows you to assign the SELECT privilege to columns (only for Hive and Impala). Supported privileges are:

  Valid privilege types and the objects they apply to

  Privilege	Object
  ALL	SERVER, TABLE, DB, URI
  CREATE	SERVER, DATABASE
  INSERT	SERVER, DB, TABLE
  REFRESH (Impala only)	SERVER, DATABASE, TABLE
  SELECT	SERVER, DB, TABLE, COLUMN

• A user is an entity that is permitted by the authentication subsystem to access the service. This entity can be a Kerberos principal, an LDAP userid, or an artifact of some other supported pluggable authentication system.
• A group connects the authentication system with the authorization system. It is a collection of one or more users who have been granted one or more authorization roles. Sentry allows a set of roles to be configured for a group.
• A configured group provider determines a user’s affiliation with a group. The current release supports HDFS-backed groups and locally configured groups.

For more information, see Authorization Privilege Model for Hive and Impala, Authorization Privilege Model for Solr, and Using Kafka with Sentry Authorization.

server=server1->db=sales->table=customer->action=Select

sales_read = server=server1->db=sales->table=customers->column=Id->action=select

sales_reporting =                                            \
server=server1->db=sales->table=customer->action=Select,     \
server=server1->db=sales->table=items->action=Select,         \
server=server1->db=reports->table=sales_insights->action=Insert

Grant permissions on URIs to create functions, alter the location of a table, explicitly set the location of a table, and to import and export from a table with that location. A user must have ALL permissions on the URI to perform the following actions:

For example, if you create the following table with an S3 location:

CREATE EXTERNAL TABLE mytesttable (firstname STRING, lastname STRING, address STRING, city STRING, state STRING) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',' LOCATION 's3a://mybucket/';

To insert data into the table, you must have ALL on the URI 's3a://mybucket' to execute the following command:

INSERT INTO TABLE mytesttable VALUES ('bilbo', 'baggends', 'bagend', 'hobbiton', 'shire');

The URI represents the HDFS path you specify as part of a GRANT statement. The URI in the statement can look like a UNIX path, but can also be prefixed with hdfs:// to clarify that it is a URI.

The following command is an example of a GRANT privilege on a URI:

GRANT ALL ON URI '/user/hive/warehouse/customers' TO ROLE t_rex

The only privilege you can grant on a URI is ALL. For details about the GRANT ALL ON URI statement, see GRANT <Privilege> ON URIs (HDFS and S3A).

URIs are not applied as HDFS ACLs. The How-To article and video, How to Verify that HDFS ACLs are Synching with Sentry, gives an example of a GRANT statement on a URI that does not affect an HDFS ACL change. For information on what does trigger an HDFS ACL change, see Prompting HDFS ACL Changes.

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Group mappings in Sentry can be summarized as in the figure below.

The Sentry service only uses HadoopUserGroup mappings. See Configuring LDAP Group Mappings for details on configuring LDAP group mappings in Hadoop.

Privileges can be granted on different objects in the Hive warehouse. Any privilege that can be granted is associated with a level in the object hierarchy. If a privilege is granted on a container object in the hierarchy, the base object automatically inherits it. For instance, if a user has ALL privileges on the database scope, then (s)he has ALL privileges on all of the base objects contained within that scope.

The tables below refer to the request handlers defined in the generated solrconfig.xml.secure. If you are not using this configuration file, the below may not apply.

admin is a special collection in Sentry used to represent administrative actions. A non-administrative request may only require privileges on the collection or config on which the request is being performed. This is called either collection1 or config1 in these tables. An administrative request may require privileges on both the admin collection and collection1. This is denoted as admin, collection1 in the tables below.