Explorer
Posts: 15
Registered: ‎08-21-2015

Can we configure Sentry without LDAP/Kerberos

Hi All

CDH 5.4.1

We have to configure Sentry in our environment. We have to test only one thing.

If we log in as the hive user and grant permission on only one table to a Linux user, and then log in as that Linux user in the beeline client, that table should be shown in SHOW TABLES;

To check the above, do we need to configure LDAP/Kerberos for any of the services LDAP/Hive?

I have not enabled any authentication for the above two services, but I can still grant permission on the table to the Linux user, yet that user is still not able to show that table.

To check the above, do we need to configure LDAP/Kerberos for any of the services LDAP/Hive?

Permissions have been granted correctly; I have made sure of this with SHOW GRANT ROLE;

Posts: 1,567
Kudos: 289
Solutions: 240
Registered: ‎07-31-2013

Re: Can we configure Sentry without LDAP/Kerberos

Generally speaking, authorisation without authentication in CDH is pointless, as there are numerous easy ways in unsecured environments to impersonate any other user (including the hdfs admin).

However, this is still "possible", but you need to get your group setup right. HS2 and Sentry, by default, rely on local group lookups (local to the host their services run on), so ensuring via the "id" command that the group lookups are coming up OK on those hosts should be sufficient in validating that they will observe and follow the same.
Backline Customer Operations Engineer
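
The group check this reply describes, as an added example that is not part of the thread: Sentry grants roles to groups, so the Linux user has to resolve to the granted group on both the HS2 host and the Sentry host. The host names, the user `alice` and the group `analysts` are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare `id` output collected from several hosts and report
# the hosts on which the user does NOT resolve to the expected group.

# Print the group names found in one line of `id <user>` output, one per line.
# Handles group names containing spaces and a trailing SELinux " context=..." field.
groups_from_id() {
  printf '%s\n' "$1" |
    sed -n '/groups=/{s/.*groups=//;s/ context=.*//;p;}' |
    tr ',' '\n' |
    sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# Return 0 if the `id` output in $1 lists the group named in $2.
id_has_group() {
  groups_from_id "$1" | grep -Fxq -- "$2"
}

# Read "host|id-output" lines on stdin; print each host where group $1 is missing.
hosts_missing_group() {
  while IFS='|' read -r host idline; do
    [ -n "$host" ] || continue
    id_has_group "$idline" "$1" || printf '%s\n' "$host"
  done
}

# Constructed sample: the same user looked up on the HS2 host and the Sentry host.
# The Sentry host does not see the "analysts" group, so a role granted to that
# group would not apply to alice there.
SAMPLE=$(printf '%s|%s\n' \
  'hs2-host'    'uid=1001(alice) gid=1001(alice) groups=1001(alice),2001(analysts)' \
  'sentry-host' 'uid=1001(alice) gid=1001(alice) groups=1001(alice)')

# Usage against the sample:
#   printf '%s\n' "$SAMPLE" | hosts_missing_group analysts
# Usage on a live host (run on each of the HS2 and Sentry hosts):
#   printf '%s|%s\n' "$(hostname)" "$(id alice)" | hosts_missing_group analysts
```

Any host printed by `hosts_missing_group` is one where the local group lookup disagrees with the grant, which matches the symptom of a grant that shows up in SHOW GRANT ROLE but has no effect for the user.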
Contributor
Posts: 44
Registered: ‎09-14-2017

Re: Can we configure Sentry without LDAP/Kerberos

Hi, can we configure Sentry with just OpenLDAP or Active Directory as the authentication mechanism, without using Kerberos? Kerberos can be a bit tricky to set up and maintain, and anyway it's slowly getting replaced by other things like OAuth, SAML etc. Thanks.
