New Contributor
Posts: 3
Registered: ‎01-09-2017

Enable sentry since users have access to all schemas and table objects

We are on CDH 5.7.1, Kerberos enabled. Now AD users can access the Hue editor to view database schemas and run queries on Hive / Impala.

The problem is users have access to all schemas / table objects.

Want to enable Sentry on Hive.

Question: we are using Winbind (Kerberos); can we enable Sentry? I read in the enabling Sentry article that Cloudera doesn't support Sentry on Winbind.

Will it work? Will we be able to enable Sentry? Cloudera says Winbind has security issues, and for that reason they don't support it.

Thanks a lot for the helpful info.

Cloudera Employee
Posts: 23
Registered: ‎08-13-2014

Re: Enable sentry since users have access to all schemas and table objects

Hi,
If you've successfully configured Winbind and are able to manage users on your cluster using it, then Sentry ought to work. That said, as you pointed out, it's not a supported cluster configuration. The quote below is taken from Cloudera's documentation and explains why this is the case:

"Cloudera does not support the use of Winbind in production environments. Winbind uses an inefficient approach to user/group mapping, which may lead to low performance or cluster failures as the size of the cluster, and the number of users and groups increases."

Regards,
Jim