Restrict column level access through sentry

Hi Team,

We got a requirement to set column-level access in HBase by using Sentry. Can someone help me by providing the steps to restrict unauthorized users in HBase?

Thanks,

narasimhan


Re: Restrict column level access through sentry

Apache Sentry is a granular, "role-based" authorization module for Hadoop. Using Sentry we can set different privileges for SELECT, INSERT, and TRANSFORM statements and for creating and modifying schemas. But unfortunately it won't support column level controls.

Hope Apache Ranger can support column level. But to my knowledge, Sentry is suitable for Cloudera and Ranger is suitable for Hortonworks.

Thanks

Kumar


Re: Restrict column level access through sentry

One correction to my previous comment on this topic. I have implemented Sentry in our test environment and set up roles to restrict column level access on a Hive/Impala table and it is working fine.

High-level steps that I've followed (Note: I tried this for Hive/Impala. Hope there might be minor changes for HBase):

1. Install Kerberos (Prerequisite for Sentry)
2. Enable Kerberos authentication for Hadoop (Prerequisite: Kerberos installation is different from enabling Kerberos for Hadoop)
http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_intro_kerb.html
3. Add the Sentry service in the cluster
4. Enable the Sentry service for Hive & Impala.
http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_sentry_service.html
5. Create the necessary groups and users in the OS and match the same with Hue. You can try this manually for a few users/groups for testing purposes...

and try the below once you feel comfortable:
If possible, set up Access Control Lists (ACLs) for HDFS and try HDFS/Sentry synchronization
http://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_hdfs_ext_acls.html#xd_583c10bf...
6. Finally, log in to Hue and set up Sentry roles as needed

Thanks

Kumar


Re: Restrict column level access through sentry

Hi,

As far as I know Sentry is not integrated with HBase. So you can't manage authorization for HBase using Sentry.

Your only workaround would be to create a "Hive table" using the HBaseStorageHandler.

Then you would be able to manage authorization for that Hive table using Hive queries. Any access using HBase directly would not be handled by Sentry.

By the way, here is the documentation on how to handle authorization in HBase (using the HBase mechanism):

https://www.cloudera.com/documentation/enterprise/5-8-x/topics/cdh_sg_hbase_authorization.html
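
The workaround from the last reply combined with the column-level Sentry roles mentioned in the earlier reply, as an added example that is not part of any post in this thread. The HBase table `customers`, column family `info`, Hive table `customers_hbase`, role `analyst_role` and OS group `analysts` are constructed names; the statements assume a Kerberized cluster with the Sentry service enabled for Hive and are run in Beeline by a Sentry admin user.

```sql
-- Constructed example: expose an existing HBase table to Hive so that
-- Sentry can authorize access to it through HiveServer2 / Impala.
-- Assumed HBase layout: table 'customers', column family 'info'.
CREATE EXTERNAL TABLE customers_hbase (
  rowkey STRING,
  name   STRING,
  city   STRING,
  ssn    STRING          -- sensitive column, not granted below
)
STORED BY 'org.apache.hadoop.hive.hbase.HBaseStorageHandler'
WITH SERDEPROPERTIES (
  "hbase.columns.mapping" = ":key,info:name,info:city,info:ssn"
)
TBLPROPERTIES ("hbase.table.name" = "customers");

-- Sentry roles are granted to groups, not to individual users.
-- 'analysts' is an assumed OS/LDAP group that also exists in Hue.
CREATE ROLE analyst_role;
GRANT ROLE analyst_role TO GROUP analysts;

-- Column-level privilege: SELECT only, one grant per permitted column.
-- No grant is issued for 'ssn', so members of 'analysts' cannot read it.
GRANT SELECT(rowkey) ON TABLE customers_hbase TO ROLE analyst_role;
GRANT SELECT(name)   ON TABLE customers_hbase TO ROLE analyst_role;
GRANT SELECT(city)   ON TABLE customers_hbase TO ROLE analyst_role;

-- Check what the role can do.
SHOW GRANT ROLE analyst_role;

-- As a member of 'analysts':
--   SELECT rowkey, name, city FROM customers_hbase;  -- allowed
--   SELECT ssn FROM customers_hbase;                 -- rejected by Sentry
--   SELECT * FROM customers_hbase;                   -- rejected (includes ssn)

-- Sentry only sees requests that go through Hive or Impala. Clients that
-- talk to HBase directly (hbase shell, Java API, REST/Thrift gateways)
-- bypass these grants, so the 'customers' table itself still has to be
-- locked down with HBase's own authorization (see the link above).
```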