10-07-2016 07:45 AM
We have a requirement to set column-level access in HBase using Sentry. Can someone help me with the steps to restrict unauthorized users in HBase?
12-02-2016 10:37 AM
Apache Sentry is a granular, "role-based" authorization module for Hadoop. Using Sentry we can set different privileges for SELECT, INSERT, and TRANSFORM statements and for creating and modifying schemas. But unfortunately it won't support column level controls.
Hope Apache Ranger can support column level. But to my knowledge, Sentry is suitable for Cloudera and Ranger is suitable for Hortonworks.
12-12-2016 02:15 PM
One correction to my previous comment on this topic. I have implemented Sentry in our test environment and set up roles to restrict column-level access on a Hive/Impala table, and it is working fine.
High-level steps that I've followed (Note: I tried this for Hive/Impala. Hope there might be minor changes for HBase):
1. Install Kerberos (Prerequisite for Sentry)
2. Enable Kerberos authentication for Hadoop (Prerequisite: installing Kerberos is different from enabling Kerberos for Hadoop)
3. Add Sentry Service in cluster
4. Enable Sentry service for Hive & Impala.
5. Create the necessary groups and users in the OS and match the same in Hue. You can try this manually for a few users/groups for testing purposes, and try the below once you feel comfortable: if possible, set up Access Control Lists (ACLs) for HDFS and try HDFS/Sentry synchronization.
6. Finally, log in to Hue and set up Sentry roles as needed.
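The role setup in step 6 can also be expressed as SQL through beeline or impala-shell instead of the Hue UI. The statements below are an added example, not part of the original post; the database, table, column, role and group names are constructed, and the session is assumed to run as a user in a Sentry admin group on a cluster where Sentry is already enabled for Hive and Impala.

```sql
-- Constructed names: database "sales", table "customers",
-- role "analyst_role", OS/LDAP group "analysts".
USE sales;

-- 1. Create the role and bind it to a group. Sentry grants privileges to
--    roles and roles to groups, never directly to individual users.
CREATE ROLE analyst_role;
GRANT ROLE analyst_role TO GROUP analysts;

-- 2. Grant column-level read access. Sentry column privileges exist
--    only for SELECT; INSERT and ALL remain table-level or higher.
GRANT SELECT(customer_id) ON TABLE customers TO ROLE analyst_role;
GRANT SELECT(region)      ON TABLE customers TO ROLE analyst_role;

-- 3. Review what the role can do before handing it to users.
SHOW GRANT ROLE analyst_role;

-- 4. Check as a member of "analysts":
--    allowed, touches only granted columns
SELECT customer_id, region FROM customers LIMIT 10;
--    expected to be rejected with an authorization error, because
--    SELECT * expands to columns the role was never granted
SELECT * FROM customers LIMIT 10;

-- 5. Removing access later is the mirror image of the grant.
REVOKE SELECT(region) ON TABLE customers FROM ROLE analyst_role;
```

Make sure no broader grant (for example SELECT on the whole table or database) is attached to the same group through another role, since privileges are additive and the wider grant would override the column restriction.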
12-19-2016 03:51 AM - edited 12-19-2016 03:54 AM
As far as I know Sentry is not integrated with HBase. So you can't manage authorization for HBase using Sentry.
Your only workaround would be to create a "Hive table" using the HBaseStorageHandler.
Then you would be able to manage authorization for that Hive table using Hive queries. Any access using HBase directly would not be handled by Sentry.
By the way, here is documentation on how to handle authorization in HBase (using the HBase mechanism):