Support Questions

cjervis · ‎09-22-2020

Hello Everyone,

Is there a way to permit SELECT only impala queries in HUE without enabling and configuring Sentry service? (maybe in OS level)

The problem with enabling Sentry is that I have to first enable Kerberos and before that renaming some of my nodes.

There is the option to enable Sentry testing mode but Cloudera does not recommend that in production environments.

Tim Armstrong · ‎09-22-2020

Sentry testing mode would be your only option that I can think of.

The problem with using Sentry without Kerberos or LDAP authentication is that it doesn't provide any real security since the client isn't authenticated. So we don't recommend in production because it provides the illusion of security but no security.

pphot · ‎09-23-2020

Thank you for your reply Tim.

Just to clarify, security-wise, are we better off with our current configuration (default), with sentry service disabled, or with sentry enabled in testing mode?

You mentioned that sentry in testing mode does not authenticate the clients, but in the documentation it is mentioned that testing mode uses weaker authentication mechanisms.

We need this in order to prevent our analysts from doing accidental writes, drops, etc. on the data.

Our cluster is in a secure isolated environment.

Cloudera Community

Support Questions

Create Select Only user in HUE / Impala without enabling Sentry