
Restrict column level access through sentry

New Contributor

Hi Team,

 

We got a requirement to set column-level access in HBase by using Sentry. Can someone help me by providing the steps to restrict unauthorized users in HBase?

 

Thanks,

narasimhan

3 REPLIES

Re: Restrict column level access through sentry

Champion

Apache Sentry is a granular, "role-based" authorization module for Hadoop. Using Sentry we can set different privileges for SELECT, INSERT, and TRANSFORM statements and for creating and modifying schemas. But unfortunately it won't support column level controls.

 

Hope Apache Ranger can support column level. But to my knowledge, Sentry is suitable for Cloudera and Ranger is suitable for Hortonworks. 

 

Thanks

Kumar

Re: Restrict column level access through sentry

Champion

One correction to my previous comment on this topic. I have implemented Sentry in our test environment and set up roles to restrict column-level access on a Hive/Impala table, and it is working fine.

 

High-level steps that I've followed (Note: I tried this for Hive/Impala. Hope there might be minor changes for HBase):

 

1. Install Kerberos (Prerequisite for Sentry)
2. Enable Kerberos authentication for Hadoop (Prerequisite: installing Kerberos is different from enabling Kerberos for Hadoop)
http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_intro_kerb.html

3. Add Sentry Service in cluster
4. Enable Sentry service for Hive & Impala.
http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_sentry_service.html
5. Create the necessary groups and users in the OS and match the same with Hue. You can try this manually for a few users/groups for testing purpose...
and try the below once you feel comfortable:
If possible, set up Access Control Lists (ACLs) for HDFS and try HDFS/Sentry synchronization
http://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_hdfs_ext_acls.html#xd_583c10bf...
6. Finally, log in to Hue and set up Sentry roles as needed

 

Thanks

Kumar

Re: Restrict column level access through sentry

Super Collaborator

Hi,

 

As far as I know Sentry is not integrated with HBase. So you can't manage authorization for HBase using Sentry.

Your only workaround would be to create a "Hive table" using the HBaseStorageHandler.

 

Then you would be able to manage authorization for that hive table using Hive queries. Any access using HBase directly would not be handled by Sentry.

 

By the way, here is documentation on how to handle authorization in HBase (using the HBase mechanism):

https://www.cloudera.com/documentation/enterprise/5-8-x/topics/cdh_sg_hbase_authorization.html
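
The workaround from the last reply (a Hive table over HBase) combined with the column-level Sentry roles from the second reply, as an added example that is not part of the original thread. All table, column family, column, role and group names are hypothetical, and it assumes a Sentry release that supports column-level SELECT grants and that the statements are run by a Sentry admin user through HiveServer2.

```sql
-- Added example: every table, column, role and group name below is hypothetical.

-- 1. Expose an existing HBase table ("customers") as a Hive external table.
--    Each Hive column maps to the row key or to one family:qualifier.
CREATE EXTERNAL TABLE customers_hbase (
  rowkey STRING,
  name   STRING,
  email  STRING,
  ssn    STRING
)
STORED BY 'org.apache.hadoop.hive.hbase.HBaseStorageHandler'
WITH SERDEPROPERTIES (
  'hbase.columns.mapping' = ':key,info:name,info:email,pii:ssn'
)
TBLPROPERTIES ('hbase.table.name' = 'customers');

-- 2. Create a role and bind it to an OS/LDAP group.
--    Sentry grants privileges to roles, and roles to groups, never to users.
CREATE ROLE analyst_role;
GRANT ROLE analyst_role TO GROUP analysts;

-- 3. Grant SELECT column by column. The sensitive column (ssn) is simply
--    never granted, so there is no table-level privilege to fall back on.
GRANT SELECT(rowkey) ON TABLE customers_hbase TO ROLE analyst_role;
GRANT SELECT(name)   ON TABLE customers_hbase TO ROLE analyst_role;
GRANT SELECT(email)  ON TABLE customers_hbase TO ROLE analyst_role;

-- 4. Review what the role can do.
SHOW GRANT ROLE analyst_role;

-- 5. Check as a member of the "analysts" group:
--      SELECT name, email FROM customers_hbase;   -- allowed
--      SELECT ssn FROM customers_hbase;           -- denied by Sentry
--
-- Sentry only sees queries that go through Hive/Impala. A client that
-- talks to HBase directly bypasses these grants, so the underlying
-- "customers" table still has to be locked down with HBase's own
-- authorization, as described in the documentation linked above.
```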