Role based authorization

Contributor

Hi,

What alternatives are there to authorization with hive/impala besides sentry?

Also, I am having difficulties setting up sentry as a service. The following is the guide I am using: http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/sg_sentry_service_confi... The issue I run into is setting the path for "hive.sentry.conf.url" within the hive-site.xml. I am unable to find the sentry-site.xml; the closest file that I am able to find is the sentry-store-site.xml file. What is the difference between sentry-site.xml and sentry-store-site.xml?

Thanks


Hi Jy,

I'm not aware of viable alternatives to Sentry.

Please ignore the section called "Configuring HiveServer2 for the Sentry Service" on that page. Also ignore "Configuring the Hive Metastore for the Sentry Service". Basically you should stop after the subsection "Enabling the Sentry service for Hive". Cloudera Manager will automatically configure HS2 and Hive Metastore Server to talk to sentry once you configure the Sentry Service as a dependency of Hive. I'll get that doc page clarified.

If you're using Impala, you also need to configure Impala to use Sentry (see "Enabling the Sentry Service for Impala"), but can ignore the section "Configuring Impala as a Client for the Sentry Service" since Cloudera Manager will do that for you automatically.

In general, to add arbitrary configuration to a file you need to use an Advanced Configuration Snippet for the correct file and role. See here for more information:
http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_mc_config_snippet.ht...

Thanks,
Darren

Contributor

Thanks for the quick response. I removed all xml properties from the "Hive Service Advanced Configuration Snippet" (hive > service-wide > advanced) and from the "HiveServer2 Advanced Configuration Snippet" (hive > hiveserver2 base group > advanced). I enabled sentry as a dependent for hive (hive > service-wide), disabled hiveserver2 impersonation, and configured the settings in YARN, then restarted/redeployed client configurations. Since I am not using kerberos or ldap at the moment (just testing role based authorization) I added the "sentry.hive.testing.mode" xml tags into the "Sentry Service Advanced Configuration Snippet" (sentry > service-wide > advanced).

When I launch hive or beeline through the CLI I receive the following errors when trying to view/create roles.

Capture.JPG

Capture.JPG

I feel that I am still configuring something wrong here. I am doing these configurations in the cloudera-quickstart-vm-5.2.0 (would like to get sentry working before pushing this out to our dev cluster).

Thanks

Hi Jy,

Unfortunately I can't see your images.

It sounds like you're doing the right things, though I didn't see the step to change HDFS permissions for the hive warehouse directory.

Make sure that you're using a Sentry superuser to work with roles, otherwise you'll get permission errors. See the "Admin Groups" config in Sentry for who is allowed to issue admin commands.

You'll need to use beeline to interact with the roles, not the old hive CLI.

Thanks,
Darren

Contributor

Thanks Darren, I think I have sentry set up correctly now. However, is it possible to grant roles to an individual user? Or does a user always have to be part of a group? I received an error when I tried to do the following: "grant role super_user to user cloudera" (FAILED: SemanticException Sentry does not allow grant/revoke on: USER (state=42000,code=40000)).

Also, at what level do I add individual users to a group? Is this at the OS level or somewhere else? For example, I have user "cloudera" added in the user group and admin group within sentry. But let's say I have another user "bob" who I want to add to this group called "cloudera"; where do I add "bob" for group cloudera?

Thanks

Hi Jy,

Sentry only works on groups. You can always define a new group that just contains a single user to work around this. This is commonly (maybe always) defined for you already, so you might be able to just replace "user" with "group" and get that statement to do the logically equivalent thing.

Group management is configurable and is commonly either shell-based or LDAP-based. You can find it in HDFS configuration under the name "Hadoop User Group Mapping Implementation". If it is shell-based (the default), then you need to make it so your operating system recognizes the correct group membership for your users via standard OS user administration commands.

Thanks,
Darren
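To make the two points in Darren's answer concrete (roles are granted to groups only, and group membership comes from Hadoop's group mapping rather than from Sentry), here is a small Python model added to this thread. It is illustrative code, not Sentry or Cloudera code: the `OS_GROUPS` mapping stands in for what the shell-based group mapping would return from the host, `ADMIN_GROUPS` is a constructed value for the "Admin Groups" setting, and `SentryModel`, `to_group_statement` and `add_os_group_member` are names chosen here for the example. The only literal taken from the thread is the error text for a grant on a USER principal.

```python
"""Toy model of Sentry's group-only role grants (added example, not Sentry code).

It illustrates the accepted answer above:
  * Sentry grants and revokes roles on GROUPs only; a GRANT ... TO USER fails.
  * Which groups a user belongs to is decided outside Sentry by Hadoop's
    group mapping, which by default is shell-based (effectively `id -Gn user`
    on the HiveServer2 host), so users are added to groups at the OS level.
  * Only members of the configured "Admin Groups" may issue role commands.
The OS_GROUPS and ADMIN_GROUPS values below are constructed sample data.
"""
import re

# Constructed stand-in for the shell-based Hadoop group mapping (id -Gn <user>).
OS_GROUPS = {
    "cloudera": ["cloudera", "admin"],
    "bob": ["bob"],
}

# Constructed value for Sentry's "Admin Groups" setting.
ADMIN_GROUPS = {"admin"}

# Error text quoted in the thread for a grant/revoke on a USER principal.
USER_PRINCIPAL_ERROR = (
    "FAILED: SemanticException Sentry does not allow grant/revoke on: USER "
    "(state=42000,code=40000)"
)

_STMT_RE = re.compile(
    r"^\s*(GRANT|REVOKE)\s+ROLE\s+(\w+)\s+(?:TO|FROM)\s+(USER|GROUP)\s+(\w+)\s*;?\s*$",
    re.IGNORECASE,
)


def to_group_statement(statement):
    """Rewrite 'TO/FROM USER x' into 'TO/FROM GROUP x' (the workaround from the
    answer). It is equivalent only when a group named after the user exists and
    contains just that user, which is the usual one-user private group."""
    m = _STMT_RE.match(statement)
    if not m:
        raise ValueError("not a GRANT/REVOKE ROLE statement: %r" % statement)
    verb, role, _principal, name = m.groups()
    keyword = "TO" if verb.upper() == "GRANT" else "FROM"
    return "%s ROLE %s %s GROUP %s;" % (verb.upper(), role, keyword, name)


class SentryModel:
    def __init__(self, group_mapping, admin_groups):
        # user -> list of OS groups (copied), role -> set of groups holding it
        self.group_mapping = {u: list(g) for u, g in group_mapping.items()}
        self.admin_groups = set(admin_groups)
        self.role_groups = {}

    def add_os_group_member(self, user, group):
        """Model of the OS-level change (e.g. usermod -aG) that Sentry picks up
        through the group mapping; Sentry itself keeps no user-to-group table."""
        groups = self.group_mapping.setdefault(user, [])
        if group not in groups:
            groups.append(group)

    def groups_of(self, user):
        return set(self.group_mapping.get(user, []))

    def is_admin(self, user):
        return bool(self.groups_of(user) & self.admin_groups)

    def roles_of(self, user):
        """Roles a user holds: every role granted to any of the user's groups."""
        groups = self.groups_of(user)
        return {r for r, gs in self.role_groups.items() if gs & groups}

    def execute(self, user, statement):
        """Run a GRANT/REVOKE ROLE statement as `user`; returns a status string."""
        if not self.is_admin(user):
            return "Error: %s is not in a Sentry admin group" % user
        m = _STMT_RE.match(statement)
        if not m:
            return "Error: unsupported statement"
        verb, role, principal, name = m.groups()
        if principal.upper() == "USER":
            return USER_PRINCIPAL_ERROR
        holders = self.role_groups.setdefault(role, set())
        if verb.upper() == "GRANT":
            holders.add(name)
        else:
            holders.discard(name)
        return "OK"


if __name__ == "__main__":
    sentry = SentryModel(OS_GROUPS, ADMIN_GROUPS)
    print(sentry.execute("cloudera", "grant role super_user to user cloudera"))
    print(sentry.execute("cloudera", to_group_statement("grant role super_user to user cloudera")))
    print(sorted(sentry.roles_of("cloudera")), sorted(sentry.roles_of("bob")))
    sentry.add_os_group_member("bob", "cloudera")  # the OS-level step for "bob"
    print(sorted(sentry.roles_of("bob")))
```

Running it shows the sequence from the thread: the USER grant is rejected, the same statement rewritten to GROUP succeeds, `cloudera` gets the role through its private group, and `bob` only gets it once he is added to the `cloudera` group at the OS level, with no change inside Sentry.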

New Contributor

Hi

Thanks a lot;

When Sentry is enabled you can use the command below to revoke a permission from a user:

REVOKE ROLE role_name FROM GROUP user1 ;