Created on 01-06-2015 11:36 AM - edited 09-16-2022 02:17 AM
What alternatives are there to authorization with Hive/Impala besides Sentry?
Also, I am having difficulties setting up Sentry as a service. The following is the guide I am using: http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/sg_sentry_service_confi... The issue I run into is setting the path for "hive.sentry.conf.url" within the hive-site.xml. I am unable to find the sentry-site.xml; the closest file that I am able to find is the sentry-store-site.xml file. What is the difference between sentry-site.xml and sentry-store-site.xml?
Created 01-06-2015 12:44 PM
Created 01-06-2015 01:38 PM
Thanks for the quick response. I removed all XML properties from the "Hive Service Advanced Configuration Snippet" (hive > service-wide > advanced) and from the "HiveServer2 Advanced Configuration Snippet" (hive > hiveserver2 base group > advanced). I enabled Sentry as a dependent for Hive (hive > service-wide), disabled HiveServer2 impersonation, and configured the settings in YARN, then restarted/redeployed client configurations. Since I am not using Kerberos or LDAP at the moment (just testing role-based authorization), I added the "sentry.hive.testing.mode" XML tags into the "Sentry Service Advanced Configuration Snippet" (sentry > service-wide > advanced).
When I launch hive or beeline through the CLI I receive the following errors when trying to view/create roles.
I feel that I am still configuring something wrong here. I am doing these configurations in the cloudera-quickstart-vm-5.2.0 (would like to get Sentry working before pushing this out to our dev cluster).
Created 01-06-2015 02:17 PM
Created 01-06-2015 05:13 PM
Thanks Darren, I think I have Sentry set up correctly now. However, is it possible to grant roles to an individual user, or does a user always have to be part of a group? I received an error when I tried to do the following: "grant role super_user to user cloudera" (FAILED: SemanticException Sentry does not allow grant/revoke on: USER (state=42000,code=40000)).
Also, at what level do I add individual users to a group? Is this at the OS level or somewhere else? For example, I have user "cloudera" added in the user group and admin group within Sentry. But let's say I have another user "bob" who I want to add to this group called "cloudera". Where do I add "bob" for group cloudera?
Created 09-18-2020 02:26 AM
When Sentry is enabled, you can use the command below to revoke permission from a user:
REVOKE ROLE role_name FROM GROUP user1 ;
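
The group-based role lifecycle the thread works through, as an added example that is not part of any post above. The role `super_user` and group `cloudera` are taken from the thread; the database name `sales_db` is a hypothetical placeholder.

```sql
-- Added example (not from the thread). Run in beeline as a Sentry admin user.
-- sales_db is a hypothetical database name.

-- 1. Create the role.
CREATE ROLE super_user;

-- 2. Attach the role to a GROUP. Sentry has no user-level grant:
--    "GRANT ROLE super_user TO USER cloudera" fails with the
--    SemanticException quoted earlier in the thread.
GRANT ROLE super_user TO GROUP cloudera;

-- 3. Give the role privileges on an object.
GRANT ALL ON DATABASE sales_db TO ROLE super_user;

-- 4. Verify what was granted, by group and by role.
SHOW ROLE GRANT GROUP cloudera;
SHOW GRANT ROLE super_user;

-- 5. Withdraw access: remove the privilege, detach the group, drop the role.
REVOKE ALL ON DATABASE sales_db FROM ROLE super_user;
REVOKE ROLE super_user FROM GROUP cloudera;
DROP ROLE super_user;

-- Group membership is not managed by these statements: Sentry resolves a
-- user's groups through Hadoop's group mapping (OS groups by default).
```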