We recently installed Spark2 in our CDH 5.13.0 cluster. Our tests show that Sentry roles are not being applied.
So are you saying that we need the Sentry HMS plugin and Sentry HDFS ACL Sync enabled for Spark programs to have Sentry roles enabled?
If Sentry is enabled, the HMS plugin should already be applied, so metadata write/modification queries are already authorized no matter where they come from (Hive, Impala, Spark, etc.).
The direct HDFS access to table files that Spark requires can only be granted to the end-users if you have Sentry HDFS ACL Sync enabled, such that the ACLs are applied for all granted role groups on the HDFS level automatically, allowing normal read/write access.
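
To confirm on a given table directory that the ACL sync described above has taken effect, the following added example (not part of the thread) parses `hdfs dfs -getfacl` output and reports groups whose ACL entry lacks the bits their Sentry privilege needs. The sample output, path, group names and the privilege-to-bit mapping are constructed assumptions.

```python
import re

# Constructed sample of `hdfs dfs -getfacl <table dir>` output (not from the thread).
SAMPLE_GETFACL = """\
# file: /user/hive/warehouse/sales.db/orders
# owner: hive
# group: hive
user::rwx
group::---
group:hive:rwx\t#effective:r-x
group:analysts:r-x
group:etl:rwx\t#effective:r-x
mask::r-x
other::--x
"""

# HDFS bits each Sentry table privilege is expected to yield (assumed mapping).
NEEDED = {"SELECT": "r", "INSERT": "w", "ALL": "rw"}

ENTRY = re.compile(
    r"^(user|group|mask|other):([^:]*):([rwx-]{3})(?:\s+#effective:([rwx-]{3}))?\s*$"
)

def parse_getfacl(text):
    """Return {(type, name): perms}, using the effective perms when getfacl prints them."""
    acl = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header lines starting with '#' do not match and are skipped
            kind, name, perms, effective = m.groups()
            acl[(kind, name)] = effective or perms
    return acl

def missing_grants(getfacl_text, expected):
    """expected: {group: privilege}. Return {group: missing bits} for failing groups."""
    acl = parse_getfacl(getfacl_text)
    problems = {}
    for group, privilege in expected.items():
        perms = acl.get(("group", group), "---")  # no entry means no access
        lacking = "".join(b for b in NEEDED[privilege] if b not in perms)
        if lacking:
            problems[group] = lacking
    return problems

if __name__ == "__main__":
    # spark_users is a hypothetical group with a Sentry role but no synced ACL entry.
    grants = {"analysts": "SELECT", "etl": "ALL", "spark_users": "SELECT"}
    print(missing_grants(SAMPLE_GETFACL, grants))
```

A group that holds a Sentry role but shows up in the result has no usable HDFS-level access to the table files, which is the situation in which Spark reads fail even though metadata operations are authorized.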