Support Questions

Find answers, ask questions, and share your expertise

What AD groups are required planning to enable sentry authorization


We are now planning to enable sentry user authorization via Hue.


I am a bit confused an not sure, of this question.


What Ad groups are required with enabling sentry authorization.


I am trying to find of any document that gves those details on cloudera hadoop or google not finding.


I see a document on navigator where they mentioned of these below groups: are they really Ad groups? that needed to be created.


Here are the various groups, that are required: picked up from Cloudera Navigator document:
Auditor, Read-Only, Limited Operator, Operator, Configurator, Cluster Administrator ,BDR Administrator, Navigator Administrator, User Administrator, Key Administrator, Full Administrator



Thank you very much for the helpful info.


Those are roles for Navigator. You would assign users and/or groups to those roles.

In Sentry, you create the roles,, grant privileges to a role, and attached a group to a role. Then the users in said group would have the access specified for that role.

Effectively you need at least one group but it can be any AD group by any name. You will likely need more than just one to delegate access and control.

The groups which are to be created on cloudera navigator are not really
Network Active Directory groups of domain right?

The roles you mentioned for Navigator; those do not need to be created as AD groups.

New Contributor

A new bee in this big data world ...need some help here !...Our corporate AD is being integrated with kerberized Hadoop cluster. Just wanted to validate if this is how the entire setup works.


1. I have my corporate AD Groups with their Uid and Groups attached

2. We define a cross realm trust between kerberos to Cop AD to enable Hadoop cluster to use corp AD groups

3. Create Role on Sentry and give priviledges on data objects

4. Attach the AD groups to the Sentry for atatching the users to privledges