Expert Contributor
Posts: 162
Registered: ‎09-29-2014

hive impersonation and sentry


HiveServer2 impersonation must be turned off. HiveServer2 impersonation lets users execute queries and access HDFS files as the connected user rather than as the super user. Access policies are applied at the file level using the HDFS permissions specified in ACLs (access control lists). Enabling HiveServer2 impersonation bypasses Sentry from the end-to-end authorization process. Specifically, although Sentry enforces access control policies on tables and views within the Hive warehouse, it does not control access to the HDFS files that underlie the tables. This means that users without Sentry permissions to tables in the warehouse may nonetheless be able to bypass Sentry authorization checks and execute jobs and queries against tables in the warehouse as long as they have permissions on the HDFS files supporting the table.


The above text is from the document. I just wonder why "Enabling HiveServer2 impersonation bypasses Sentry from the end-to-end authorization process"? Who can give some advice? Thanks.

Cloudera Employee
Posts: 624
Registered: ‎03-23-2015

Re: hive impersonation and sentry

The point of Sentry is to only allow users with specific permissions to access certain things. To do that, Sentry needs to manage everything by itself, not by end users.

This is why we need to make the Hive warehouse owned by "hive:hive" with mode 771, so that no end users can modify anything that Hive and Sentry control.

Enabling impersonation will make end users create files owned by them, which makes the "hive" user unable to manage those files/directories, and the users have direct access to them. That will break what Sentry is designed to do.

Hope above makes sense.

Cheers
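One way to check the two conditions described in the answer above (HiveServer2 impersonation off, warehouse owned by hive:hive with mode 771) from captured `hdfs dfs -ls -R` output and a hive-site.xml fragment. This is an added example, not code from the thread or from Cloudera; the listing and XML below are constructed samples, and `hive.server2.enable.doAs` is the Hive property behind the "HiveServer2 Enable Impersonation" setting.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `hdfs dfs -ls -R /user/hive/warehouse` output (not real cluster data).
# The last two entries are the situation the answer warns about: files created by end users
# under impersonation, owned by them rather than by hive:hive.
SAMPLE_LS = """\
drwxrwx--x   - hive  hive          0 2015-03-23 10:00 /user/hive/warehouse/sales.db
drwxrwx--x   - hive  hive          0 2015-03-23 10:00 /user/hive/warehouse/sales.db/orders
-rwxrwxr-x   3 alice analysts 123456 2015-03-23 10:05 /user/hive/warehouse/sales.db/orders/000000_0
drwxrwxrwx   - bob   bob           0 2015-03-23 10:06 /user/hive/warehouse/scratch.db
"""

# Constructed hive-site.xml fragment with impersonation still enabled.
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property><name>hive.metastore.warehouse.dir</name><value>/user/hive/warehouse</value></property>
</configuration>"""

# type, permissions, replication, owner, group, size, date, time, path
LS_RE = re.compile(r"^([d-])([rwxt-]{9})\s+\S+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(\S+)$")

def mode_to_octal(perm: str) -> str:
    """Convert 'rwxrwx--x' to '771' (sticky bit 't' counted as execute only)."""
    digits = []
    for i in range(0, 9, 3):
        r, w, x = perm[i:i + 3]
        digits.append(str((4 if r == "r" else 0) + (2 if w == "w" else 0) + (1 if x in "xt" else 0)))
    return "".join(digits)

def audit_warehouse(ls_output: str, owner: str = "hive", group: str = "hive") -> list:
    """Return (path, reason) pairs for entries an end user could reach directly, bypassing Sentry."""
    findings = []
    for line in ls_output.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue  # skip headers such as 'Found N items'
        _kind, perm, o, g, path = m.groups()
        if o != owner or g != group:
            findings.append((path, f"owned by {o}:{g}, expected {owner}:{group}"))
        if perm[6] == "r" or perm[7] == "w":  # 771 allows 'other' execute only
            findings.append((path, f"mode {mode_to_octal(perm)} grants other read/write"))
    return findings

def impersonation_enabled(hive_site_xml: str) -> bool:
    """True if hive.server2.enable.doAs is true; upstream Hive defaults it to true when absent."""
    root = ET.fromstring(hive_site_xml)
    for prop in root.findall("property"):
        if prop.findtext("name") == "hive.server2.enable.doAs":
            return prop.findtext("value", "").strip().lower() == "true"
    return True

if __name__ == "__main__":
    print("impersonation enabled:", impersonation_enabled(SAMPLE_HIVE_SITE))
    for path, reason in audit_warehouse(SAMPLE_LS):
        print(f"{path}: {reason}")
```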