Configure Sqoop2 to use Sentry Authorization
As of Sentry 1.6.0, you can configure Sqoop2 to use Sentry authentication when Sentry uses the database storage model, the cluster is secure, and the cluster uses Kerberos authentication. Use these steps:
About this task
IMPORTANT This component is deprecated. Hewlett Packard
Enterprise recommends using an alternate product. For more information, see Discontinued Ecosystem Components.
Procedure
-
Add the following properties to the
sentry-site.xml
file (/opt/mapr/sentry/sentry-<version>/conf/sentry-site.xml
):<property> <name>sentry.sqoop.provider.backend</name> <value>org.apache.sentry.provider.db.generic.SentryGenericProviderBackend</value> </property> <property> <name>sentry.service.allow.connect</name> <value>mapr,sqoop</value> <description>comma separated list of users - List of users that are allowed to connect to the service (eg Hive, Impala)</description> </property>
-
Configure the following properties in the
sqoop.properties
file (/opt/mapr/sqoop/sqoop-2.0.0/server/conf/sqoop.properties
):# Authentication configuration org.apache.sqoop.security.authentication.type=KERBEROS org.apache.sqoop.security.authentication.handler=org.apache.sqoop.security.authentication.KerberosAuthenticationHandler org.apache.sqoop.security.authentication.kerberos.principal=mapr/<FQDN>@<REALM> org.apache.sqoop.security.authentication.kerberos.keytab=/opt/mapr/conf/mapr.keytab org.apache.sqoop.security.authentication.kerberos.http.principal=HTTP/<FQDN>@<REALM> org.apache.sqoop.security.authentication.kerberos.http.keytab=/opt/mapr/conf/mapr.keytab org.apache.sqoop.security.authentication.enable.doAs=true org.apache.sqoop.security.authentication.proxyuser.mapr.users=* org.apache.sqoop.security.authentication.proxyuser.mapr.groups=* org.apache.sqoop.security.authentication.proxyuser.mapr.hosts=* # Authorization configuration org.apache.sqoop.security.authorization.handler=org.apache.sentry.sqoop.authz.SentryAuthorizationHander org.apache.sqoop.security.authorization.access_controller=org.apache.sentry.sqoop.authz.SentryAccessController org.apache.sqoop.security.authorization.validator=org.apache.sentry.sqoop.authz.SentryAuthorizationValidator org.apache.sqoop.security.authorization.server_name=SqoopServer1 sentry.sqoop.site.url=file:///opt/mapr/sqoop/sqoop-2.0.0/server/conf/sqoop-sentry-site.xml
-
Copy the following JAR files from
/opt/mapr/sentry/sentry-<version>/lib
to/opt/mapr/sqoop/sqoop-2.0.0/server/webapps/sqoop/WEB-INF/lib/
. (For Sqoop 1.99.7, use/opt/mapr/sqoop/sqoop-2.0.0/server/lib/
):For Sentry Version 1.6.0
sentry-provider-db-1.6.0-incubating-mapr-1606.jar
shiro-core-1.2.1.jar
sentry-core-common-1.6.0-incubating-mapr-1606.jar
sentry-core-model-db-1.6.0-incubating-mapr-1606.jar
sentry-core-model-search-1.6.0-incubating-mapr-1606.jar
sentry-core-model-sqoop-1.6.0-incubating-mapr-1606.jar
sentry-provider-common-1.6.0-incubating-mapr-1606.jar
sentry-policy-common-1.6.0-incubating-mapr-1606.jar
libthrift-0.9.2.jar
sentry-provider-file-1.6.0-incubating-mapr-1606.jar
sentry-binding-sqoop-1.6.0-incubating-mapr-1606.jar
sentry-policy-sqoop-1.6.0-incubating-mapr-1606.jar
For Sentry Version 1.7.0
sentry-provider-db-1.7.0-mapr-1703.jar
shiro-core-1.2.3.jar
sentry-core-common-1.7.0-mapr-1703.jar
sentry-core-model-db-1.7.0-mapr-1703.jar
sentry-core-model-search-1.7.0-mapr-1703.jar
sentry-core-model-sqoop-1.7.0-mapr-1703.jar
sentry-provider-common-1.7.0-mapr-1703.jar
sentry-policy-common-1.7.0-mapr-1703.jar
libthrift-0.9.2.jar
sentry-provider-file-1.7.0-mapr-1703.jar
sentry-binding-sqoop-1.7.0-mapr-1703.jar
sentry-policy-sqoop-1.7.0-mapr-1703.jar
-
Create
sqoop-sentry-site.xml
in the/opt/mapr/sqoop/sqoop-2.0.0/server/conf/
directory. (If you use Sqoop 1.99.7, createsqoop-sentry-site.xml
in the/opt/mapr/sqoop/sqoop-2.0.0/conf
directory.) -
Add the following properties to the
sqoop-sentry-site.xml
:<property> <name>sentry.service.security.mode</name> <value>kerberos</value> </property> <property> <name>sentry.service.server.principal</name> <value>mapr/<FQDN>@<REALM></value> </property> <property> <name>sentry.service.server.keytab</name> <value>/opt/mapr/conf/mapr.keytab</value> </property> <property> <name>sentry.service.client.server.rpc-address</name> <value>localhost</value> </property> <property> <name>sentry.service.client.server.rpc-port</name> <value>8038</value> </property> <property> <name>sentry.sqoop.provider.backend</name> <value>org.apache.sentry.provider.db.generic.SentryGenericProviderBackend</value> </property> <property> <name>sentry.service.admin.group</name> <value>sqoop2,sqoop,hive,impala,solr,mapr</value> </property>
-
Start the Sqoop2 server:
maprcli node services -name sqoop2 -action start -nodes <space delimited list of nodes>