Configure Sqoop2 to use Sentry Authorization

As of Sentry 1.6.0, you can configure Sqoop2 to use Sentry authentication when Sentry uses the database storage model, the cluster is secure, and the cluster uses Kerberos authentication. Use these steps:

About this task

IMPORTANT This component is deprecated. Hewlett Packard Enterprise recommends using an alternate product. For more information, see Discontinued Ecosystem Components.

Procedure

  1. Add the following properties to the sentry-site.xml file (/opt/mapr/sentry/sentry-<version>/conf/sentry-site.xml): 
    <property>
                        <name>sentry.sqoop.provider.backend</name>
                        <value>org.apache.sentry.provider.db.generic.SentryGenericProviderBackend</value>
                        </property>  
                        
                        <property>
                        <name>sentry.service.allow.connect</name>
                        <value>mapr,sqoop</value>
                        <description>comma separated list of users - List of users that are allowed to connect to the service (eg Hive, Impala)</description>
                        </property>
  2. Configure the following properties in the sqoop.properties file (/opt/mapr/sqoop/sqoop-2.0.0/server/conf/sqoop.properties): 
    # Authentication configuration
                        org.apache.sqoop.security.authentication.type=KERBEROS
                        org.apache.sqoop.security.authentication.handler=org.apache.sqoop.security.authentication.KerberosAuthenticationHandler
                        org.apache.sqoop.security.authentication.kerberos.principal=mapr/<FQDN>@<REALM>
                        org.apache.sqoop.security.authentication.kerberos.keytab=/opt/mapr/conf/mapr.keytab
                        org.apache.sqoop.security.authentication.kerberos.http.principal=HTTP/<FQDN>@<REALM>
                        org.apache.sqoop.security.authentication.kerberos.http.keytab=/opt/mapr/conf/mapr.keytab
                        org.apache.sqoop.security.authentication.enable.doAs=true
                        org.apache.sqoop.security.authentication.proxyuser.mapr.users=*
                        org.apache.sqoop.security.authentication.proxyuser.mapr.groups=*
                        org.apache.sqoop.security.authentication.proxyuser.mapr.hosts=*
                        
                        # Authorization configuration
                        org.apache.sqoop.security.authorization.handler=org.apache.sentry.sqoop.authz.SentryAuthorizationHander
                        org.apache.sqoop.security.authorization.access_controller=org.apache.sentry.sqoop.authz.SentryAccessController
                        org.apache.sqoop.security.authorization.validator=org.apache.sentry.sqoop.authz.SentryAuthorizationValidator
                        org.apache.sqoop.security.authorization.server_name=SqoopServer1
                        sentry.sqoop.site.url=file:///opt/mapr/sqoop/sqoop-2.0.0/server/conf/sqoop-sentry-site.xml
  3. Copy the following JAR files from /opt/mapr/sentry/sentry-<version>/lib to /opt/mapr/sqoop/sqoop-2.0.0/server/webapps/sqoop/WEB-INF/lib/. (For Sqoop 1.99.7, use /opt/mapr/sqoop/sqoop-2.0.0/server/lib/):

    For Sentry Version 1.6.0

    • sentry-provider-db-1.6.0-incubating-mapr-1606.jar
    • shiro-core-1.2.1.jar
    • sentry-core-common-1.6.0-incubating-mapr-1606.jar
    • sentry-core-model-db-1.6.0-incubating-mapr-1606.jar
    • sentry-core-model-search-1.6.0-incubating-mapr-1606.jar
    • sentry-core-model-sqoop-1.6.0-incubating-mapr-1606.jar
    • sentry-provider-common-1.6.0-incubating-mapr-1606.jar
    • sentry-policy-common-1.6.0-incubating-mapr-1606.jar
    • libthrift-0.9.2.jar
    • sentry-provider-file-1.6.0-incubating-mapr-1606.jar
    • sentry-binding-sqoop-1.6.0-incubating-mapr-1606.jar
    • sentry-policy-sqoop-1.6.0-incubating-mapr-1606.jar

    For Sentry Version 1.7.0

    • sentry-provider-db-1.7.0-mapr-1703.jar
    • shiro-core-1.2.3.jar
    • sentry-core-common-1.7.0-mapr-1703.jar
    • sentry-core-model-db-1.7.0-mapr-1703.jar
    • sentry-core-model-search-1.7.0-mapr-1703.jar
    • sentry-core-model-sqoop-1.7.0-mapr-1703.jar
    • sentry-provider-common-1.7.0-mapr-1703.jar
    • sentry-policy-common-1.7.0-mapr-1703.jar
    • libthrift-0.9.2.jar
    • sentry-provider-file-1.7.0-mapr-1703.jar
    • sentry-binding-sqoop-1.7.0-mapr-1703.jar
    • sentry-policy-sqoop-1.7.0-mapr-1703.jar
  4. Create sqoop-sentry-site.xml in the /opt/mapr/sqoop/sqoop-2.0.0/server/conf/ directory. (If you use Sqoop 1.99.7, create sqoop-sentry-site.xml in the /opt/mapr/sqoop/sqoop-2.0.0/conf directory.)
  5. Add the following properties to the sqoop-sentry-site.xml: 
    <property>
                        <name>sentry.service.security.mode</name>
                        <value>kerberos</value>
                        </property>
                        
                        
                        <property>
                        <name>sentry.service.server.principal</name>
                        <value>mapr/<FQDN>@<REALM></value>
                        </property>
                        
                        <property>
                        <name>sentry.service.server.keytab</name>
                        <value>/opt/mapr/conf/mapr.keytab</value>
                        </property>
                        
                        <property>
                        <name>sentry.service.client.server.rpc-address</name>
                        <value>localhost</value>
                        </property>
                        
                        <property>
                        <name>sentry.service.client.server.rpc-port</name>
                        <value>8038</value>
                        </property>
                        
                        <property>
                        <name>sentry.sqoop.provider.backend</name>
                        <value>org.apache.sentry.provider.db.generic.SentryGenericProviderBackend</value>
                        </property>
                        
                        <property>
                        <name>sentry.service.admin.group</name>
                        <value>sqoop2,sqoop,hive,impala,solr,mapr</value>
                        </property>
  6. Start the Sqoop2 server: 
    maprcli node services -name sqoop2 -action start -nodes <space delimited list of nodes>