Sentry
Apache Sentry is an authorization module for Hadoop that provides the granular, role-based authorization required to provide precise levels of access to authenticated users and applications. Sentry allows users to see only those objects for which they have privileges.
Storage Models
- Database storage (preferred)
- As of Sentry 1.6-1602, you can configure Sentry to use the database storage mode. With this mode, the Sentry service provides access to read and maintain privileges and roles from a database.
- File-based storage
- Privileges and roles are accessed from and maintained in a policy file
(
global-policy.ini
) which you can store on the MapR filesystem. The following diagram illustrates the architecture of the file-based storage model:
Privileges
Privileges are granted on different objects in the schema, including tables, databases, URIs and servers. The object hierarchy is set up like this, where objects inherit privileges from objects above them in the hierarchy:
Privileges and roles are specified in either a relational database (for database rule
storage) or a global-policy.ini
file (for file-based rule storage). The
following examples show a global-policy.ini
file along with the
equivalent set of privileges and roles expressed in HiveSQL syntax.
Sample global-policy.ini File
[groups]
# Assigns each Hadoop group to its set of roles
manager = analyst_role, junior_analyst_role
analyst = analyst_role
jranalyst = junior_analyst_role
customers_admin = customers_admin_role
admin = admin_role
[roles]
# The uris below define a landing pad which
# the user can use to import or export data from the system.
# Since the server runs as the user "hive," files in that directory
# must either have read/write permissions set for the group hive
# or have read/write permissions set for world.
analyst_role = server=HS2->db=analyst1, \
server=HS2->db=jranalyst1->table=*->action=select
server=HS2->uri=maprfs:/landing/analyst1
junior_analyst_role = server=HS2->db=jranalyst1, \
server=HS2->uri=maprfs:/landing/jranalyst1
# Implies everything on HS2.
admin_role = server=HS2
Known Issues
- Upgrading Sentry
- If you are upgrading from Sentry in EEP
6.3.1 or EEP 7.0.0 to Sentry in the latest
EEP version, manually back up the
/conf
and/logs
directories located in SENTRY_HOME. After the upgrade completes, add those directories back into the SENTRY_HOME directory.
- Removing Sentry
- This issue applies to Sentry in EEP 6.3.1 and EEP 7.0.0.