Sentry

IMPORTANT: This component is deprecated. Hewlett Packard Enterprise recommends using an alternate product. For more information, see Discontinued Ecosystem Components.
IMPORTANT: MapR officially supports Sentry with Impala, Hive, Sqoop2, and Hue if you purchase Impala support and configure Impala to use Sentry.

Apache Sentry is an authorization module for Hadoop that provides the granular, role-based authorization required to provide precise levels of access to authenticated users and applications. Sentry allows users to see only those objects for which they have privileges.

Storage Models

Sentry supports two models for storing policy rules:
Database storage (preferred)
As of Sentry 1.6-1602, you can configure Sentry to use the database storage mode. With this mode, the Sentry service provides access to read and maintain privileges and roles from a database.
File-based storage
Privileges and roles are accessed from and maintained in a policy file (global-policy.ini) which you can store on the MapR filesystem. The following diagram illustrates the architecture of the file-based storage model:


Privileges

Privileges are granted on different objects in the schema, including tables, databases, URIs and servers. The object hierarchy is set up like this, where objects inherit privileges from objects above them in the hierarchy:



Privileges and roles are specified in either a relational database (for database rule storage) or a global-policy.ini file (for file-based rule storage). The following examples show a global-policy.ini file along with the equivalent set of privileges and roles expressed in HiveSQL syntax.

Sample global-policy.ini File

    [groups]
    # Assigns each Hadoop group to its set of roles
    manager = analyst_role, junior_analyst_role
    analyst = analyst_role
    jranalyst = junior_analyst_role
    customers_admin = customers_admin_role
    admin = admin_role

    [roles]
    # The URIs below define a landing pad which
    # the user can use to import or export data from the system.
    # Since the server runs as the user "hive", files in that directory
    # must either have read/write permissions set for the group hive
    # or have read/write permissions set for world.
    analyst_role = server=HS2->db=analyst1, \
        server=HS2->db=jranalyst1->table=*->action=select, \
        server=HS2->uri=maprfs:/landing/analyst1
    junior_analyst_role = server=HS2->db=jranalyst1, \
        server=HS2->uri=maprfs:/landing/jranalyst1

    # Implies everything on HS2.
    admin_role = server=HS2
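
The following is an added example, not part of the original page or of Sentry itself: a small Python audit of a policy file in the format above. It resolves a Hadoop group to its roles and privileges, and reports roles that a group references but [roles] never defines (customers_admin_role in the sample). The function names, the embedded policy text, and the matching rule (a simplified reading of the inheritance described under Privileges, with path-boundary prefix matching for URIs) are assumptions made for illustration.

```python
import re

# Constructed sample in the page's global-policy.ini format.
SAMPLE = r"""
[groups]
manager = analyst_role, junior_analyst_role
analyst = analyst_role
jranalyst = junior_analyst_role
customers_admin = customers_admin_role
admin = admin_role
[roles]
analyst_role = server=HS2->db=analyst1, \
    server=HS2->db=jranalyst1->table=*->action=select, \
    server=HS2->uri=maprfs:/landing/analyst1
junior_analyst_role = server=HS2->db=jranalyst1, \
    server=HS2->uri=maprfs:/landing/jranalyst1
admin_role = server=HS2
"""

def parse_policy(text):
    """Return {section: {name: [comma-separated items]}} for [groups]/[roles]."""
    text = re.sub(r"\\[ \t]*\n", " ", text)  # join backslash continuations
    policy, section = {"groups": {}, "roles": {}}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[] ")
        elif line and not line.startswith("#"):
            name, _, value = line.partition("=")
            items = [v.strip() for v in value.split(",") if v.strip()]
            policy.setdefault(section, {})[name.strip()] = items
    return policy

def implies(privilege, request):
    """Assumed, simplified rule: every level the privilege names must match
    the request; levels it omits are inherited by the objects below it."""
    req = dict(p.split("=", 1) for p in request.split("->"))
    for key, want in (p.split("=", 1) for p in privilege.split("->")):
        have = req.get(key)
        if want not in ("*", "all") and have != want and not (
                key == "uri" and have and have.startswith(want.rstrip("/") + "/")):
            return False
    return True

def audit(policy, group, request):
    """Return (allowed, roles the group references that [roles] never defines)."""
    roles, defined = policy["groups"].get(group, []), policy["roles"]
    grants = [p for r in roles for p in defined.get(r, [])]
    undefined = [r for r in roles if r not in defined]
    return any(implies(p, request) for p in grants), undefined
```

A group whose only role is undefined ends up with no privileges at all, which is worth catching before a policy file is deployed.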

Known Issues

Upgrading Sentry
If you are upgrading from Sentry in EEP 6.3.1 or EEP 7.0.0 to Sentry in the latest EEP version, manually back up the /conf and /logs directories located in SENTRY_HOME. After the upgrade completes, add those directories back into the SENTRY_HOME directory.
You can see the /conf and /logs directories listed in the Sentry installation directory, as shown:
ll /opt/mapr/sentry/sentry-1.7.0
total 76
drwxr-xr-x 2 mapr mapr  4096 Jan  5 13:34 bin
-rw-r--r-- 1 mapr mapr 15211 Jan  5 10:26 CHANGELOG.txt
drwxr-xr-x 2 mapr mapr  4096 Jan  5 13:34 conf
drwxr-xr-x 2 mapr mapr  4096 Jan  5 13:34 conf.d
drwxr-xr-x 2 mapr mapr  4096 Jan  5 13:34 conf.new
drwxr-xr-x 4 mapr mapr 12288 Jan  5 13:34 lib
-rw-r--r-- 1 mapr mapr 16000 Jan  5 10:26 LICENSE.txt
drwxr-xr-x 2 mapr mapr  4096 Jan  5 13:34 logs
-rw-r--r-- 1 mapr mapr   388 Jan  5 10:26 NOTICE.txt
-rw-r--r-- 1 mapr mapr  1580 Jan  5 10:26 README.md
drwxr-xr-x 3 mapr mapr  4096 Jan  5 13:34 scripts
See Pre-Upgrade Steps for Sentry and Upgrading Sentry.
Removing Sentry
This issue applies to Sentry in EEP 6.3.1 and EEP 7.0.0.
If you try to remove Sentry on an Ubuntu OS before the Sentry process has started (the Sentry process does not exist), the system may return the following error message:
...
dpkg: error processing package mapr-sentry (--purge):
 subprocess installed pre-removal script returned error exit status 1
Errors were encountered while processing:
 mapr-sentry
E: Sub-process /usr/bin/dpkg returned an error code (1)
...
As a workaround, to completely remove Sentry on an Ubuntu OS, run:
sudo mv /var/lib/dpkg/info/mapr-sentry.* /tmp/
sudo dpkg --remove --force-remove-reinstreq mapr-sentry
sudo rm -rf /opt/mapr/sentry/