Configure Hive to use Sentry Authorization
Configure Hive to use Sentry when you want to use Sentry authorization with Impala.
About this task
IMPORTANT This component is deprecated. Hewlett Packard
Enterprise recommends using an alternate product. For more information, see Discontinued Ecosystem Components.
Complete the following steps to configure Hive to use Sentry authorization, and
create an admin
role for the mapr
user:
Procedure
-
For Sentry 1.6.0 and Hive 1.2, add the following properties to
hive-site.xml
:<property> <name>hive.server2.session.hook</name> <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value> </property> <property> <name>hive.sentry.conf.url</name> <value>file:///opt/mapr/sentry/sentry-<version>/conf/sentry-site.xml</value> <description>sentry-site.xml file location</description> </property> <property> <name>hive.metastore.rawstore.impl</name> <value>org.apache.sentry.binding.metastore.AuthorizingObjectStore</value> </property> <property> <name>hive.metastore.filter.hook</name> <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value> </property> <property> <name>hive.server2.enable.doAs</name> <value>false</value> <description>Set this property to enable impersonation in Hive Server 2</description> </property> <property> <name>hive.metastore.execute.setugi</name> <value>true</value> </property> <property> <name>hive.sentry.subject.name</name> <value>mapr</value> </property> <property> <name>hive.stats.collect.scancols</name> <value>true</value> <description>Property for use column level privileges in Hive and Sentry Integration</description> </property>
NOTE Thehive.metastore.rawstore.impl
property is optional, but is recommended for metadata read protection. -
If Sentry uses the database storage model for rules, add the following
properties to
hive-site.xml
:<property> <name>hive.support.concurrency</name> <description>Enable Hive's Table Lock Manager Service</description> <value>true</value> </property> <property> <name>hive.zookeeper.quorum</name> <description>ZooKeeper quorum used by Hive's Table Lock Manager</description> <value>hostname</value> </property> <property> <name>hive.zookeeper.client.port</name> <description>The port where the clients connect</description> <value>5181</value> </property> <property> <name>hive.security.authorization.task.factory</name> <value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value> </property> <property> <name>hive.metastore.rawstore.impl</name> <value>org.apache.sentry.binding.metastore.AuthorizingObjectStore</value> </property> <property> <name>hive.metastore.pre.event.listeners</name> <value>org.apache.sentry.binding.metastore.MetastoreAuthzBinding</value> <description>list of comma separated listeners for metastore events.</description> </property>
-
To configure Sentry with Hive 2.1 or later, add the following properties to
HIVE_HOME/conf/hive-site.xml
:<property> <name>hive.server2.session.hook</name> <value>org.apache.sentry.binding.hive.v2.HiveAuthzBindingSessionHookV2</value> </property> <property> <name>hive.sentry.subject.name</name> <value>mapr</value> <description>sentry-site.xml file location</description> </property> <property> <name>hive.sentry.conf.url</name> <value>file:///opt/mapr/sentry/sentry-1.7.0/conf/sentry-site.xml</value> <description>sentry-site.xml file location</description> </property> <property> <name>hive.security.authorization.task.factory</name> <value>org.apache.sentry.binding.hive.v2.SentryHiveAuthorizationTaskFactoryImplV2</value> </property> <property> <name>hive.metastore.rawstore.impl</name> <value>org.apache.sentry.binding.hive.v2.metastore.AuthorizingObjectStoreV2</value> </property> <property> <name>hive.metastore.filter.hook</name> <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value> </property> <property> <name>hive.server2.enable.doAs</name> <value>false</value> <description>Set this property to enable impersonation in Hive Server 2</description> </property> <property> <name>hive.metastore.execute.setugi</name> <value>true</value> </property> <property> <name>hive.internal.ss.authz.settings.applied.marker</name> <value>true</value> </property> <property> <name>hive.security.authorization.manager</name> <value>org.apache.sentry.binding.hive.v2.SentryAuthorizerFactory</value> </property> <property> <name>hive.security.authenticator.manager</name> <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value> </property> <property> <name>hive.security.authorization.enabled</name> <value>true</value> </property> <property> <name>hive.metastore.pre.event.listeners</name> <value>org.apache.sentry.binding.hive.v2.metastore.MetastoreAuthzBindingV2</value> <description>list of comma separated listeners for metastore events.</description> </property> <property> <name>hive.metastore.event.listeners</name> <value>org.apache.sentry.binding.hive.v2.metastore.SentryMetastorePostEventListenerV2</value> <description>list of comma separated listeners for metastore, post events.</description> </property> <property> <name>hive.zookeeper.client.port</name> <value>5181</value> <description>The Zookeeper client port. The MapR default clientPort is 5181.</description> </property> <property> <name>hive.zookeeper.quorum</name> <description>Zookeeper quorum used by Hive's Table Lock Manager</description> <value><!--host with Zookeper--></value> </property>
-
Restart HiveServer2 and the Hive Metastore:
sudo -u mapr maprcli node services -name hs2 -action restart -nodes <nodename> sudo -u mapr maprcli node services -name hivemeta -action restart -nodes <nodename>
-
If Sentry was configured to use the database storage model, issue the following
command to restart Sentry:
sudo -u mapr maprcli node services -name sentry -action restart -nodes <nodename>
-
Create the
admin
role.- For the database storage model, run the following commands from the Hive
beeline to create the admin role for the mapr user:
>create role admin_role; >grant all on server HS2 to role admin_role; >grant role admin_role to group mapr;
- For the file-based model, update the The global-policy.ini File in
/opt/mapr/sentry/sentry-<version>/conf
. For example:[groups] mapr = admin_role testuser = test_role [roles] admin_role = server=HS2 test_role = server=HS2->db=test_db1->table=test_table->action=all
NOTE If you include a non-existent mapping or path to a JAR file that represents a UDF (user-defined function) in any section of theglobal-policy.ini
file, Sentry silently fails and cannot control access to Hive. For example, if you include a mapping to a role that does not exist in the[groups]
section, Sentry fails. For more information, see Getting Started with Sentry in Hive.
- For the database storage model, run the following commands from the Hive
beeline to create the admin role for the mapr user: