Configuring Sentry Policy File Authorization Using Cloudera Manager

This topic describes how to configure Sentry policy files and enable policy file authorization for CDH services using Cloudera Manager.

Configuring User to Group Mappings

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Hadoop Groups

  1. Go to the Hive service.
  2. Click the Configuration tab.
  3. Select Scope > Hive (Service-Wide).
  4. Select Category > Policy File Based Sentry.
  5. Locate the Sentry User to Group Mapping Class property or search for it by typing its name in the Search box.
  6. Set the Sentry User to Group Mapping Class property to org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider.
  7. Click Save Changes.
  8. Restart the Hive service.

Local Groups

  1. Define local groups in the [users] section of the Policy File. For example: 
    [users]
user1 = group1, group2, group3
user2 = group2, group3
  2. Modify Sentry configuration as follows:
    1. Go to the Hive service.
    2. Click the Configuration tab.
    3. Select Scope > Hive (Service-Wide).
    4. Select Category > Policy File Based Sentry.
    5. Locate the Sentry User to Group Mapping Class property or search for it by typing its name in the Search box.
    6. Set the Sentry User to Group Mapping Class property to org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider.
    7. Click Save Changes.
    8. Restart the Hive service.

Enabling URIs for Per-DB Policy Files

The ADD JAR command does not work with HiveServer2 and the Beeline client when Beeline runs on a different host. As an alternative to ADD JAR, Hive's auxiliary paths functionality should be used as described in the following steps. Add the following string to the Java configuration options for HiveServer2 during startup. 
-Dsentry.allow.uri.db.policyfile=true

Using User-Defined Functions with HiveServer2

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

The ADD JAR command does not work with HiveServer2 and the Beeline client when Beeline runs on a different host. As an alternative to ADD JAR, Hive's auxiliary paths functionality should be used. There are some differences in the procedures for creating permanent functions and temporary functions. For detailed instructions, see Registering a UDF in Hive.

Enabling Policy File Authorization for Hive

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

  1. See Before You Install Sentry to verify the prerequisites.
  2. Setting Hive Warehouse Directory Permissions
    The Hive warehouse directory (/user/hive/warehouse or any path you specify as hive.metastore.warehouse.dir in your hive-site.xml) must be owned by the Hive user and group (hive:hive).
    • Using the default Hive warehouse directory - Permissions on the warehouse directory must be set as follows (see following Note for caveats):
      • 771 on the directory itself (by default, /user/hive/warehouse)
      • 771 on all subdirectories (for example, /user/hive/warehouse/mysubdir)
      • All files and subdirectories should be owned by hive:hive
      For example: 
      $ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
$ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
      If you have enabled Kerberos on your cluster, you must kinit as the hdfs user before you set permissions. For example: 
      sudo -u hdfs kinit -kt hdfs.keytab hdfs
sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
$ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
    • Using a non-default Hive warehouse: To use a different directory for the Hive warehouse, specify the directory path in the hive.metastore.warehouse.dir property and set the permissions on the new directory, as shown in this example: 
      $ hdfs dfs -chown hive:hive /data
$ hdfs dfs -chmod 771 /data

      For Sentry/HDFS sync to work as expected, add the new warehouse URL to the list of Sentry Synchronization Path Prefixes.

  3. Disable impersonation for HiveServer2:
    1. Go to the Hive service.
    2. Click the Configuration tab.
    3. Select Scope > HiveServer2.
    4. Select Category > All.
    5. Locate the HiveServer2 Enable Impersonation property or search for it by typing its name in the Search box.
    6. Under the HiveServer2 role group, clear the HiveServer2 Enable Impersonation property.
    7. Click Save Changes to commit the changes.
  4. Create the Sentry policy file, sentry-provider.ini, as an HDFS file.
  5. Enable the Hive user to submit MapReduce jobs.
    1. Go to the MapReduce service.
    2. Click the Configuration tab.
    3. Select Scope > TaskTracker.
    4. Select Category > Security.
    5. Locate the Minimum User ID for Job Submission property or search for it by typing its name in the Search box.
    6. Set the Minimum User ID for Job Submission property to 0 (the default is 1000).
    7. Click Save Changes to commit the changes.
    8. Repeat steps 5.a-5.d for every TaskTracker role group for the MapReduce service that is associated with Hive, if more than one exists.
    9. Restart the MapReduce service.
  6. Enable the Hive user to submit YARN jobs.
    1. Go to the YARN service.
    2. Click the Configuration tab.
    3. Select Scope > NodeManager.
    4. Select Category > Security.
    5. Ensure the Allowed System Users property includes the hive user. If not, add hive.
    6. Click Save Changes to commit the changes.
    7. Repeat steps 6.a-6.d for every NodeManager role group for the YARN service that is associated with Hive, if more than one exists.
    8. Restart the YARN service.
  7. Go to the Hive service.
  8. Click the Configuration tab.
  9. Select Scope > Hive (Service-Wide).
  10. Select Category > Policy File Based Sentry.
  11. Select Enable Sentry Authorization Using Policy Files.
  12. Click Save Changes to commit the changes.
  13. Add the Hive user group to Sentry's admin groups.
    1. Go to the Sentry service.
    2. Click the Configuration tab.
    3. Select Scope > Sentry (Service-Wide).
    4. Select Category > Main.
    5. Locate the Admin Groups property and add the hive group to the list. If an end user is in one of these admin groups, that user has administrative privileges on the Sentry Server.
    6. Click Save Changes to commit the changes.
  14. Restart the cluster and HiveServer2 after changing these values, whether you use Cloudera Manager or not.

Configuring Group Access to the Hive Metastore

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

You can configure the Hive Metastore to reject connections from users not listed in the Hive group proxy list (in HDFS). If you do not configure this override, the Hive Metastore will use the value in the core-site HDFS configuration. To configure the Hive group proxy list:
  1. Go to the Hive service.
  2. Click the Configuration tab.
  3. Select Scope > Hive (Service-Wide).
  4. Select Category > Proxy.
  5. In the Hive Metastore Access Control and Proxy User Groups Override property, specify a list of groups whose users are allowed to access the Hive Metastore. If you do not specify "*" (wildcard), you will be warned if the groups do not include hive and impala (if the Impala service is configured) in the list of groups.
  6. Click Save Changes.
  7. Restart the Hive service.

Enabling Policy File Authorization for Impala

For a cluster managed by Cloudera Manager, perform the following steps to enable policy file authorization for Impala.
  1. Enable Sentry's policy file based authorization for Hive. For details, see Enabling Policy File Authorization for Hive.
  2. Go to the Cloudera Manager Admin Console and go to the Impala service.
  3. Click the Configuration tab.
  4. Select Scope > Impala (Service-Wide).
  5. Select Category > Policy File-Based Sentry.
  6. Select Enable Sentry Authorization Using Policy Files.
  7. Click Save Changes to commit the changes.
  8. Restart the Impala service.
  9. Add the Impala user group to Sentry's admin groups.
    1. Go to the Sentry service.
    2. Click the Configuration tab.
    3. Select Scope > Sentry (Service-Wide).
    4. Select Category > Main.
    5. Locate the Admin Groups property and add the impala group to the list. If an end user is in one of these admin groups, that user has administrative privileges on the Sentry Server.
    6. Click Save Changes to commit the changes.
For more details, see Starting the impalad Daemon with Sentry Authorization Enabled.

Enabling Sentry Policy File Authorization for Solr

Minimum Required Role: Full Administrator

  1. Ensure the following requirements are satisfied:
    • Cloudera Search 1.1.1 or higher or CDH 5 or higher.
    • A secure Hadoop cluster.
  2. Create the policy file sentry-provider.ini as an HDFS file. When you create the policy file sentry-provider.ini follow the instructions in the Policy File section in Solr Authentication. The file must be owned by owned by the solr user in the solr group, with perms=600. By default Cloudera Manager assumes the policy file is in the HDFS location /user/solr/sentry. To configure the location:
    1. Go to the Solr service.
    2. Click the Configuration tab.
    3. Select Scope > SOLR (Service-Wide).
    4. Select Category > Policy File Based Sentry.
    5. Locate the Sentry Global Policy File property.
    6. Modify the path in the Sentry Global Policy File property.
    7. Select Enable Sentry Authorization.
    8. Click Save Changes.
  3. Restart the Solr service.

For more details, see Configuring Sentry Authorization for Cloudera Search.

Configuring Sentry to Enable BDR Replication

Cloudera recommends the following steps when configuring Sentry and data replication is enabled.

  • Group membership should be managed outside of Sentry (as OS and LDAP groups are typically managed) and replication for them also should be handled outside of Cloudera Manager.
  • In Cloudera Manager, set up HDFS replication for the Sentry files of the databases that are being replicated (separately using Hive/Impala replication).
  • On the source cluster:
    • Use a separate Sentry policy file for every database
    • Avoid placing any group or role info (except for server admin info) in the global Sentry policy file (to avoid manual replication/merging with the global file on the target cluster)
    • To avoid manual fix up of URI privileges, ensure that the URIs for the data are the same on both the source and target cluster
  • On the target cluster:
    • In the global Sentry policy file, manually add the DB name - DB file mapping entries for the databases being replicated
    • Manually copy the server admin info from the global Sentry policy file on the source to the policy on the target cluster
    • For the databases being replicated, avoid adding more privileges (adding tables specific to target cluster may sometimes require adding extra privileges to allow access to those tables). If any target cluster specific privileges absolutely need to be added for a database, add them to the global Sentry policy file on the target cluster since the per database files would be overwritten periodically with source versions during scheduled replication.