Apache Sentry is an authorization module for Hadoop that provides the granular, role-based authorization required to provide precise levels of access to authenticated users and applications. Sentry allows users to see only those objects for which they have privileges.

Storage Models

Sentry supports two models for storing policy rules:
Database storage (preferred)
As of Sentry 1.6-1602, you can configure Sentry to use the database storage mode. With this mode, the Sentry service provides access to read and maintain privileges and roles from a database.
File-based storage
Privileges and roles are accessed from and maintained in a policy file (global-policy.ini) which you can store on the MapR-FS. The following diagram illustrates the architecture of the file-based storage model:


Privileges are granted on different objects in the schema, including tables, databases, URIs and servers. The object hierarchy is set up like this, where objects inherit privileges from objects above them in the hierarchy:

Privileges and roles are specified in either a relational database (for database rule storage) or a global-policy.ini file (for file-based rule storage). The following examples show a global-policy.ini file along with the equivalent set of privileges and roles expressed in HiveSQL syntax.

Sample global-policy.ini File

# Assigns each Hadoop group to its set of roles  
manager = analyst_role, junior_analyst_role 
analyst = analyst_role 
jranalyst = junior_analyst_role 
customers_admin = customers_admin_role 
admin = admin_role

# The uris below define a landing pad which 
# the user can use to import or export data from the system. 
# Since the server runs as the user "hive," files in that directory 
# must either have read/write permissions set for the group hive 
# or have read/write permissions set for world. 
analyst_role = server=HS2->db=analyst1, \     
junior_analyst_role = server=HS2->db=jranalyst1, \     

# Implies everything on HS2.
admin_role = server=HS2