MapR 5.0 Documentation : Configure Hive to use Sentry Authorization

Configure Hive to use Sentry authorization when you want to use Sentry authorization with Impala. The following steps configure Hive to use Sentry authorization and create an admin role for the mapr user.

  1. Add the following properties to hive-site.xml:

    <property>
      <name>hive.server2.session.hook</name>
      <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
    </property>
    
    <property>
      <name>hive.sentry.conf.url</name>
      <value>file:///opt/mapr/sentry/sentry-<version>/conf/sentry-site.xml</value>
      <description>sentry-site.xml file location</description>
    </property>
    
    <property>
      <name>hive.metastore.rawstore.impl</name>
      <value>org.apache.sentry.binding.metastore.AuthorizingObjectStore</value>
    </property>
    
    <property>
      <name>hive.metastore.filter.hook</name>
      <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
    </property>
    
    <property>
      <name>hive.server2.enable.doAs</name>
      <value>false</value>
      <description>Set this property to false to disable impersonation in HiveServer2</description>
    </property>
    
    <property>
      <name>hive.metastore.execute.setugi</name>
      <value>true</value>
    </property>
    
    <property>
      <name>hive.internal.ss.authz.settings.applied.marker</name>
      <value>true</value>
    </property>
    
  2. For Sentry version 1.6 and above, also add the following properties to hive-site.xml:

    <property>
      <name>hive.sentry.subject.name</name>
      <value>mapr</value>
    </property>
    
    <property>
      <name>hive.metastore.filter.hook</name>
      <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
    </property>
    
    <property>
      <name>hive.internal.ss.authz.settings.applied.marker</name>
      <value>true</value>
    </property>
    
  3. If Sentry uses the DB storage model for rules, also add the following properties to hive-site.xml:

    <property>
      <name>hive.support.concurrency</name>
      <description>Enable Hive's Table Lock Manager Service</description>
      <value>true</value>
    </property>
    
    <property>
      <name>hive.security.authorization.task.factory</name>
      <value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value>
    </property>
    
    <property>
      <name>hive.metastore.rawstore.impl</name>
      <value>org.apache.sentry.binding.metastore.AuthorizingObjectStore</value>
    </property>
    
    <property>
      <name>hive.metastore.pre.event.listeners</name>
      <value>org.apache.sentry.binding.metastore.MetastoreAuthzBinding</value>
      <description>list of comma separated listeners for metastore events.</description>
    </property>
    
  4. Restart HiveServer2 and Hive Metastore:

    sudo -u mapr maprcli node services -name hiveserver2 -action restart -nodes <nodename>
    sudo -u mapr maprcli node services -name metastore -action restart -nodes <nodename>

  5. Restart Sentry:

    sudo -u mapr maprcli node services -name sentry -action restart -nodes <nodename>

  6. Create the admin role.

    • For the DB-based storage model, run the following commands in the Hive Beeline shell to create the admin role for the mapr user:

      >create role admin_role;
      >grant all on server HS2 to role admin_role;
      >grant role admin_role to group mapr;

    • For the File-based model, update the global-policy.ini file in <SENTRY-HOME>/conf. For example:

      [groups]
      mapr = admin_role
      testuser = test_role
      [roles]
      admin_role = server=HS2
      test_role = server=HS2->db=test_db1->table=test_table->action=all
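A quick way to confirm that the step-1 properties actually landed in hive-site.xml before restarting the services. This is an added check, not part of the MapR documentation or the Sentry project; it parses the file with the standard library and reports every property that is missing or set to a value other than the one given above. The embedded hive-site.xml is a constructed sample (not a real cluster's file) in which the session hook was never added and impersonation was left on.

```python
import xml.etree.ElementTree as ET

# Expected values, exactly as the page gives them in step 1.
REQUIRED = {
    "hive.server2.session.hook": "org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook",
    "hive.metastore.rawstore.impl": "org.apache.sentry.binding.metastore.AuthorizingObjectStore",
    "hive.metastore.filter.hook": "org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook",
    "hive.server2.enable.doAs": "false",
    "hive.metastore.execute.setugi": "true",
    "hive.internal.ss.authz.settings.applied.marker": "true",
}

def parse_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style configuration file."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def check_sentry_config(xml_text):
    """Return a sorted list of problems; an empty list means every step-1 setting is in place."""
    props = parse_properties(xml_text)
    problems = []
    for name, expected in REQUIRED.items():
        actual = props.get(name)
        if actual is None:
            problems.append(f"missing: {name}")
        elif actual != expected:
            problems.append(f"wrong value: {name}={actual!r} (expected {expected!r})")
    # hive.sentry.conf.url embeds the installed Sentry version, so only check that it
    # is present and points at a sentry-site.xml rather than comparing the full path.
    url = props.get("hive.sentry.conf.url")
    if url is None:
        problems.append("missing: hive.sentry.conf.url")
    elif not url.endswith("sentry-site.xml"):
        problems.append(f"wrong value: hive.sentry.conf.url={url!r} (must point at sentry-site.xml)")
    return sorted(problems)

# Constructed sample hive-site.xml: no session hook, and doAs left at true.
SAMPLE = """<configuration>
  <property><name>hive.sentry.conf.url</name><value>file:///opt/mapr/sentry/sentry-1.6.0/conf/sentry-site.xml</value></property>
  <property><name>hive.metastore.rawstore.impl</name><value>org.apache.sentry.binding.metastore.AuthorizingObjectStore</value></property>
  <property><name>hive.metastore.filter.hook</name><value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value></property>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property><name>hive.metastore.execute.setugi</name><value>true</value></property>
  <property><name>hive.internal.ss.authz.settings.applied.marker</name><value>true</value></property>
</configuration>"""
```

Run `check_sentry_config(open("/path/to/hive-site.xml").read())` against the real file; an empty list means the step-1 settings are complete.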