MapR 5.0 Documentation : Configure Impala to Use Sentry Authorization

You can configure Impala to work with Sentry for authorization. When you configure Sentry authorization for Impala, Impala uses operating system IDs to associate privileges with each user that runs the impala-shell or client program.

The following table provides the MapR and component versions required when you want to configure Impala to use Sentry authorization:

Component    Versions
MapR         4.x, 5.0     5.0
Impala       1.4.1        2.2.0
Sentry       1.4.0        1.6.0
Hive         0.13         1.2.1

Prerequisite

Before you can configure Impala for Sentry authorization, you must have Hive and Sentry installed and configured to work together. As of Sentry 1.4.0-1509, Hive is not automatically installed with Sentry.

Configuring Impala to Use Sentry Authorization With the Database Storage Model

As of Sentry 1.6, Sentry can be configured to use the database storage model. Complete the following steps to configure Impala to use Sentry authorization when Sentry uses the database storage model:

  1. Set the following properties in env.sh (/opt/mapr/impala/impala-<version>/conf/env.sh), where <SENTRY-HOME> is the Sentry installation directory (for example /opt/mapr/sentry/sentry-<version>). Each value must be closed with a double quote, and the server name passed to -server_name must match the sentry.hive.server property in the sentry-site.xml file for Hive: 

    # Symbolic server name (must equal sentry.hive.server in Hive's sentry-site.xml)
    IMPALA_SERVER_ARGS=" \
    -server_name=HS2 \
    -sentry_config=<SENTRY-HOME>/conf/sentry-site.xml"
    IMPALA_CATALOG_ARGS=" \
    -sentry_config=<SENTRY-HOME>/conf/sentry-site.xml"
    IMPALA_STATE_STORE_ARGS=" \
    -sentry_config=<SENTRY-HOME>/conf/sentry-site.xml"
  2. Run the following commands to restart Impala:

    sudo -u mapr maprcli node services -name impalaserver -action restart -nodes <nodename>
    sudo -u mapr maprcli node services -name impalastore -action restart -nodes <nodename>
    sudo -u mapr maprcli node services -name impalacatalog -action restart -nodes <nodename>
  3. When Impala is running, you can issue the following command to start the impala-shell as a particular user:

    impala-shell -u <user_name>

Configuring Impala to Use Sentry Authorization in File-Based Storage Model

When Impala starts, it reads the policy file and uses it to control which objects the users who connect to Impala can access and what operations they can perform on those objects. Impala rereads the policy file every five minutes. If you make significant changes to the security policies, restart Impala so that the changes take effect immediately instead of waiting for the next refresh.

Complete the following steps to configure Impala to use Sentry authorization when Sentry uses the file-based storage model:

  1. Edit env.sh located in /opt/mapr/impala/impala-<version>/conf/.
  2. In the IMPALA_SERVER_ARGS declaration, add the following options:

    Option: -server_name

    Description: This option turns on Sentry authorization for Impala. Specify the symbolic server name to use as the argument for this option. You must also specify the same server name as the value of the sentry.hive.server property in the sentry-site.xml configuration file for Hive, because the server name is part of every Sentry privilege and the two must match.

    For example:
    -server_name=<hive_server_2>

    Option: -authorization_policy_file

    Description: You can store privileges in an authorization policy file. When you specify this option together with -server_name, Impala reads privilege information from the policy file instead of the Sentry database. Specify the path to the policy file, either a local path with the file:// scheme or a location in MapR-FS with the maprfs:// scheme. For example:
     -authorization_policy_file=file:///opt/mapr/sentry/sentry-/conf/.ini \

    If the policy file is stored in MapR-FS, indicate the MapR-FS location using the following format:
         -authorization_policy_file=maprfs:///<path_to_policy_file>

  3. Restart the Impala server, statestore service, and catalog service. 

    sudo -u mapr maprcli node services -name impalaserver -action restart -nodes <nodename>
    sudo -u mapr maprcli node services -name impalastore -action restart -nodes <nodename>
    sudo -u mapr maprcli node services -name impalacatalog -action restart -nodes <nodename>

    Impala does not start if it detects any issues in the authorization settings or the policy file.

  4. When Impala is running, you can issue the following command to start the impala-shell as a particular user:

    impala-shell -u <user_name>
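Both procedures above end with a restart that fails if the authorization settings are inconsistent. The following Python script is an added example, not code from the MapR documentation, Impala or Sentry, that checks the settings before the restart: it extracts IMPALA_SERVER_ARGS from env.sh (catching a forgotten closing quote, which makes the next assignment part of the value), verifies that -server_name matches sentry.hive.server in Hive's sentry-site.xml and that -sentry_config exists, and, for the file-based model, that a local policy file parses as an INI file with [groups] and [roles] sections. The option names come from this page; the policy section names, the sample policy and the sample env.sh contents are assumptions and constructed samples. A maprfs:// policy path is skipped because it cannot be opened from a plain local check.

```python
import configparser
import os
import shlex
import tempfile
import xml.etree.ElementTree as ET


def extract_var(env_sh_text, var):
    """Return the double-quoted value of VAR="..." with backslash-newline joined."""
    marker = var + '="'
    start = env_sh_text.find(marker)
    if start < 0:
        raise ValueError(f"{var} is not set in env.sh")
    body_start = start + len(marker)
    end = env_sh_text.find('"', body_start)
    if end < 0:
        raise ValueError(f"{var} has no closing double quote")
    return env_sh_text[body_start:end].replace("\\\n", " ")


def parse_flags(arg_string):
    """Turn '-server_name=HS2 -sentry_config=/x' into {'server_name': 'HS2', ...}.

    A token that is not a -flag means the quoted value ran past its own line,
    e.g. an unterminated IMPALA_SERVER_ARGS swallowing IMPALA_CATALOG_ARGS.
    """
    flags = {}
    for tok in shlex.split(arg_string):
        if not tok.startswith("-"):
            raise ValueError(f"unexpected token {tok!r}: check the quoting in env.sh")
        name, _, value = tok.lstrip("-").partition("=")
        flags[name] = value
    return flags


def hive_server_name(sentry_site_path):
    """Return sentry.hive.server from a Hadoop-style XML config, or None if absent."""
    root = ET.parse(sentry_site_path).getroot()
    for prop in root.iter("property"):
        if prop.findtext("name") == "sentry.hive.server":
            return (prop.findtext("value") or "").strip()
    return None


def preflight(env_sh_path, hive_sentry_site_path):
    """Return a list of problems; an empty list means the settings are consistent."""
    with open(env_sh_path) as f:
        text = f.read()
    try:
        flags = parse_flags(extract_var(text, "IMPALA_SERVER_ARGS"))
    except ValueError as exc:
        return [str(exc)]
    problems = []
    name = flags.get("server_name")
    if not name:
        problems.append("-server_name is missing, so Sentry authorization is off")
    else:
        expected = hive_server_name(hive_sentry_site_path)
        if expected != name:
            problems.append(f"-server_name={name} but sentry.hive.server={expected}")
    cfg = flags.get("sentry_config")
    if cfg and not os.path.isfile(cfg):
        problems.append(f"-sentry_config points to a missing file: {cfg}")
    policy = flags.get("authorization_policy_file", "")
    if policy.startswith("file://"):  # maprfs:// paths cannot be checked locally
        path = policy[len("file://"):]
        ini = configparser.ConfigParser()
        if not ini.read(path):
            problems.append(f"policy file {path} is missing or unreadable")
        elif not {"groups", "roles"} <= set(ini.sections()):  # assumed section names
            problems.append("policy file lacks the [groups] and [roles] sections")
    return problems


def demo():
    """Run preflight on constructed good, inconsistent and mis-quoted env.sh files."""
    with tempfile.TemporaryDirectory() as d:
        site = os.path.join(d, "hive-sentry-site.xml")  # constructed sample
        with open(site, "w") as f:
            f.write("<configuration><property><name>sentry.hive.server</name>"
                    "<value>HS2</value></property></configuration>")
        policy = os.path.join(d, "sentry-provider.ini")  # constructed sample policy
        with open(policy, "w") as f:
            f.write("[groups]\nanalysts = analyst_role\n"
                    "[roles]\nanalyst_role = server=HS2->db=sales->action=select\n")
        cases = {
            "good": ('IMPALA_SERVER_ARGS=" \\\n -server_name=HS2 \\\n'
                     f' -sentry_config={site} \\\n'
                     f' -authorization_policy_file=file://{policy}"\n'),
            "mismatch": ('IMPALA_SERVER_ARGS=" \\\n -server_name=hive_server_2 \\\n'
                         f' -sentry_config={d}/missing.xml"\n'),
            # Closing quote forgotten: the next assignment becomes part of the value.
            "unterminated": ('IMPALA_SERVER_ARGS=" \\\n -server_name=HS2 \\\n'
                             f' -sentry_config={site}\n'
                             f'IMPALA_CATALOG_ARGS=" \\\n -sentry_config={site}"\n'),
        }
        results = {}
        for label, text in cases.items():
            env_sh = os.path.join(d, f"env-{label}.sh")
            with open(env_sh, "w") as f:
                f.write(text)
            results[label] = preflight(env_sh, site)
        return results
```

Run preflight(env_sh_path, hive_sentry_site_path) against the real files on the node; an empty list means the restart in the step above should not fail on the authorization settings, while each string in the list names one thing to fix first.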