This page explains how to configure Sentry in these sections:

Configuring Sentry and Hive for File-based Storage Mode

When Sentry operates in file-based storage mode, it works as a set of Java libraries that Hive uses. It does not run as a service and is not integrated with Warden or with the MapR Control System. Sentry runs as a service only when you choose the database storage model.

These instructions explain how to configure Hive to use Sentry in file-based storage mode.

  1. Edit the hive-site.xml file (located at /opt/mapr/hive/hive-<version>/conf) and set properties as shown:

    <property>
      <name>hive.server2.session.hook</name>
      <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
    </property>

    <property>
      <name>hive.sentry.conf.url</name>
      <value>file:///opt/mapr/sentry/sentry-<version>/conf/sentry-site.xml</value>
      <description>sentry-site.xml file location</description>
    </property>

    <property>
      <name>hive.metastore.execute.setugi</name>
      <value>true</value>
    </property>

  2. Edit the sentry-site.xml file and set properties as shown:

    <property>
      <name>sentry.hive.provider.backend</name>
      <value>org.apache.sentry.provider.file.SimpleFileProviderBackend</value>
      <description>The privilege provider to be used (either file-based or db-based).</description>
    </property>

    <property>
      <name>sentry.hive.provider.resource</name>
      <value>file:///opt/mapr/sentry/sentry-<version>/conf/global-policy.ini</value>
      <description>Provides the location of the policy file. If the policy file is in MapR-FS, the URL should start with the 'maprfs:///' scheme.</description>
    </property>

Configuring Sentry and Impala for File-based Storage Mode

For Impala to work with Sentry, follow these steps:

  1. Edit the env.sh file located at /opt/mapr/impala/impala-<version>/conf/env.sh and add these two lines after IMPALA_SERVER_ARGS=" \:

    -server_name=HS2 \
    -authorization_policy_file=file:///opt/mapr/sentry/sentry-<version>/conf/<file-name>.ini \

    If <file-name>.ini is stored in MapR-FS, the URL should start with 'maprfs:///'.

  2. Restart impalaserver, impalastore, and impalacatalog.

The global-policy.ini File

The default global-policy.ini file defines the admin_role, which gives the mapr user full access to the HiveServer2 server. The file is located in /opt/mapr/sentry/sentry-<version>/conf in your local file system. You can relocate the file to MapR-FS if you prefer. By default, this file contains these sections:

[groups]
mapr = admin_role
 
[roles]
admin_role = server=HS2

You can also define a separate policy file for a particular database, in which you specify roles and privileges for that database. The global policy file points to each per-database policy file in its [databases] section, as shown in these examples:

Sample sentry-provider.ini File

[databases]
# Defines the location of the per-DB policy file for the customer's DB or schema
customers = /etc/sentry/customers.ini
 
[groups]
customers_admin = customers_admin_role
 
[roles]
customers_admin_role = server=HS2->db=customers

Sample customers.ini File

[groups]
manager = customers_insert_role, customers_select_role
analyst = customers_select_role
 
[roles]
customers_insert_role = server=HS2->db=customers->table=*->action=insert
customers_select_role = server=HS2->db=customers->table=*->action=select
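
The following Python example is added here and is not part of the MapR or Sentry documentation. It parses policy files in the format shown above, resolves each group to the privileges it receives, and flags roles that are referenced but never defined, server-wide grants, and privileges in a per-database file that name a different database. The function names and the FAULTY sample file are constructed for illustration.

```python
import configparser

def parse_policy(text):
    """Parse policy-file text into {section: {name: [comma-separated values]}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # group and role names are kept as written
    cp.read_string(text)
    return {s: {k: [v.strip() for v in val.split(",") if v.strip()]
                for k, val in cp[s].items()} for s in cp.sections()}

def effective_privileges(policy):
    """Resolve [groups] through [roles]: group -> sorted privilege strings."""
    roles = policy.get("roles", {})
    return {g: sorted({p for r in rs for p in roles.get(r, [])})
            for g, rs in policy.get("groups", {}).items()}

def audit(policy, db=None):
    """Report undefined roles, server-wide grants and, when `db` names the
    database a per-database file belongs to, privileges outside that database."""
    findings, roles = [], policy.get("roles", {})
    for group, names in policy.get("groups", {}).items():
        findings += [f"group {group}: role {r} is not defined"
                     for r in names if r not in roles]
    for role, privs in roles.items():
        for priv in privs:
            scope = dict(x.split("=", 1) for x in priv.split("->") if "=" in x)
            if "db" not in scope:
                findings.append(f"role {role}: server-wide privilege {priv}")
            elif db is not None and scope["db"] != db:
                findings.append(f"role {role}: {priv} is outside db {db}")
    return findings

# The page's default global-policy.ini and sample customers.ini.
GLOBAL = "[groups]\nmapr = admin_role\n\n[roles]\nadmin_role = server=HS2\n"
CUSTOMERS = """[groups]
manager = customers_insert_role, customers_select_role
analyst = customers_select_role
[roles]
customers_insert_role = server=HS2->db=customers->table=*->action=insert
customers_select_role = server=HS2->db=customers->table=*->action=select
"""
# Constructed faulty per-database file: misspelled role, grant on another db.
FAULTY = """[groups]
analyst = customers_selct_role
[roles]
customers_select_role = server=HS2->db=sales->table=*->action=select
"""

if __name__ == "__main__":
    print(audit(parse_policy(FAULTY), db="customers"))
```

A group whose only role is undefined resolves to an empty privilege list in effective_privileges, so a misspelled role name shows up as an audit finding and as a group with no privileges.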