You can configure Impala to work with Sentry for authorization. When you configure Sentry authorization for Impala, Impala uses operating system IDs to associate privileges with each user that runs the impala-shell or client program. You can configure Impala to use a policy file for privileges.
Sentry Policy File (Sentry in File-Based Mode)
The Sentry policy file contains privileges for users and groups that determines privileges on schema objects. You put this file in a designated MapR-FS location and then provide the file location when you configure Impala to use Sentry authorization. When Impala starts, it reads the file and controls what objects that users who connect to Impala can access and what operations they can perform on the objects. Impala caches the security information from in the policy file every five minutes. If you make significant changes to security policies, restart Impala so that the changes become effective immediately.
For more information about Sentry Policy file configuration, refer to Configuring Sentry.
Before You Begin
Before you can configure Impala for Sentry authorization, you must have Hive and Sentry installed and configured to work together.
The following table provides the MapR and component versions required when you want to configure Impala to use Sentry authorization:
The following documents provide installation and configuration information for Sentry and Hive:
Configuring Impala to Use Sentry Authorization
To configure Impala to use Sentry authorization, edit the Impala
env.sh configuration file, and add these options to the
The following table lists the options with their descriptions:
This option turns on Sentry authorization for Impala. Specify the symbolic server name to use as the argument for this option. You must also specify this server name as the value for the
|You can store privileges in an authorization policy file. When you specify this option, in addition to the |
Complete the following steps to configure Impala to use Sentry authorization:
- In the
IMPALA_SERVER_ARGSdeclaration, add the following options:
If the policy file is stored in MapR-FS, indicate the MapR-FS location using the following format:
Restart the Impala server, statestore service, and catalog service. Refer to Managing Impala for instructions on how to start Impala.
Impala does not start if it detects any issues in the authorization settings or the policy file.
- When Impala is running, you can issue the following command to start the impala-shell as a particular user:
impala-shell -u <user_name>