MapR 5.0 Documentation : Configuring Impala to Use Sentry Authorization

You can configure Impala to work with Sentry for authorization. When you configure Sentry authorization for Impala, Impala uses operating system IDs to associate privileges with each user that runs the impala-shell or client program. You can configure Impala to use a policy file for privileges. 

Sentry Policy File (Sentry in File-Based Mode)

The Sentry policy file contains the privileges that users and groups have on schema objects. You put this file in a designated MapR-FS location and then provide the file location when you configure Impala to use Sentry authorization. When Impala starts, it reads the file and controls which objects users who connect to Impala can access and which operations they can perform on those objects. Impala caches the security information from the policy file every five minutes. If you make significant changes to security policies, restart Impala so that the changes become effective immediately.

For more information about Sentry Policy file configuration, refer to Configuring Sentry.

Before You Begin

Before you can configure Impala for Sentry authorization, you must have Hive and Sentry installed and configured to work together. 

The following table provides the MapR and component versions required when you want to configure Impala to use Sentry authorization:

| Component | Version |
|---|---|
| MapR | 4.0.1 |
| Impala | 1.4.1 |
| Sentry | 1.4.0 |
| Hive | 0.13 |

The following documents provide installation and configuration information for Sentry and Hive:

Configuring Impala to Use Sentry Authorization

To configure Impala to use Sentry authorization, edit the Impala env.sh configuration file, and add these options to the IMPALA_SERVER_ARGS declaration.

The following table lists the options with their descriptions:

| Option | Description |
|---|---|
| -server_name | This option turns on Sentry authorization for Impala. Specify the symbolic server name to use as the argument for this option. You must also specify this server name as the value for the sentry.hive.server property in the sentry-site.xml configuration file for Hive. |
| -authorization_policy_file | You can store privileges in an authorization policy file. When you specify this option in addition to the -server_name option, Impala reads privilege information from the policy file instead of a database. Specify the MapR-FS path to the policy file that contains the privilege information. |

Complete the following steps to configure Impala to use Sentry authorization:

  1. Edit env.sh located in /opt/mapr/impala/impala-<version>/conf/.
  2. In the IMPALA_SERVER_ARGS declaration, add the following options:
    1. -server_name=<hive_server_2> \
    2. -authorization_policy_file=file:///opt/mapr/sentry/sentry-<version>/conf/<file-name>.ini \

      If the policy file is stored in MapR-FS, indicate the MapR-FS location using the following format:
           -authorization_policy_file=maprfs:///<path_to_policy_file>

  3. Restart the Impala server, statestore service, and catalog service. Refer to Managing Impala for instructions on how to start Impala.

    Impala does not start if it detects any issues in the authorization settings or the policy file.

  4. When Impala is running, you can issue the following command to start the impala-shell as a particular user:
    impala-shell -u <user_name>
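
A check you can run before the restart in step 3, confirming that both options are present and that -server_name matches sentry.hive.server. This is an added example, not part of the MapR documentation; the function names, sample paths and sample values are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not MapR code): check the Sentry options before restarting Impala.

get_opt() {  # $1 = env file, $2 = option name; prints the value of the first match
  grep -v '^[[:space:]]*#' "$1" | grep -o -- "$2=[^[:space:]\"']*" |
    head -n 1 | cut -d= -f2- | sed 's/\\$//'
}

get_sentry_server() {  # $1 = sentry-site.xml; prints the sentry.hive.server value
  sed -n '/<name>sentry\.hive\.server<\/name>/,/<\/property>/s:.*<value>\(.*\)</value>.*:\1:p' "$1" |
    head -n 1
}

check_sentry_args() {  # $1 = env.sh, $2 = sentry-site.xml; returns 0 when consistent
  local name policy expected rc=0
  name=$(get_opt "$1" -server_name)
  policy=$(get_opt "$1" -authorization_policy_file)
  expected=$(get_sentry_server "$2")
  [ -n "$name" ] || { echo "FAIL: -server_name is not set" >&2; rc=1; }
  [ -n "$policy" ] || { echo "FAIL: -authorization_policy_file is not set" >&2; rc=1; }
  if [ -n "$name" ] && [ "$name" != "$expected" ]; then
    echo "FAIL: -server_name=$name, sentry.hive.server=${expected:-unset}" >&2; rc=1
  fi
  case "$policy" in
    ''|file://*|maprfs://*) ;;  # the two URI forms the page shows
    *) echo "FAIL: unexpected policy file URI: $policy" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Constructed sample files (placeholders, not from a real cluster).
write_samples() {  # $1 = directory, $2 = server name to put in env.sh
  cat > "$1/env.sh" <<EOF
IMPALA_SERVER_ARGS=" \\
    -log_dir=/tmp/impala-logs \\
    -server_name=$2 \\
    -authorization_policy_file=maprfs:///example/sentry/policy.ini"
EOF
  cat > "$1/sentry-site.xml" <<EOF
<property>
  <name>sentry.hive.server</name>
  <value>server1</value>
</property>
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp" server1
check_sentry_args "$tmp/env.sh" "$tmp/sentry-site.xml" && echo "OK: Sentry options are consistent"
```

Point the two arguments of check_sentry_args at your own env.sh and sentry-site.xml; commented-out option lines are ignored, so an option that is present only in a comment is reported as not set.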

Comments:

If you provide only this option to Impala, (without specifying policy file) Impala uses the Sentry service for authorization and reads privileges from a database. When Impala uses Sentry service, it relies on the results of GRANT and REVOKE statements issued through Hive.

This info is related to Sentry DB mode, and it is currently not supported. To configure Sentry and Impala with the current Sentry 1.4 release, both properties should be specified.

Posted by docs at Oct 29, 2015 05:32

Removed paragraph cited, as well as Note above table that said something similar, and changed lead-in wording from "add the the required option(s)" to "add these options"

Posted by jwolley at Oct 29, 2015 15:00