Posted to dev@sentry.apache.org by Suvodeep Pyne <sp...@linkedin.com.INVALID> on 2015/07/22 22:32:54 UTC

Building a Sentry Client

Hello

I am working on an internal project here at LinkedIn and we are
investigating Apache Sentry as a possible authentication/authorization
engine.

Are there any good examples of Java Sentry clients? There are tutorials
about enabling Sentry on Hive but this seems specific to Cloudera
distributions. Is there code for the main hive dist as well? Would be great
if anybody could give some pointers regarding this.

Also, as an evaluator, I was curious about the advantages that Sentry has over
other similar projects like Apache Ranger, for example.

Thanks a ton for your time!

Regards
Suvodeep

Re: Building a Sentry Client

Posted by Lenni Kuff <ls...@cloudera.com>.
On Fri, Jul 24, 2015 at 12:53 PM, Sravya Tirukkovalur <sr...@cloudera.com>
wrote:

> Hi Suvodeep,
>
> Thanks for your interest!
>
> So SentryPolicyServiceClientDefaultImpl
> <https://github.com/apache/incubator-sentry/blob/master/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java>
> is the default Java Client for Sentry Service. And SimpleDBProviderBackend
> <https://github.com/apache/incubator-sentry/blob/master/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java>
> is an example of how to use this client. And Sentry is actually using upstream Hive
> <https://github.com/apache/incubator-sentry/blob/master/pom.xml#L71>
> (1.1.0).
>
> I am definitely not an expert on all the similar projects but I think
> Sentry provides unified authorization for multiple projects in the Hadoop
> ecosystem at a much deeper level. For example, it has the capability of syncing
> Sentry permissions with HDFS ACLs so that there is just one source of
> truth.
>

To expand on this a bit - the HDFS ACL sync feature in Sentry allows the
Sentry privileges to be applied to the underlying data files of Hive
Metastore tables. This means that all data access paths to the table
location via Spark, Pig, Sqoop, native MR, etc. will be enforced using *the
same set of privileges*, allowing the datasets to be shared between
components without managing HDFS ACLs directly.

Another differentiating factor is that Ranger does not actually support the
logical concept of a "role". In Ranger, privileges are granted directly to
users/groups. Sentry roles are incredibly useful when it comes to policy
management since they allow you to set up pre-defined profiles (roles) such
as "db_admin", "read_only_user", etc and grant (or revoke) the roles to
multiple groups. This can be managed using familiar tools like the Hue UI
or via SQL standard GRANT/REVOKE statements in Hive/Impala.

Let us know if you have any questions -  we are happy to help you get up to
speed in the community.

Thanks,
Lenni



>
> On Wed, Jul 22, 2015 at 1:32 PM, Suvodeep Pyne <spyne@linkedin.com.invalid>
> wrote:
>
> > Hello
> >
> > I am working on an internal project here at LinkedIn and we are
> > investigating Apache Sentry as a possible authentication/authorization
> > engine.
> >
> > Are there any good examples of Java Sentry clients? There are tutorials
> > about enabling Sentry on Hive but this seems specific to Cloudera
> > distributions. Is there code for the main hive dist as well? Would be great
> > if anybody could give some pointers regarding this.
> >
> > Also, as an evaluator, I was curious about the advantages that Sentry has over
> > other similar projects like Apache Ranger, for example.
> >
> > Thanks a ton for your time!
> >
> > Regards
> > Suvodeep
> >
>
>
>
> --
> Sravya Tirukkovalur
>
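
The role model described in the reply above, written out as the GRANT/REVOKE statements it mentions (an added example, not part of the original thread or taken from the Sentry project). The role names come from the message; the database `sales` and the groups `analysts`, `auditors` and `sales_dbas` are hypothetical.

```sql
-- Define the profiles once. Privileges attach to roles, never to users directly.
CREATE ROLE read_only_user;
CREATE ROLE db_admin;

-- Privileges on the (hypothetical) database "sales" go to the roles.
GRANT SELECT ON DATABASE sales TO ROLE read_only_user;
GRANT ALL ON DATABASE sales TO ROLE db_admin;

-- One role can be handed to several groups; membership in a group
-- (hypothetical names here) is what gives a user the role's privileges.
GRANT ROLE read_only_user TO GROUP analysts;
GRANT ROLE read_only_user TO GROUP auditors;
GRANT ROLE db_admin TO GROUP sales_dbas;

-- Review what is in effect: roles held by a group, privileges held by a role.
SHOW ROLE GRANT GROUP analysts;
SHOW GRANT ROLE read_only_user;

-- Removing access for one group is a single statement and leaves the
-- role definition, and every other group that holds it, untouched.
REVOKE ROLE read_only_user FROM GROUP auditors;

-- Tightening the profile itself changes access for every remaining group at once.
REVOKE SELECT ON DATABASE sales FROM ROLE read_only_user;
```

With the HDFS ACL sync feature described in the same reply enabled, these grants are also what gets applied to the files under the tables' locations, so there is no second ACL set to keep consistent.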

Re: Building a Sentry Client

Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
Hi Suvodeep,

Thanks for your interest!

So SentryPolicyServiceClientDefaultImpl
<https://github.com/apache/incubator-sentry/blob/master/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java>
is the default Java Client for Sentry Service. And SimpleDBProviderBackend
<https://github.com/apache/incubator-sentry/blob/master/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java>
is an example of how to use this client. And Sentry is actually using upstream Hive
<https://github.com/apache/incubator-sentry/blob/master/pom.xml#L71>
(1.1.0).

I am definitely not an expert on all the similar projects but I think
Sentry provides unified authorization for multiple projects in the Hadoop
ecosystem at a much deeper level. For example, it has the capability of syncing
Sentry permissions with HDFS ACLs so that there is just one source of truth.

On Wed, Jul 22, 2015 at 1:32 PM, Suvodeep Pyne <sp...@linkedin.com.invalid>
wrote:

> Hello
>
> I am working on an internal project here at LinkedIn and we are
> investigating Apache Sentry as a possible authentication/authorization
> engine.
>
> Are there any good examples of Java Sentry clients? There are tutorials
> about enabling Sentry on Hive but this seems specific to Cloudera
> distributions. Is there code for the main hive dist as well? Would be great
> if anybody could give some pointers regarding this.
>
> Also, as an evaluator, I was curious about the advantages that Sentry has over
> other similar projects like Apache Ranger, for example.
>
> Thanks a ton for your time!
>
> Regards
> Suvodeep
>



-- 
Sravya Tirukkovalur