Posted to dev@sentry.apache.org by Darren Lo <dl...@cloudera.com> on 2014/06/04 17:16:08 UTC

Re: Sentry for Hive Authorization

Hi Silaphet,

All files in HDFS need to be owned by the hive group, which should include
the impala user, and should not have world read or write permissions.
Here's the CM docs for Sentry (with links to CDH guides if not using CM):
http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM5/latest/Cloudera-Manager-Managing-Clusters/cm5mc_sentry_config.html

This is absolutely necessary and part of the design of Sentry. When using
Sentry, you only rely on HDFS permissions to ensure that only impala and
HiveServer2 can access the data on disk. Impala and HiveServer2 will
enforce the sentry permissions. HDFS permissions are not used to enforce
Sentry policies (that would be impossible).

Thanks,
Darren


On Wed, Jun 4, 2014 at 5:23 AM, Gmail <km...@gmail.com> wrote:

> Hi Sentry forum
>
> Can anyone please help? So far the only option I have is that all files in
> HDFS need to be owned by the impala user. This should not be needed; the
> authentication should be done by Sentry.
>
> Thanks
> Silaphet
>
> Sent from my iPhone
>
> On Jun 3, 2014, at 1:36 PM, Darren Lo <dl...@cloudera.com> wrote:
>
> Including the sentry mailing list, which can better answer more advanced
> sentry questions.
>
>
> On Mon, Jun 2, 2014 at 6:42 PM, Silaphet Mounkhaty <km...@gmail.com>
> wrote:
>
>> Hi Darren or Jayant,
>>
>> I decided to define LDAP users/groups in the policy file and load the file
>> into HDFS, and I am getting very close to getting it working correctly. Our
>> security requirement is to create external tables and point these tables
>> to external files in HDFS. Here is an example of the policy file:
>>
>> [groups]
>>
>> analytics=analyst
>>
>> [roles]
>> analyst=server=server1->db=research , \
>>              server=server1->uri=hdfs://hostname.domain.com:8020/data/analyst->action=*
>>
>> Then I load tab1.csv into HDFS as /data/analyst/tab1.csv
>>
>> The Impala user needs to be able to read this tab1.csv file. How can I give
>> read access to this file without either making Impala the owner of
>> this file or adding Impala to the analytics group?
>>
>> If I set Impala to be the owner of the tab1.csv file, then everything works
>> well.
>>
>> Please help.
>>
>> Thanks,
>> Silaphet
>>
>>
>>
>>
>> On Thu, May 29, 2014 at 8:15 PM, Darren Lo <dl...@cloudera.com> wrote:
>>
>>> Hi Silaphet,
>>>
>>> Glad you've been having a good experience with Sentry so far!
>>>
>>> As you suspected, you should configure LDAP group mappings in the HDFS
>>> service, then in Hive configuration set hive.sentry.provider
>>> to org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider
>>> so it'll use the same groups that the rest of the hadoop cluster uses. When
>>> you change the group provider, then the groups defined in your policy files
>>> will no longer have any effect.
>>>
>>> To configure HDFS to use LDAP for group mappings, see:
>>>
>>> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM5/latest/Configuring-Hadoop-Security-with-Cloudera-Manager/cm5chs_ldap_grp_mappings.html
>>>
>>> Thanks,
>>> Darren
>>>
>>>
>>> On Thu, May 29, 2014 at 7:32 PM, Silaphet Mounkhaty <
>>> kmounkhaty@gmail.com> wrote:
>>>
>>>> Hi Impala Forum,
>>>>
>>>> I was testing role-based access control with Sentry by using the Cloudera
>>>> VM and it was working beautifully. Since I was testing with the Cloudera VM, I had to
>>>> create local Linux groups and users to define the groups and roles in the policy
>>>> file.
>>>>
>>>> However, I then enabled Sentry on my real test cluster with five nodes,
>>>> where Linux groups and users are authenticated by LDAP AD, which means no
>>>> local groups and users. When I defined groups, users, and roles in the policy file,
>>>> I couldn't get access to any databases when logging into impala-shell.
>>>>
>>>> Do I have to configure LDAP group mappings in the HDFS service? If not, is
>>>> there another option available?
>>>>
>>>> Again, on my test cluster, Linux groups and users are authenticated by
>>>> LDAP AD.
>>>>
>>>> Please help.
>>>>
>>>> Thanks,
>>>> Silaphet
>>>>
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to impala-user+unsubscribe@cloudera.org.
>>>>
>>>
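As an added example (not code from the thread, from Cloudera or from Sentry itself), the following Python parses a policy file in the format Silaphet posted, lists the HDFS URIs a group is granted through its roles, and audits a constructed `hdfs dfs -ls` listing against the rule Darren states: data files group-owned by `hive` with no world read or write bits. The hostname, paths and listing entries are constructed placeholders.

```python
import re
from typing import Dict, List
# Constructed policy file in Sentry's INI-style format, modelled on the thread's (host/paths are placeholders).
POLICY_FILE = """
[groups]
analytics=analyst
[roles]
analyst=server=server1->db=research , \\
             server=server1->uri=hdfs://hostname.domain.com:8020/data/analyst->action=*
"""
# Constructed `hdfs dfs -ls` output for the directory named in that URI.
LISTING = """
-rw-r--r--   3 analyst hive        1024 2014-06-02 18:42 /data/analyst/tab1.csv
-rw-rw----   3 hive    hive        2048 2014-06-02 18:42 /data/analyst/tab2.csv
-rw-r-----   3 impala  supergroup   512 2014-06-02 18:42 /data/analyst/tab3.csv
"""

def parse_policy(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the [groups] and [roles] sections; a trailing backslash continues the line."""
    joined = re.sub(r"\\\s*\n\s*", "", text)  # fold backslash continuations first
    sections: Dict[str, Dict[str, List[str]]] = {"groups": {}, "roles": {}}
    current = None
    for raw in joined.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current in sections and "=" in line:
            name, _, value = line.partition("=")  # first '=' separates the name from its privilege list
            sections[current][name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return sections

def group_uris(policy: Dict[str, Dict[str, List[str]]], group: str) -> List[str]:
    """Every HDFS URI the group is granted through its roles."""
    return [p[4:] for role in policy["groups"].get(group, []) for priv in policy["roles"].get(role, [])
            for p in priv.split("->") if p.startswith("uri=")]

LS_RE = re.compile(r"^[-d]([rwx-]{9})\+?\s+\S+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(\S+)$")

def audit_hdfs_listing(listing: str, required_group: str = "hive") -> List[str]:
    """One finding per entry violating the thread's rule: group `hive`, no world read/write bits."""
    findings = []
    for line in listing.strip().splitlines():
        m = LS_RE.match(line.strip())
        if not m:
            continue
        mode, _owner, group, path = m.groups()
        if group != required_group:
            findings.append(f"{path}: group is {group!r}, expected {required_group!r}")
        if mode[6] == "r" or mode[7] == "w":  # the 'others' triple is mode[6:9]
            findings.append(f"{path}: world-accessible (others={mode[6:9]})")
    return findings
```

Running the audit over a real `hdfs dfs -ls -R` of each URI returned by `group_uris` shows which files still depend on ownership by the impala user rather than on the hive group.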