
Sentry User Guide

Introduction:

Apache Sentry is an open-source Hadoop component released by Cloudera. It provides fine-grained, role-based authorization and a multi-tenant management model. Sentry can currently be integrated with Hive/HCatalog, Apache Solr and Cloudera Impala to provide access control for these components. With role-based access control (RBAC), you create a role, grant that role permissions on each component's objects, and then assign the role to a user group; the members of that group thereby gain access to those objects. When Sentry is used to control Hive permissions, the objects can be the entire server, a single database, or a single table.

1. Log in to the cluster as the hive user

Note: replace uhadoop-sul4mhf4 with your cluster id when testing.

1.1 View all databases

beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "show databases;"

1.2 View all roles

beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "show roles;"

1.3 View current role

beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "show current roles;"

1.4 View current user

beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "select current_user();"

2. Grant admin permissions to the hive user

2.1 Create the admin role

beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "CREATE ROLE admin;"

2.2 Grant all server permissions to the admin role

// Open an interactive beeline session, then run the GRANT at the beeline prompt
beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive
> grant all on server `uhadoop-thp4pjtb-master1` to role admin;

2.3 Assign the admin role to the hive user

// After this step, the hive user can execute all data and permission operations as an administrator.
beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "GRANT ROLE admin TO GROUP hive;"

3. Create test databases (as the hive user)

3.1 Create test databases db1 and db2

// Log in as an administrator user to create two databases, db1 and db2.
beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "create database db1;create database db2;"

// Create a test table and insert data

beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "create table db1.t1(id string);"

beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "insert into  db1.t1  values ('t1_001'),('t1_002');"

beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "create table db2.t2(id string);"

beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "insert into  db2.t2  values ('t2_001'),('t2_002');"

3.2 Create Linux test users user1 and user2 on the master1 and master2 nodes

useradd -M -s /sbin/nologin user1

useradd -M -s /sbin/nologin user2

3.3 Create two roles in Hive and grant each of them different permissions

// Create role role1 and grant it management permission on db1
beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "CREATE ROLE role1;"
beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "grant all on database db1 to role role1 with grant option;"


// Create role role2 and grant it management permission on db2
beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "CREATE ROLE role2;"
beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "grant all on database db2 to role role2 with grant option;"

// show grant role role1; (check the permission list of role1)
// show grant role role2; (check the permission list of role2)

3.4 As the admin user, log in to Hive and assign a different role to each user

beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "GRANT ROLE role1 TO GROUP user1;"


beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n hive -e "GRANT ROLE role2 TO GROUP user2;"

// show role grant group user1; (check the role list of user1)
// show role grant group user2; (check the role list of user2)

4. Log in as user1 and user2 to verify role segregation

// When user1 logs in, only the db1 database is visible
beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n user1 -e "show databases;"

// When user2 logs in, only the db2 database is visible
beeline -u "jdbc:hive2://uhadoop-sul4mhf4-master2:10000"  -n user2 -e "show databases;"
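As an added example (not part of the UHadoop docs), the following POSIX shell script wraps the beeline calls used above and checks that each test user sees exactly the databases its role grants, so a user that can see an extra database is reported. CLUSTER_ID, the tsv2 output format and the sample outputs fed to the check are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the UHadoop docs: verify Sentry role segregation
# by comparing "show databases;" output per user against the expected list.
CLUSTER_ID="${CLUSTER_ID:-uhadoop-sul4mhf4}"   # assumption: replace with your cluster id
JDBC_URL="jdbc:hive2://${CLUSTER_ID}-master2:10000"

# Run one HiveQL statement as the given OS user. tsv2 prints a header line
# followed by one value per line, which keeps the parsing simple.
hive_query() {   # $1 = user, $2 = HiveQL
  beeline -u "$JDBC_URL" -n "$1" --silent=true --outputformat=tsv2 -e "$2"
}

# Turn "show databases;" output into a sorted, space-separated list,
# dropping the tsv2 header (database_name) and blank lines.
parse_dbs() {
  printf '%s\n' "$1" | grep -v '^database_name$' | grep -v '^$' \
    | sort | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 only if the visible list equals the expected list exactly; an
# extra database means the user's group holds more roles than intended.
check_visibility() {  # $1 = user, $2 = expected dbs (space separated), $3 = raw output
  seen=$(parse_dbs "$3")
  want=$(printf '%s\n' $2 | sort | tr '\n' ' ' | sed 's/ $//')
  if [ "$seen" = "$want" ]; then
    echo "OK   $1 sees: $seen"
    return 0
  fi
  echo "FAIL $1 sees: [$seen] expected: [$want]"
  return 1
}

# Live check against the cluster (requires beeline; not called below).
check_cluster() {
  check_visibility user1 "db1" "$(hive_query user1 'show databases;')" &&
  check_visibility user2 "db2" "$(hive_query user2 'show databases;')"
}

# Constructed sample outputs standing in for real beeline tsv2 results:
# user1 is correctly segregated, user2 can unexpectedly see "default".
USER1_OUT="database_name
db1"
USER2_OUT="database_name
db2
default"
check_visibility user1 "db1" "$USER1_OUT"
check_visibility user2 "db2" "$USER2_OUT" || echo "user2 has unexpected access"
```

Set CLUSTER_ID and call check_cluster to run the same comparison against a live cluster.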

5. Other Testing

5.1 Remove a role from a group

REVOKE ROLE role1 FROM GROUP user1;

5.2 Delete a role

// First, check the role list
show roles;

// Delete the role
drop role role2;

5.3 Revoke a role's permissions

// Check the role's current authorization information first
show grant role role1;

// Revoke the operation permission of db1 from role1
revoke all on database db1 from role role1;

Authorization statement description:

Role assignment and revocation

GRANT ROLE role_name [, role_name] TO GROUP <groupName> [,GROUP <groupName>]
REVOKE ROLE role_name [, role_name] FROM GROUP <groupName> [,GROUP <groupName>]

Permission grant and revocation

GRANT <PRIVILEGE> [, <PRIVILEGE> ] ON <OBJECT> <object_name> TO ROLE <roleName> [,ROLE <roleName>]
REVOKE <PRIVILEGE> [, <PRIVILEGE> ] ON <OBJECT> <object_name> FROM ROLE <roleName> [,ROLE <roleName>]

Check role/group permissions

SHOW ROLES;
SHOW CURRENT ROLES;
SHOW ROLE GRANT GROUP <groupName>;
SHOW GRANT ROLE <roleName>;
SHOW GRANT ROLE <roleName> ON <OBJECT> <objectName>;