Table of Contents
1. Sentry and Hive configuration
2. Sentry and Impala configuration
3. Sentry and Hue configuration

1. Sentry and Hive configuration
This article gives a rough outline of configuring Sentry for Hive and Impala through Cloudera Manager on CDH 5.14.
In Sentry, privileges can only be granted to roles, and a role is assigned to one or more groups. Once a role is attached to a user group, the users in that group have the corresponding privileges: Privileges -> Roles -> User groups -> Users. Which privileges a user ends up with is therefore decided along that chain, and both the grant of privileges to roles and the grant of roles to user groups are done with GRANT / REVOKE SQL statements. Sentry can be configured with an administrators group; every user who belongs to that group has administrator capabilities.
1. Disable impersonation in HiveServer2:
Hive service -> Configuration -> Scope -> HiveServer2 -> Category -> Main -> uncheck "HiveServer2 Enable Impersonation", as shown below:
2. Add the hive user to the Allowed System Users so that its jobs can be submitted to YARN:
YARN service -> Configuration -> Scope -> NodeManager -> Category -> Security -> Allowed System Users. If the hive user is not listed, add it, then restart the YARN service (do this for the NodeManager on every YARN node), as shown below:
3. Enable the Sentry service for the Hive service:
Hive service -> Configuration -> Scope -> Hive (Service-Wide) -> Category -> Main -> Sentry Service -> select Sentry, then restart the Hive service.
4. As in step 3, enable the Sentry service for the Impala and Hue services.
5. Add the hive / impala / hue service administrators to the Sentry admin groups:
Sentry service -> Configuration -> Scope -> Sentry (Service-Wide) -> Category -> Main -> Admin Groups (adminGroups) -> add hive / impala / hue. Figure:
6. Turn on testing mode for the Hive service:
Hive service -> Configuration -> Scope -> Hive (Service-Wide) -> Category -> Main -> Advanced -> Hive Service Advanced Configuration Snippet for sentry-site.xml, as shown: [sentry.hive.testing.mode]
Note: if testing mode is not turned on, starting the Sentry service may report:
FAILED: InvalidConfigurationException hive.server2.authentication can't be none in non-testing mode
Note: the Hive CLI does not support Sentry, so once the Sentry service is running it is recommended to prohibit use of the Hive CLI and run Hive queries through Beeline instead. The SQL statements that configure Sentry authorization must also be run in the Beeline client. For the authorization statements themselves, refer to "Hive SQL Syntax for Use with Sentry".
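The privileges -> roles -> user groups chain described at the start of this section, written out as the statements an administrator would run in Beeline. This is an added example, not part of the original article; the database, table, column, role and group names are assumptions.

```sql
-- Run in Beeline as a user whose group is listed in Sentry's admin groups
-- (step 5 above, e.g. hive).
-- Assumed names, not from the article: database sales_db, tables orders and
-- customers, roles analyst_ro and etl_rw, OS/LDAP groups analysts and etl.

-- 1. Roles come first: a privilege can only be granted to a role.
CREATE ROLE analyst_ro;
CREATE ROLE etl_rw;

-- 2. Privileges -> roles. Grant the narrowest object that does the job.
USE sales_db;
GRANT SELECT ON TABLE orders TO ROLE analyst_ro;
-- Column-level SELECT keeps the remaining columns of customers unreadable.
GRANT SELECT(customer_id, region) ON TABLE customers TO ROLE analyst_ro;
-- The ETL role gets full control of this one database only.
GRANT ALL ON DATABASE sales_db TO ROLE etl_rw;

-- 3. Roles -> user groups. Users are never named: they inherit whatever
--    the groups they belong to have been given.
GRANT ROLE analyst_ro TO GROUP analysts;
GRANT ROLE etl_rw TO GROUP etl;

-- 4. Review what was granted, walking the chain in both directions.
SHOW ROLES;                        -- every role known to Sentry
SHOW ROLE GRANT GROUP analysts;    -- roles attached to a group
SHOW GRANT ROLE analyst_ro;        -- privileges held by a role

-- 5. Withdraw access in the reverse order when it is no longer needed.
REVOKE SELECT ON TABLE orders FROM ROLE analyst_ro;
REVOKE ROLE analyst_ro FROM GROUP analysts;
DROP ROLE analyst_ro;
```

Running step 4 after every change gives a record of which groups hold which privileges, which is the view an access review needs.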
2. Sentry and Impala configuration
3. Sentry and Hue configuration
To be able to modify roles and privileges in Hue, a group that the Hue user belongs to must be among Sentry's admin groups.
For example: the Hue user yuhui belongs to the admin group, so the admin group needs to be added to the sentry_service_admin_group configuration.
In addition, the following configuration also needs to be modified:
sentry_service_allow_connect: add yuhui
sentry_service_admin_group: add admin
Reference: http://gethue.com/apache-sentry-made-easy-with-the-new-hue-security-app/
Configured as follows:
The results are as follows: