Configuring Impala to Use Sentry Authorization

To configure Impala to use Sentry authorization, edit the Impala env.sh configuration file, and add these options to the IMPALA_SERVER_ARGS declaration.

The following table lists the options with their descriptions:

Option Description
-server_name

This option turns on Sentry authorization for Impala. Specify the symbolic server name to use as the argument for this option. You must also specify this server name as the value for the sentry.hive.server property in the sentry-site.xml configuration file for Hive.

-authorization_policy_file

You can store privileges in an authorization policy file. When you specify this option, in addition to the server_name option, Impala reads privilege information from the policy file instead of a database. Specify the MapR-FS path to the policy file that contains the privilege information.

Complete the following steps to configure Impala to use Sentry authorization:

  1. Edit env.sh located in /opt/mapr/impala/impala-<version>/conf/.
  2. In the IMPALA_SERVER_ARGS declaration, add the following options:
    1. -server_name=<hive_server_2> \
    2. -authorization_policy_file=file:///opt/mapr/sentry/sentry-<version>/conf/<file-name>.ini \
      WARNING: If the policy file is stored in MapR-FS, indicate the MapR-FS location using the following format: -authorization_policy_file=maprfs:///<path_to_policy_file>
  3. Restart the Impala server, statestore service, and catalog service. Refer to Managing Impala for instructions on how to start Impala.
    WARNING: Impala does not start if it detects any issues in the authorization settings or the policy file.
  4. When Impala is running, you can issue the following command to start the impala-shell as a particular user: impala-shell -u <user_name>