Configure Hive to use Sentry Authorization
Configure Hive to use Sentry when you want to use Sentry authorization with Impala.
About this task
Complete the following steps to configure Hive to use Sentry authorization, and create an admin role for the mapr user:
Procedure
- Add the following properties to hive-site.xml:
    <property>
      <name>hive.server2.session.hook</name>
      <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
    </property>
    <property>
      <name>hive.sentry.conf.url</name>
      <value>file:///opt/mapr/sentry/sentry-<version>/conf/sentry-site.xml</value>
      <description>sentry-site.xml file location</description>
    </property>
    <property>
      <name>hive.metastore.rawstore.impl</name>
      <value>org.apache.sentry.binding.metastore.AuthorizingObjectStore</value>
    </property>
    <property>
      <name>hive.metastore.filter.hook</name>
      <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
    </property>
    <property>
      <name>hive.server2.enable.doAs</name>
      <value>false</value>
      <description>Set this property to enable impersonation in Hive Server 2</description>
    </property>
    <property>
      <name>hive.metastore.execute.setugi</name>
      <value>true</value>
    </property>
    <property>
      <name>hive.internal.ss.authz.settings.applied.marker</name>
      <value>true</value>
    </property>
- For Sentry version 1.6 and above, also add the following properties to hive-site.xml:
    <property>
      <name>hive.sentry.subject.name</name>
      <value>mapr</value>
    </property>
    <property>
      <name>hive.metastore.filter.hook</name>
      <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
    </property>
    <property>
      <name>hive.internal.ss.authz.settings.applied.marker</name>
      <value>true</value>
    </property>
- If Sentry uses the database storage model for rules, also add the following properties to hive-site.xml:
    <property>
      <name>hive.support.concurrency</name>
      <description>Enable Hive's Table Lock Manager Service</description>
      <value>true</value>
    </property>
    <property>
      <name>hive.security.authorization.task.factory</name>
      <value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value>
    </property>
    <property>
      <name>hive.metastore.rawstore.impl</name>
      <value>org.apache.sentry.binding.metastore.AuthorizingObjectStore</value>
    </property>
    <property>
      <name>hive.metastore.pre.event.listeners</name>
      <value>org.apache.sentry.binding.metastore.MetastoreAuthzBinding</value>
      <description>list of comma separated listeners for metastore events.</description>
    </property>
- Restart HiveServer2 and the Hive Metastore:
    sudo -u mapr maprcli node services -name hiveserver2 -action restart -nodes <nodename>
    sudo -u mapr maprcli node services -name metastore -action restart -nodes <nodename>
- If Sentry was configured to use the database storage model, issue the following command to restart Sentry:
    sudo -u mapr maprcli node services -name sentry -action restart -nodes <nodename>
- Create the admin role.
  - For the database storage model, run the following commands from the Hive beeline to create the admin role for the mapr user:
      >create role admin_role;
      >grant all on server HS2 to role admin_role;
      >grant role admin_role to group mapr;
  - For the file-based model, update the global-policy.ini file in <SENTRY-HOME>/conf. For example:
      [groups]
      mapr = admin_role
      testuser = test_role
      [roles]
      admin_role = server=HS2
      test_role = server=HS2->db=test_db1->table=test_table->action=all
    NOTE: If you include a non-existent mapping or path to a JAR file that represents a UDF (user-defined function) in any section of the global-policy.ini file, Sentry silently fails and cannot control access to Hive. For example, if you include a mapping to a role that does not exist in the [groups] section, Sentry fails. See Getting Started with Sentry in Hive for more information.
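Because a [groups] entry that maps to an undefined role makes Sentry fail silently, it is worth linting global-policy.ini before restarting the services. The following check is an added example, not part of the original page or of Sentry itself; the function names are hypothetical, it assumes that a group may list several roles separated by commas, and it covers only the role-mapping case, not UDF JAR paths.

```python
# Added example: pre-deployment lint for a Sentry file-based policy (global-policy.ini).
# Constructed sample input; "missing_role" is deliberately left undefined.
SAMPLE_POLICY = """\
[groups]
mapr = admin_role
testuser = test_role, missing_role
[roles]
admin_role = server=HS2
test_role = server=HS2->db=test_db1->table=test_table->action=all
"""


def parse_policy(text):
    """Return ({section: {key: [values]}}, [malformed lines]) for a policy file."""
    sections, malformed, current = {}, [], None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            # Split on the first '=' only: privileges such as server=HS2 contain '='.
            key, value = line.split("=", 1)
            # Assumption: several roles (or privileges) are separated by commas.
            current.setdefault(key.strip(), []).extend(
                item.strip() for item in value.split(",") if item.strip())
        else:
            malformed.append(f"line {number}: cannot parse '{line}'")
    return sections, malformed


def lint_policy(text):
    """Return the problems that would leave a group-to-role mapping dangling."""
    sections, problems = parse_policy(text)
    groups, roles = sections.get("groups", {}), sections.get("roles", {})
    for group, assigned in sorted(groups.items()):
        for role in assigned:
            if role not in roles:
                problems.append(f"group '{group}' maps to undefined role '{role}'")
    return problems


if __name__ == "__main__":
    for problem in lint_policy(SAMPLE_POLICY):
        print("POLICY ERROR:", problem)
```

Run the check against the real file by passing its contents to lint_policy() and treat any returned problem as a reason not to restart HiveServer2 with that policy.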