Configure Sqoop2 to use Sentry Authorization
As of Sentry 1.6.0, you can configure Sqoop2 to use Sentry authorization when Sentry uses the database storage model, the cluster is secure, and the cluster uses Kerberos authentication.
About this task
Procedure
- Add the following properties to the sentry-site.xml file (/opt/mapr/sentry/sentry-<version>/conf/sentry-site.xml):

    <property>
      <name>sentry.sqoop.provider.backend</name>
      <value>org.apache.sentry.provider.db.generic.SentryGenericProviderBackend</value>
    </property>
    <property>
      <name>sentry.service.allow.connect</name>
      <value>mapr,sqoop</value>
      <description>comma separated list of users - List of users that are allowed to connect to the service (eg Hive, Impala)</description>
    </property>
- Configure the following properties in the sqoop.properties file (/opt/mapr/sqoop/sqoop-2.0.0/server/conf/sqoop.properties):

    # Authentication configuration
    org.apache.sqoop.security.authentication.type=KERBEROS
    org.apache.sqoop.security.authentication.handler=org.apache.sqoop.security.authentication.KerberosAuthenticationHandler
    org.apache.sqoop.security.authentication.kerberos.principal=mapr/<FQDN>@<REALM>
    org.apache.sqoop.security.authentication.kerberos.keytab=/opt/mapr/conf/mapr.keytab
    org.apache.sqoop.security.authentication.kerberos.http.principal=HTTP/<FQDN>@<REALM>
    org.apache.sqoop.security.authentication.kerberos.http.keytab=/opt/mapr/conf/mapr.keytab
    org.apache.sqoop.security.authentication.enable.doAs=true
    org.apache.sqoop.security.authentication.proxyuser.mapr.users=*
    org.apache.sqoop.security.authentication.proxyuser.mapr.groups=*
    org.apache.sqoop.security.authentication.proxyuser.mapr.hosts=*

    # Authorization configuration
    org.apache.sqoop.security.authorization.handler=org.apache.sentry.sqoop.authz.SentryAuthorizationHander
    org.apache.sqoop.security.authorization.access_controller=org.apache.sentry.sqoop.authz.SentryAccessController
    org.apache.sqoop.security.authorization.validator=org.apache.sentry.sqoop.authz.SentryAuthorizationValidator
    org.apache.sqoop.security.authorization.server_name=SqoopServer1
    sentry.sqoop.site.url=file:///opt/mapr/sqoop/sqoop-2.0.0/server/conf/sqoop-sentry-site.xml
- Copy the following JAR files from /sentry/lib to /opt/mapr/sqoop/sqoop-2.0.0/server/webapps/sqoop/WEB-INF/lib/:
- sentry-provider-db-1.6.0-incubating-SNAPSHOT.jar
- shiro-core-1.2.1.jar
- sentry-core-common-1.6.0-incubating-SNAPSHOT.jar
- sentry-core-model-db-1.6.0-incubating-SNAPSHOT.jar
- sentry-core-model-search-1.6.0-incubating-SNAPSHOT.jar
- sentry-core-model-sqoop-1.6.0-incubating-SNAPSHOT.jar
- sentry-provider-common-1.6.0-incubating-SNAPSHOT.jar
- sentry-policy-common-1.6.0-incubating-SNAPSHOT.jar
- libthrift-0.9.2.jar
- sentry-provider-file-1.6.0-incubating-SNAPSHOT.jar
- sentry-binding-sqoop-1.6.0-incubating-SNAPSHOT.jar
- sentry-policy-sqoop-1.6.0-incubating-SNAPSHOT.jar
- Create sqoop-sentry-site.xml in the /opt/mapr/sqoop/sqoop-2.0.0/server/conf/ directory.
- Add the following properties to the sqoop-sentry-site.xml:

    <property>
      <name>sentry.service.security.mode</name>
      <value>kerberos</value>
    </property>
    <property>
      <name>sentry.service.server.principal</name>
      <value>mapr/<FQDN>@<REALM></value>
    </property>
    <property>
      <name>sentry.service.server.keytab</name>
      <value>/opt/mapr/conf/mapr.keytab</value>
    </property>
    <property>
      <name>sentry.service.client.server.rpc-address</name>
      <value>localhost</value>
    </property>
    <property>
      <name>sentry.service.client.server.rpc-port</name>
      <value>8038</value>
    </property>
    <property>
      <name>sentry.sqoop.provider.backend</name>
      <value>org.apache.sentry.provider.db.generic.SentryGenericProviderBackend</value>
    </property>
    <property>
      <name>sentry.service.admin.group</name>
      <value>sqoop2,sqoop,hive,impala,solr,mapr</value>
    </property>
- Start Sqoop2 server:

    maprcli node services -name sqoop2 -action start -nodes <space delimited list of nodes>
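
The following check is an added example, not part of the MapR documentation or the Sentry project: it audits the text of a sqoop.properties file against the values listed in the sqoop.properties step of this procedure and reports proxyuser rules that are left at the wildcard. The function names, the sample content, and the etl_user value are constructed for illustration.

```python
# Added example, not MapR or Sentry project code: audit sqoop.properties text
# against the values listed in the sqoop.properties step of the procedure.
P = "org.apache.sqoop.security."
REQUIRED = {  # key -> value given on the page
    P + "authentication.type": "KERBEROS",
    P + "authentication.handler": P + "authentication.KerberosAuthenticationHandler",
    P + "authorization.handler": "org.apache.sentry.sqoop.authz.SentryAuthorizationHander",
    P + "authorization.access_controller": "org.apache.sentry.sqoop.authz.SentryAccessController",
    P + "authorization.validator": "org.apache.sentry.sqoop.authz.SentryAuthorizationValidator",
    P + "authentication.enable.doAs": "true",
}
MUST_EXIST = [  # site-specific values: only presence is checked
    P + "authentication.kerberos.principal", P + "authentication.kerberos.keytab",
    P + "authorization.server_name", "sentry.sqoop.site.url",
]

def parse_properties(text):
    """Parse key=value lines; skip blanks and '#' or '!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return sorted (severity, key, message) findings; an empty list means clean."""
    props, findings = parse_properties(text), []
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            findings.append(("ERROR", key, f"expected {want}, found {props.get(key)}"))
    for key in MUST_EXIST:
        if not props.get(key):
            findings.append(("ERROR", key, "missing or empty"))
    for key, value in props.items():
        if ".proxyuser." in key and value == "*":
            findings.append(("WARN", key, "wildcard: impersonation scope is unrestricted"))
    return sorted(findings)

# Constructed sample: the validator line is absent and one proxyuser rule is a wildcard.
SAMPLE = "\n".join(
    [f"{k}={v}" for k, v in REQUIRED.items() if not k.endswith("validator")]
    + [f"{k}=placeholder" for k in MUST_EXIST]
    + [P + "authentication.proxyuser.mapr.hosts=*",
       P + "authentication.proxyuser.mapr.users=etl_user"])

if __name__ == "__main__":
    for severity, key, message in audit(SAMPLE):
        print(severity, key, message)
```

With the settings exactly as listed in the procedure, the audit returns no errors and three warnings, one for each proxyuser.mapr wildcard.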