The Sentry Service
The Sentry service is a RPC server that stores the authorization metadata in an underlying relational database and provides RPC interfaces to retrieve and manipulate privileges. It supports secure access to services using Kerberos. The service serves authorization metadata from the database backed storage; it does not handle actual privilege validation. The Hive, Impala, and Solr services are clients of this service and will enforce Sentry privileges when configured to use Sentry.
The motivation behind introducing a new Sentry service is to make it easier to handle user privileges than the existing policy file approach. Providing a service instead of a file allows you to use the more traditional GRANT/REVOKE statements to modify privileges.
- Column-level access control for tables in Hive and Impala. Previously, Sentry supported privilege granularity only down to a table. Hence, if you wanted to restrict access to a column of sensitive data, the workaround would be to first create view for a subset of columns, and then grant privileges on that view. To reduce the administrative overhead associated with such an approach, Sentry now allows you to assign the SELECT privilege on a subset of columns in a table.
- Support for Configs, which are objects that contain all Solr configuration information. For more information on Configs, see Understanding configs and instancedirs.
In CDH 5.8 Cloudera Search adds support for storing permissions in the Sentry service. You can enable storing permissions in the Sentry service by Enabling Sentry Policy File Authorization for Solr. If you have already configured Sentry's policy file-based approach, you can migrate existing authorization settings as described in Migrating from Sentry Policy Files to the Sentry Service. solrctl has been extended to support:
- Migrating existing policy files to the Sentry service
- Managing managing permissions in the Sentry service
- Prerequisites
- Terminology
- Privilege Model
- User to Group Mapping
- Appendix: Authorization Privilege Model for Hive and Impala
- Appendix: Authorization Privilege Model for Solr
For more information on installing, upgrading and configuring the Sentry service, see:
Prerequisites
- CDH 5.1.x (or higher) managed by Cloudera Manager 5.1.x (or higher). See the Cloudera Manager Administration Guide and Cloudera Installation and Upgrade for instructions.
- HiveServer2 and the Hive Metastore running with strong authentication. For HiveServer2, strong authentication is either Kerberos or LDAP. For the Hive Metastore, only Kerberos is considered strong authentication (to override, see Securing the Hive Metastore).
- Impala 1.4.0 (or higher) running with strong authentication. With Impala, either Kerberos or LDAP can be configured to achieve strong authentication.
- Cloudera Search for CDH 5.1.0 or higher. Solr supports using Sentry beginning with CDH 5.1.0. Different functionality is added
at different releases:
- Sentry with policy files is added in CDH 5.1.0.
- Sentry with config support is added in CDH 5.5.0.
- Sentry with database-backed Sentry service is added with CDH 5.8.0.
- Implement Kerberos authentication on your cluster. For instructions, see Enabling Kerberos Authentication Using the Wizard.
Terminology
- An object is an entity protected by Sentry's authorization rules. The objects supported in the current release are server, database, table, URI, collection, and config.
- A role is a collection of rules for accessing a given object.
- A privilege is granted to a role to govern access to an object. With CDH 5.5, Sentry allows you to assign the SELECT privilege to
columns (only for Hive and Impala). Supported privileges are:
Table 1. Valid privilege types and the objects they apply to Privilege Object INSERT DB, TABLE SELECT DB, TABLE, COLUMN UPDATE COLLECTION, CONFIG QUERY COLLECTION, CONFIG ALL SERVER, TABLE, DB, URI, COLLECTION, CONFIG - A user is an entity that is permitted by the authentication subsystem to access the service. This entity can be a Kerberos principal, an LDAP userid, or an artifact of some other supported pluggable authentication system.
- A group connects the authentication system with the authorization system. It is a collection of one or more users who have been granted one or more authorization roles. Sentry allows a set of roles to be configured for a group.
- A configured group provider determines a user’s affiliation with a group. The current release supports HDFS-backed groups and locally configured groups.
Privilege Model
- Allows any user to execute show function, desc function, and show locks.
- Allows the user to see only those tables, databases, collections, configs for which this user has privileges.
- Requires a user to have the necessary privileges on the URI to execute HiveQL operations that take in a location. Examples of such operations include LOAD, IMPORT, and EXPORT.
- Privileges granted on URIs are recursively applied to all subdirectories. That is, privileges only need to be granted on the parent directory.
- CDH 5.5 introduces column-level access control for tables in Hive and Impala. Previously, Sentry supported privilege granularity only down to a table. Hence, if you wanted to restrict access to a column of sensitive data, the workaround would be to first create view for a subset of columns, and then grant privileges on that view. To reduce the administrative overhead associated with such an approach, Sentry now allows you to assign the SELECT privilege on a subset of columns in a table.
- When Sentry is enabled, you must use Beeline to execute Hive queries. Hive CLI is not supported with Sentry and must be disabled.
- When Sentry is enabled, a user with no privileges on a database will not be allowed to connect to HiveServer2. This is because the use <database> command is now executed as part of the connection to HiveServer2, which is why the connection fails. See HIVE-4256.
For more information, see Appendix: Authorization Privilege Model for Hive and Impala.
User to Group Mapping
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
Group mappings in Sentry can be summarized as in the figure below.
Irrespective of the mechanism used, user/group mappings must be applied consistently across all cluster hosts for ease with maintenance.
Appendix: Authorization Privilege Model for Hive and Impala
Privileges can be granted on different objects in the Hive warehouse. Any privilege that can be granted is associated with a level in the object hierarchy. If a privilege is granted on a container object in the hierarchy, the base object automatically inherits it. For instance, if a user has ALL privileges on the database scope, then (s)he has ALL privileges on all of the base objects contained within that scope.
Object Hierarchy in Hive
Server Database Table Partition Columns View Index Function/Routine Lock
Privilege | Object |
---|---|
INSERT | DB, TABLE |
SELECT | DB, TABLE, COLUMN |
ALL | SERVER, TABLE, DB, URI |
Base Object | Granular privileges on object | Container object that contains the base object | Privileges on container object that implies privileges on the base object |
---|---|---|---|
DATABASE | ALL | SERVER | ALL |
TABLE | INSERT | DATABASE | ALL |
TABLE | SELECT | DATABASE | ALL |
COLUMN | SELECT | DATABASE | ALL |
VIEW | SELECT | DATABASE | ALL |
Operation | Scope | Privileges Required | URI |
---|---|---|---|
CREATE DATABASE | SERVER | ALL | |
DROP DATABASE | DATABASE | ALL | |
CREATE TABLE | DATABASE | ALL | |
DROP TABLE | TABLE | ALL | |
CREATE VIEW
-This operation is allowed if you have column-level SELECT access to the columns being used. |
DATABASE; SELECT on TABLE; | ALL | |
ALTER VIEW
-This operation is allowed if you have column-level SELECT access to the columns being used. |
VIEW/TABLE | ALL | |
DROP VIEW | VIEW/TABLE | ALL | |
ALTER TABLE .. ADD COLUMNS | TABLE | ALL on DATABASE | |
ALTER TABLE .. REPLACE COLUMNS | TABLE | ALL on DATABASE | |
ALTER TABLE .. CHANGE column | TABLE | ALL on DATABASE | |
ALTER TABLE .. RENAME | TABLE | ALL on DATABASE | |
ALTER TABLE .. SET TBLPROPERTIES | TABLE | ALL on DATABASE | |
ALTER TABLE .. SET FILEFORMAT | TABLE | ALL on DATABASE | |
ALTER TABLE .. SET LOCATION | TABLE | ALL on DATABASE | URI |
ALTER TABLE .. ADD PARTITION | TABLE | ALL on DATABASE | |
ALTER TABLE .. ADD PARTITION location | TABLE | ALL on DATABASE | URI |
ALTER TABLE .. DROP PARTITION | TABLE | ALL on DATABASE | |
ALTER TABLE .. PARTITION SET FILEFORMAT | TABLE | ALL on DATABASE | |
SHOW CREATE TABLE | TABLE | SELECT/INSERT | |
SHOW PARTITIONS | TABLE | SELECT/INSERT | |
SHOW TABLES
-Output includes all the tables for which the user has table-level privileges and all the tables for which the user has some column-level privileges. |
TABLE | SELECT/INSERT | |
SHOW GRANT ROLE
-Output includes an additional field for any column-level privileges. |
TABLE | SELECT/INSERT | |
DESCRIBE TABLE
-Output shows all columns if the user has table level-privileges or SELECT privilege on at least one table column |
TABLE | SELECT/INSERT | |
LOAD DATA | TABLE | INSERT | URI |
SELECT
-You can grant the SELECT privilege on a view to give users access to specific columns of a table they do not otherwise have access to. -See Column-level Authorization for details on allowed column-level operations. |
VIEW/TABLE; COLUMN | SELECT | |
INSERT OVERWRITE TABLE | TABLE | INSERT | |
CREATE TABLE .. AS SELECT
-This operation is allowed if you have column-level SELECT access to the columns being used. |
DATABASE; SELECT on TABLE | ALL | |
USE <dbName> | Any | ||
CREATE FUNCTION | SERVER | ALL | |
ALTER TABLE .. SET SERDEPROPERTIES | TABLE | ALL on DATABASE | |
ALTER TABLE .. PARTITION SET SERDEPROPERTIES | TABLE | ALL on DATABASE | |
Hive-Only Operations | |||
INSERT OVERWRITE DIRECTORY | TABLE | INSERT | URI |
Analyze TABLE | TABLE | SELECT + INSERT | |
IMPORT TABLE | DATABASE | ALL | URI |
EXPORT TABLE | TABLE | SELECT | URI |
ALTER TABLE TOUCH | TABLE | ALL on DATABASE | |
ALTER TABLE TOUCH PARTITION | TABLE | ALL on DATABASE | |
ALTER TABLE .. CLUSTERED BY SORTED BY | TABLE | ALL on DATABASE | |
ALTER TABLE .. ENABLE/DISABLE | TABLE | ALL on DATABASE | |
ALTER TABLE .. PARTITION ENABLE/DISABLE | TABLE | ALL on DATABASE | |
ALTER TABLE .. PARTITION.. RENAME TO PARTITION | TABLE | ALL on DATABASE | |
MSCK REPAIR TABLE | TABLE | ALL | |
ALTER DATABASE | DATABASE | ALL | |
DESCRIBE DATABASE | DATABASE | SELECT/INSERT | |
SHOW COLUMNS
-Output for this operation filters columns to which the user does not have explicit SELECT access |
TABLE | SELECT/INSERT | |
CREATE INDEX | TABLE | ALL | |
DROP INDEX | TABLE | ALL | |
SHOW INDEXES | TABLE | SELECT/INSERT | |
GRANT PRIVILEGE | Allowed only for Sentry admin users | ||
REVOKE PRIVILEGE | Allowed only for Sentry admin users | ||
SHOW GRANTS | Allowed only for Sentry admin users | ||
SHOW TBLPROPERTIES | TABLE | SELECT/INSERT | |
DESCRIBE TABLE .. PARTITION | TABLE | SELECT/INSERT | |
ADD JAR | Not Allowed | ||
ADD FILE | Not Allowed | ||
DFS | Not Allowed | ||
Impala-Only Operations | |||
EXPLAIN | TABLE; COLUMN | SELECT | |
INVALIDATE METADATA | SERVER | ALL | |
INVALIDATE METADATA <table name> | TABLE | SELECT/INSERT | |
REFRESH <table name> | TABLE | SELECT/INSERT | |
DROP FUNCTION | SERVER | ALL | |
COMPUTE STATS | TABLE | ALL |
Appendix: Authorization Privilege Model for Solr
The tables below refer to the request handlers defined in the generated solrconfig.xml.secure. If you are not using this configuration file, the below may not apply.
admin is a special collection in sentry used to represent administrative actions. A non-administrative request may only require privileges on the collection or config on which the request is being performed. This is called either collection1 or config1 in this appendix. An administrative request may require privileges on both the admin collection and collection1. This is denoted as admin, collection1 in the tables below.
Request Handler | Required Collection Privilege | Collections that Require Privilege |
---|---|---|
select | QUERY | collection1 |
query | QUERY | collection1 |
get | QUERY | collection1 |
browse | QUERY | collection1 |
tvrh | QUERY | collection1 |
clustering | QUERY | collection1 |
terms | QUERY | collection1 |
elevate | QUERY | collection1 |
analysis/field | QUERY | collection1 |
analysis/document | QUERY | collection1 |
update | UPDATE | collection1 |
update/json | UPDATE | collection1 |
update/csv | UPDATE | collection1 |
Collection Action | Required Collection Privilege | Collections that Require Privilege |
---|---|---|
create | UPDATE | admin, collection1 |
delete | UPDATE | admin, collection1 |
reload | UPDATE | admin, collection1 |
createAlias | UPDATE | admin, collection1
Note: collection1 here refers to the name of the alias, not the
underlying collection(s). For example, http://YOUR-HOST:8983/ solr/admin/collections?action= CREATEALIAS&name=collection1
&collections=underlyingCollection
|
deleteAlias | UPDATE | admin, collection1
Note: collection1 here refers to the name of the alias, not the
underlying collection(s). For example, http://YOUR-HOST:8983/ solr/admin/collections?action= DELETEALIAS&name=collection1
|
syncShard | UPDATE | admin, collection1 |
splitShard | UPDATE | admin, collection1 |
deleteShard | UPDATE | admin, collection1 |
Collection Action | Required Collection Privilege | Collections that Require Privilege |
---|---|---|
create | UPDATE | admin, collection1 |
rename | UPDATE | admin, collection1 |
load | UPDATE | admin, collection1 |
unload | UPDATE | admin, collection1 |
status | UPDATE | admin, collection1 |
persist | UPDATE | admin |
reload | UPDATE | admin, collection1 |
swap | UPDATE | admin, collection1 |
mergeIndexes | UPDATE | admin, collection1 |
split | UPDATE | admin, collection1 |
prepRecover | UPDATE | admin, collection1 |
requestRecover | UPDATE | admin, collection1 |
requestSyncShard | UPDATE | admin, collection1 |
requestApplyUpdates | UPDATE | admin, collection1 |
Request Handler | Required Collection Privilege | Collections that Require Privilege |
---|---|---|
LukeRequestHandler | QUERY | admin |
SystemInfoHandler | QUERY | admin |
SolrInfoMBeanHandler | QUERY | admin |
PluginInfoHandler | QUERY | admin |
ThreadDumpHandler | QUERY | admin |
PropertiesRequestHandler | QUERY | admin |
LogginHandler | QUERY, UPDATE (or *) | admin |
ShowFileRequestHandler | QUERY | admin |
Config Action | Required Collection Privilege | Collections that Require Privilege | Required Config Privilege | Configs that Require Privilege |
---|---|---|---|---|
CREATE | UPDATE | admin | * | config1 |
DELETE | UPDATE | admin | * | config1 |
<< Authorization With Apache Sentry | ©2016 Cloudera, Inc. All rights reserved | Installing and Upgrading the Sentry Service >> |
Terms and Conditions Privacy Policy |