This is the documentation for Cloudera Manager 5.1.x.
Documentation for other versions is available at Cloudera Documentation.

The Sentry Service

The Sentry service is an RPC server that stores authorization metadata in an underlying relational database and provides RPC interfaces to retrieve and manipulate privileges. It supports secure access to services using Kerberos. The service serves authorization metadata from the database-backed storage; it does not perform privilege validation itself. The Hive and Impala services are clients of this service and enforce Sentry privileges when configured to use Sentry.

For more details on the new privilege model and Grant/Revoke syntax to modify privileges, see Sentry Service Configuration.

Adding the Sentry Service

  1. On the Home page, click to the right of the cluster name and select Add a Service. A list of service types displays. You can add one type of service at a time.
  2. Select the Sentry service and click Continue.
  3. Select the radio button next to the services on which the new service should depend and click Continue.
  4. Customize the assignment of role instances to hosts. The wizard evaluates the hardware configurations of the hosts to determine the best hosts for each role. These assignments are typically acceptable, but you can reassign role instances to hosts of your choosing, if desired.

    Click a field below a role to display a dialog containing a pageable list of hosts. If you click a field containing multiple hosts, you can also select All Hosts to assign the role to all hosts or Custom to display the pageable hosts dialog.

    The following shortcuts for specifying host names are supported:
    • Range of hostnames (without the domain portion)
      Range Definition          Matching Hosts
      10.1.1.[1-4]              10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4
      host[1-3].company.com     host1.company.com, host2.company.com, host3.company.com
      host[07-10].company.com   host07.company.com, host08.company.com, host09.company.com, host10.company.com
    • IP addresses
    • Rack name

    Click the View By Host button for an overview of the role assignment by host ranges.

  5. Configure database settings:
    1. Choose the database type:
      • Leave the default setting of Use Embedded Database to have Cloudera Manager create and configure required databases. Make a note of the auto-generated passwords.
      • Select Use Custom Databases to specify external databases.
        1. Enter the database host, database type, database name, username, and password for the database that you created when you set up the database.
    2. Click Test Connection to confirm that Cloudera Manager can communicate with the database using the information you have supplied. If the test succeeds in all cases, click Continue; otherwise check and correct the information you have provided for the database and then try the test again. (For some servers, if you are using the embedded database, you will see a message saying the database will be created at a later step in the installation process.) The Review Changes page displays.
  6. Click Continue to start the service.
  7. Click Continue then click Finish. You are returned to the Home page.
  8. Verify that the new service started properly by checking its health status. If the Health Status is Good, the service started properly.
  9. To begin using the Sentry service, see Enabling the Sentry Service for Hive and Enabling the Sentry Service for Impala.
  10. Use the command-line interface Beeline to issue grants to the Sentry service to match the contents of your old policy file(s). For more details on the Sentry service and examples on using Grant/Revoke statements to match your policy file, see Sentry Service Configuration.
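
The host name shortcuts accepted in step 4 are easy to mistype, and a range that does not match the hosts you meant assigns a role to nothing or to the wrong machine. The following is an added example, not Cloudera Manager's own code: it expands the three documented range forms (zero padding preserved, so host[07-10] gives host07 through host10) and checks the result against a constructed cluster inventory so that unmatched names surface before the assignment is saved. The single-range grammar and the INVENTORY list are assumptions; the page does not describe the dialog's full syntax.

```python
import re

# One bracketed numeric range per pattern, matching the three forms the page
# documents; any richer grammar the dialog may accept is not described there,
# so this is an assumption.
_RANGE = re.compile(r"\[(\d+)-(\d+)\]")


def expand_host_range(pattern):
    """Expand 'host[07-10].company.com' into the hosts it denotes.

    Zero padding is kept when the lower bound carries it, so host[07-10]
    yields host07 ... host10 rather than host7 ... host10.
    """
    m = _RANGE.search(pattern)
    if m is None:
        return [pattern]
    lo_text, hi_text = m.group(1), m.group(2)
    lo, hi = int(lo_text), int(hi_text)
    if lo > hi:
        raise ValueError("empty range in %r" % pattern)
    width = len(lo_text) if lo_text.startswith("0") else 0
    prefix, suffix = pattern[:m.start()], pattern[m.end():]
    return [prefix + str(n).zfill(width) + suffix for n in range(lo, hi + 1)]


def resolve_host_specs(specs, inventory):
    """Expand several patterns and split the result into hosts that exist in
    the cluster inventory and names that do not.

    A typo in a range silently assigns a role to nothing (or to the wrong
    box), so the unknown list is worth reading before clicking Continue.
    """
    wanted = []
    for spec in specs:
        for host in expand_host_range(spec):
            if host not in wanted:
                wanted.append(host)
    known = set(inventory)
    matched = [h for h in wanted if h in known]
    unknown = [h for h in wanted if h not in known]
    return matched, unknown


# Constructed inventory for the usage below; not a real cluster.
INVENTORY = ["host%02d.company.com" % n for n in range(1, 11)]

if __name__ == "__main__":
    print(resolve_host_specs(["host[07-10].company.com", "host[11-12].company.com"], INVENTORY))
```

The `unknown` list is the thing to act on: hosts that Cloudera Manager does not know about cannot receive a role, so a non-empty result means the range or the inventory is wrong.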

Migrating to the Sentry Service

The following steps describe how you can upgrade from Sentry's policy file-based approach to the new database-backed Sentry service.

  1. If you haven't already done so, upgrade your cluster to CDH 5.1.x and Cloudera Manager 5.1.x. Refer to the Cloudera Manager Administration Guide for instructions.
  2. Disable the existing Sentry policy file for any Hive or Impala services on the cluster. To do this:
    1. Navigate to the Hive or Impala service.
    2. Click the Configuration tab.
    3. Under the Service-Wide > Policy File Based Sentry category, uncheck the Enable Sentry Authorization using Policy Files checkbox. Cloudera Manager will throw a validation error if you attempt to configure the Sentry service while this property is checked.
    4. Repeat for any remaining Hive or Impala services.
  3. Add the new Sentry service to your cluster. For instructions, see Adding the Sentry Service.
  4. To begin using the Sentry service, see Enabling the Sentry Service for Hive and Enabling the Sentry Service for Impala.
  5. Use the command-line interface Beeline to issue grants to the Sentry service to match the contents of your old policy file(s). For more details on the Sentry service and examples on using Grant/Revoke statements to match your policy file, see Sentry Service Configuration.
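
Step 5 above, like step 10 of Adding the Sentry Service, asks you to reproduce the old policy file as Grant statements by hand. Hand transcription is where privileges get silently widened or dropped, so the following added example (not Cloudera's or Sentry's code) mechanically translates a policy file into the ordered statements Beeline should run: CREATE ROLE first, then the role's privileges, then group memberships. Two assumptions are built in: the [groups]/[roles] file layout and the server=...->db=...->table=...->action=... privilege syntax are taken from Sentry's file-based provider as documented elsewhere, and the Grant statement forms (ON SERVER, ON DATABASE, ON TABLE, ON URI, GRANT ROLE ... TO GROUP) are those of the Sentry service's Hive SQL. SAMPLE_POLICY is constructed. Names are validated before they are placed in a statement, so a policy file with quotes or semicolons in an identifier is refused instead of being passed to Beeline.

```python
import configparser
import re

# Constructed sample in the [groups]/[roles] layout of Sentry's file-based
# policy provider (format assumed from Sentry's own documentation; this page
# does not reproduce it).
SAMPLE_POLICY = """\
[groups]
admin = admin_role
analyst = analyst_role, etl_role
[roles]
admin_role = server=server1
analyst_role = server=server1->db=sales->table=orders->action=select,
    server=server1->db=sales->table=customers->action=select
etl_role = server=server1->db=staging, server=server1->uri=hdfs://nameservice1/landing/sales
"""

# Only plain identifiers and a conservative URI alphabet are allowed through;
# anything else (quotes, semicolons, whitespace) is refused rather than being
# interpolated into a statement that Beeline will execute.
_IDENT = re.compile(r"^[A-Za-z0-9_]+$")
_URI = re.compile(r"^[A-Za-z0-9_./:-]+$")
_ACTIONS = {"SELECT", "INSERT", "ALL"}


def _ident(value, what):
    if not _IDENT.match(value):
        raise ValueError("unsafe %s name in policy file: %r" % (what, value))
    return value


def privilege_to_grant(priv, role):
    """Translate one 'server=...->db=...->table=...->action=...' entry."""
    parts = dict(p.split("=", 1) for p in priv.split("->"))
    action = parts.get("action", "all").upper()  # no action in the file means ALL
    if action not in _ACTIONS:
        raise ValueError("unknown action %r for role %s" % (action, role))
    if "uri" in parts:
        if not _URI.match(parts["uri"]):
            raise ValueError("unsafe URI in policy file: %r" % parts["uri"])
        obj = "URI '%s'" % parts["uri"]
    elif "table" in parts and parts["table"] != "*":
        obj = "TABLE %s.%s" % (_ident(parts["db"], "database"), _ident(parts["table"], "table"))
    elif "db" in parts:
        # table=* means every table in the database, i.e. a database-level grant
        obj = "DATABASE %s" % _ident(parts["db"], "database")
    elif "server" in parts:
        obj = "SERVER %s" % _ident(parts["server"], "server")
    else:
        raise ValueError("privilege without an object: %r" % priv)
    return "GRANT %s ON %s TO ROLE %s;" % (action, obj, _ident(role, "role"))


def _split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def policy_to_grants(policy_text):
    """Return the Beeline statements that recreate a policy file's contents.

    Roles are created first, then their privileges, then group memberships,
    so the list can be fed to Beeline top to bottom. A group that names a
    role the file never defines is an error: stopping here beats granting
    the group an empty role and finding the gap in production.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of role and group names
    cp.read_string(policy_text)
    roles = cp["roles"] if cp.has_section("roles") else {}
    groups = cp["groups"] if cp.has_section("groups") else {}

    statements = ["CREATE ROLE %s;" % _ident(role, "role") for role in roles]
    for role, privs in roles.items():
        for priv in _split_list(privs):
            statements.append(privilege_to_grant(priv, role))
    for group, role_list in groups.items():
        for role in _split_list(role_list):
            if role not in roles:
                raise ValueError("group %s references undefined role %s" % (group, role))
            statements.append("GRANT ROLE %s TO GROUP %s;" % (role, _ident(group, "group")))
    return statements


if __name__ == "__main__":
    print("\n".join(policy_to_grants(SAMPLE_POLICY)))
```

Review the generated statements against the old file before running them: the translation is only as good as the policy file, and this is the moment to drop stale roles rather than carry them into the service.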

Enabling the Sentry Service for Hive

  Important: Ensure you have unchecked the Enable Sentry Authorization using Policy Files configuration property for both Hive and Impala under the Service-Wide > Policy File Based Sentry category.

Before you begin:

  • Ensure all the action items under Prerequisites are complete.
  • The Hive warehouse directory (/user/hive/warehouse or the path you have specified as hive.metastore.warehouse.dir in your Hive configuration) must be owned by the hive user and group.
  • Permissions on the Hive warehouse directory and all subdirectories must be 771. All files and directories should be owned by hive:hive. For example:
    $ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
    $ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse
  • Disable impersonation for HiveServer2 in the Cloudera Manager Admin Console:
    1. Go to the Hive service.
    2. Click the Configuration tab.
    3. Under the HiveServer2 role group, uncheck the HiveServer2 Enable Impersonation property, and click Save Changes.
  • To enable the Hive user to submit MapReduce jobs, under TaskTracker role group(s) set the Minimum User ID for Job Submission to 0. You must do this for every TaskTracker role group for the MapReduce service that is associated with Hive, if more than one exists.
    1. Go to the MapReduce service.
    2. Click the Configuration tab.
    3. Under a TaskTracker role group go to the Security category.
    4. Set the Minimum User ID for Job Submission property to zero (the default is 1000) and click Save Changes.
    5. Restart the MapReduce service.
  • To enable the Hive user to submit YARN jobs, ensure the Allowed System Users property includes the hive user. You must do this for every NodeManager role group for the YARN service that is associated with Hive, if more than one exists.
    1. Go to the YARN service.
    2. Click the Configuration tab.
    3. Under a NodeManager role group go to the Security category.
    4. Ensure the Allowed System Users property includes the hive user. If not, add hive and click Save Changes.
    5. Restart the YARN service.
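
The warehouse ownership and 771 requirement above is easy to leave half-applied (a later job drops a directory as a different user, or a subtree was created after the chmod ran). The following is an added example, not Cloudera's code: it audits the output of `hdfs dfs -ls -R /user/hive/warehouse` and reports every entry that is not owned by hive:hive, every directory whose mode is not 771, and every file that grants read or write to others. The file rule is the auditor's own assumption (the page only states 771 for directories); SAMPLE_LISTING is constructed, and the `-ls -R` column layout is the standard one.

```python
import re

# Constructed sample of `hdfs dfs -ls -R /user/hive/warehouse` output. The
# first three entries satisfy the prerequisite; the scratch.db subtree is a
# constructed example of a later job having created files as another user.
SAMPLE_LISTING = """\
drwxrwx--x   - hive hive          0 2014-07-01 10:00 /user/hive/warehouse/sales.db
drwxrwx--x   - hive hive          0 2014-07-01 10:01 /user/hive/warehouse/sales.db/orders
-rwxrwx--x   3 hive hive       4096 2014-07-01 10:02 /user/hive/warehouse/sales.db/orders/000000_0
drwxr-xr-x   - alice analyst     0 2014-07-02 09:15 /user/hive/warehouse/scratch.db
-rw-r--r--   3 alice analyst  2048 2014-07-02 09:16 /user/hive/warehouse/scratch.db/notes.txt
"""

# mode, replication, owner, group, size, date, time, path (path may contain spaces);
# a trailing '+' on the mode marks an ACL and is ignored here.
_LS_LINE = re.compile(
    r"^([-d])([rwxsStT-]{9})\+?\s+\S+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(.+)$"
)


def symbolic_to_octal(perm):
    """Convert 'rwxrwx--x' to 0o771. s/t count as the execute bit set."""
    bits = 0
    for i, ch in enumerate(perm):
        if ch in "rwxst":
            bits |= 1 << (8 - i)
    return bits


def audit_warehouse(listing, owner="hive", group="hive", dir_mode=0o771):
    """Return (path, problem) pairs for entries that break the prerequisite."""
    findings = []
    for line in listing.splitlines():
        m = _LS_LINE.match(line)
        if not m:
            continue  # skip anything that is not a listing row
        kind, perm, own, grp, path = m.groups()
        mode = symbolic_to_octal(perm)
        if (own, grp) != (owner, group):
            findings.append((path, "owned by %s:%s, expected %s:%s" % (own, grp, owner, group)))
        if kind == "d" and mode != dir_mode:
            findings.append((path, "directory mode %o, expected %o" % (mode, dir_mode)))
        if kind == "-" and mode & 0o006:
            # assumption: files under the warehouse should not be readable or
            # writable by others once Sentry is the authorization gate
            findings.append((path, "file mode %o grants read/write to others" % mode))
    return findings


if __name__ == "__main__":
    for path, problem in audit_warehouse(SAMPLE_LISTING):
        print("%s: %s" % (path, problem))
```

Pipe a real listing into `audit_warehouse` and fix what it reports with the chmod and chown commands above; an empty result is the state the Sentry service expects before you enable it for Hive.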

To enable the Sentry service for Hive:

  1. Go to the Hive service.
  2. Click the Configuration tab.
  3. In the Service-Wide category, set the Sentry Service property to Sentry.
  4. Restart the Hive service.

For instructions on enabling the Sentry service for Impala, see Enabling the Sentry Service for Impala.