Hello World with Apache Sentry

-
Apache Sentry

Sentry is Apache project for role based authorization in hadoop. Sentry works pretty well with Apache Hive.In this blog we will talk about creating a policy in Sentry using Beeline(HiveServer2) shell.



Pre-requisite : I am having Cloudera VM with Sentry installed on it.

Hive authorization is done by creating policies in sentry.
Sentry policy can be created by Sentry Admins. We need to create sentry admin group and add that group into Sentry Admin list using cloudera manager(in sentry-site.xml). Lets create user sentryAdmin with group as sentryAdmin. Fire below command on linux.

useradd sentryAdmin

Now lets Add this group to sentry admin list.

Go to Cloudera Manager - Sentry - Configuration .
Select Sentry(Service-wide) from Scope and Main from cataegory.
Add sentryAdmin in Admins Groups(sentry.service.admin.group)
Restart Sentry service.



Its time to create a policy for user. Now lets say that I have a database in Hive and I want to give read permission to group employee1
.
Now I will create a policy for employee1 using sentryAdmin.

Sentry policy creation is a three step process.
  • Role Creation
  • Assign Role to Group
  • Assign Permission to Role
Lets follow below steps :

Create user employee1 and by default in linux it will be assigned to employee1 group.

useradd employee1

Login to Beeline using employee1

beeline
!connect jdbc:hive2://localhost:10000
username : employee1
password : <Keep it Blank>

Type show databases to make employee1 does not have permission to read anything at this moment.


Login to Beeline using sentryAdmin

beeline
!connect jdbc:hive2://localhost:10000
username : sentryAdmin
password : <Keep it Blank>

Create Role in sentry.

CREATE ROLE Role1;


Assign this role to groups for granting required privileges.

GRANT ROLE Role1 TO GROUP employee1;

Grant/REVOKE privileges to created Role on required objects (Database, Table, column etc.)


GRANT select ON database department TO ROLE Role1;

Now Re -login with employee1 and try show databases command in beeline. You should be able to see department database in output.


Happy Coding....!!!!!


Comments

Post a Comment

Popular posts from this blog

JDBC Hive Connection fails : Unable to read HiveServer2 uri from ZooKeeper

-
Image
I have been struggling from couple of days to get my jdbc hive connection working using Zookeeper URI and after putting lot of effort finally I realised problem. In this post I will sharing my experience  and steps I took to rectify problem. Notes : I am having a HDP 2.6 sandbox along with my JDBC program . Use case : Many companies does not provide HiveServer2 url for configuring your JDBC string and its important because if your hiveserver goes down  , your whole job will abort (You will be missing Hive HA capabilities). So How do I dynamically determine second Hive Server URI ? Solution is to use Zookeeper Service Discovery feature. Zookeepers keeps all HiveServer 2 URI into its namespace. When client tries to make a connection to Hive , Zookeeper will look for available hive server and return URL to client program. You can quickly verify HiveServer namespace in zk Path with below command on HDP.  /usr/hdp/current/zookeeper-client/bin/zookeeper-client   Once
Read more

Access Kubernetes ConfigMap in Spring Boot Application

-
Image
 Hello There, Welcome back to our new post on Kubernetes tutorials. In this example we will see how can we configure and access ConfigMap in Spring boot application. ConfigMaps are helpful where you have multiple environment (Dev,Test Prod etc) and you want to promote your container with different environment configuration. There are three ways Pods can access ConfigMap in containers. For todays Demo , we will use Environment Variable approach. Pre-requisite : MiniKube Cluster   For Demo Purpose I have created Spring Boot application which will expose below end point.  curl localhost:8080/configMap Docker Image : shashivish123/springboot  Below is how Controller class looks like and value is being autowired from application.properties. Remember CONFIG_KEY value will be coming from Kubernetes ConfigMap Environment Configuration. Now Let's Begin , We will start by Creating firs ConfigMap in Kubernetes. Step 1: Create a namespace where we will deploy container and
Read more

Developing Custom Processor in Apache Nifi

-
Image
Apache Nifi was developed to automate the flow of data between different systems. Apache NiFi is based on technology previously called “Niagara Files” that was in development and used at scale within the NSA for the last 8 years and was made available to the Apache Software Foundation through the NSA Technology Transfer Program. Nifi is based on FlowFiles which are heart of it. A FlowFile is a data record, which consists of a pointer to its content (payload) and attributes to support the content, that is associated with one or more provenance events. The attributes are key/value pairs that act as the metadata for the FlowFile, such as the FlowFile filename. The content is the actual data or the payload of the file. Provenance is a record of what’s happened to the FlowFile. Each one of these parts has its own repository (repo) for storage. Each flowfile is processed by FlowFile processor . Processors have access to attributes of a given FlowFile and its content stream. Processo
Read more