Friday 6 April 2018

Hadoop Security: Sentry Authorisation

Hive authorization with Sentry is managed from the beeline shell.

Become the hive principal using the hive server keytab:
• Log in on the server where hiveserver2 is running
• Start beeline

Example of JDBC connection URL:


"show roles;" will show available Sentry roles.
"show grant role <rolename>;" will show grants for the role.
The mapping of Sentry privileges is as follows:

SELECT privilege -> Read access 
INSERT privilege -> Write access 
ALL privilege -> Read and Write


The customer wants to create a new role “crashdata_viewer” and assign that role to the database “abd_crashdata” with read access. The following groups need to be assigned to the specified role:


Steps for implementation:

Run the below commands from beeline shell:

Create role crashdata_viewer

> create role crashdata_viewer;

Assign role to DB abd_crashdata with read access.

> grant select on database abd_crashdata to role crashdata_viewer;

Assign groups to the role crashdata_viewer

> grant role crashdata_viewer to group az_mx_access_us;
> grant role crashdata_viewer to group azspaactuaries;
> grant role crashdata_viewer to group globalpc;

Post implementation checks:

Check the permissions granted for the role crashdata_viewer.

> show grant role crashdata_viewer; 

Check the roles assigned to a particular group:

> show role grant group az_mx_access_us;
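
The grant check above can be scripted so that a read-only role is verified rather than eyeballed. The following is an added example, not part of the original post: it parses `show grant role` table output and reports every grant that exceeds SELECT on the intended database. The sample output, its column names, the table `claims` and the database `other_db` are constructed assumptions.

```python
# Added example: audit `show grant role` output for grants beyond read access.
# SAMPLE is constructed (table "claims" and database "other_db" are hypothetical);
# the column names are an assumption about the beeline table layout and are
# read from the header row rather than from fixed positions.
SAMPLE = """\
+----------------+---------+-------------------+------------+
| database       | table   | principal_name    | privilege  |
+----------------+---------+-------------------+------------+
| abd_crashdata  |         | crashdata_viewer  | select     |
| abd_crashdata  | claims  | crashdata_viewer  | insert     |
| other_db       |         | crashdata_viewer  | all        |
+----------------+---------+-------------------+------------+
"""

# Privilege-to-access mapping as stated in the post.
ACCESS = {"select": "read", "insert": "write", "all": "read and write"}


def parse_grants(text):
    """Turn the ASCII table into a list of dicts keyed by column name."""
    rows = [[cell.strip() for cell in line.strip()[1:-1].split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body if len(row) == len(header)]


def audit_read_only(text, role, database):
    """Return one finding per grant that exceeds SELECT on `database`."""
    findings = []
    for grant in parse_grants(text):
        if grant.get("principal_name") != role:
            continue
        priv = grant.get("privilege", "").lower()
        scope = grant.get("database", "")
        if grant.get("table"):
            scope += "." + grant["table"]
        if priv != "select":
            findings.append(f"{scope}: {priv} ({ACCESS.get(priv, 'unknown access')})")
        elif grant.get("database") != database:
            findings.append(f"{scope}: select outside {database}")
    return findings


if __name__ == "__main__":
    for finding in audit_read_only(SAMPLE, "crashdata_viewer", "abd_crashdata"):
        print("REVIEW:", finding)
```

An empty result means the role holds only SELECT on the expected database; any privilege other than SELECT is flagged, including values the mapping does not list.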


