Friday 6 April 2018

Hadoop Security: Sentry Authorisation

Hive authorization with Sentry is managed from the beeline shell.

Steps to connect:
• Log in to the server where HiveServer2 is running
• Become the hive principal using the HiveServer2 keytab
• Start beeline
• Execute the !connect command below

JDBC connection URL:

Syntax:
!connect jdbc:hive2://<hostname-hive-server2>:10000/default;principal=<hive-server2-principal-name>;saslQop=auth-conf

Example:
!connect jdbc:hive2://lcd218.brv.llkz:10000/default;principal=hive/lcd218.brv.llkz@MANOJ.ROOTDOM.NET;saslQop=auth-conf

The principal is the Kerberos service principal of HiveServer2, not the user you log in as. saslQop=auth-conf asks for SASL integrity and confidentiality on the wire; it only takes effect when HiveServer2 is configured with a matching hive.server2.thrift.sasl.qop, otherwise the connection falls back to the server's setting.



"show roles;" lists the available Sentry roles.
"show grant role <rolename>;" lists the privileges granted to a role.
                     
Sentry privileges map to access as follows:

SELECT privilege -> Read access
INSERT privilege -> Write access
ALL privilege -> Read and write (every privilege on the object, so grant it only where SELECT or INSERT alone is not enough)

Scenario:

The customer wants a new role "crashdata_viewer" with read access to the database "abd_crashdata". The following groups need to be assigned to that role:

az_mx_access_us
azspaactuaries
globalpc

Steps for implementation:

Run the below commands from beeline shell:

Create role crashdata_viewer

> create role crashdata_viewer;

Assign role to DB abd_crashdata with read access.

> grant select on database abd_crashdata to role crashdata_viewer;

Assign groups to the role crashdata_viewer

> grant role crashdata_viewer to group az_mx_access_us;
> grant role crashdata_viewer to group azspaactuaries;
> grant role crashdata_viewer to group globalpc;

Post implementation checks:

Check the privileges granted to the role crashdata_viewer:

> show grant role crashdata_viewer;

Check the roles assigned to a particular group:

> show role grant group az_mx_access_us;
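The whole procedure above (connect as the hive principal, create the role, grant SELECT on the database, map the three groups, then run the two checks) can be scripted rather than typed statement by statement. The following is an added example, not code from the original post: it generates the HiveQL, validates the role, database and group names before they are spliced into statement text, feeds the script to beeline over the same Kerberos/SASL URL used above, and includes a helper that checks the output of "show role grant group" for the expected role. The keytab path, the tsv2 output layout (first column taken to be the role name) and the group list used in the dry run are assumptions not stated in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: script the Sentry role
# scenario instead of running each statement in beeline by hand.
# Assumptions not in the post: HIVE_KEYTAB path, beeline on PATH, and the
# tsv2 layout checked by role_granted_to_group (first column = role name).
set -eu

# Kerberos principal and JDBC URL reused from the post's example.
HIVE_PRINCIPAL="hive/lcd218.brv.llkz@MANOJ.ROOTDOM.NET"
JDBC_URL="jdbc:hive2://lcd218.brv.llkz:10000/default;principal=${HIVE_PRINCIPAL};saslQop=auth-conf"
HIVE_KEYTAB="${HIVE_KEYTAB:-/etc/security/keytabs/hive.service.keytab}"   # assumed path

# Role, database and group names end up inside HiveQL text, so refuse
# anything that is not a plain identifier before it reaches beeline.
check_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) echo "refusing unsafe identifier: '$1'" >&2; return 1 ;;
    esac
}

# Emit the HiveQL for: ROLE DATABASE GROUP...
# Grants SELECT only (read access), never ALL, and ends with the same
# post-implementation checks the post runs by hand.
sentry_grant_script() {
    role="$1"; db="$2"; shift 2
    for name in "$role" "$db" "$@"; do
        check_ident "$name" || return 1
    done
    printf 'CREATE ROLE %s;\n' "$role"
    printf 'GRANT SELECT ON DATABASE %s TO ROLE %s;\n' "$db" "$role"
    for name in "$@"; do
        printf 'GRANT ROLE %s TO GROUP %s;\n' "$role" "$name"
    done
    printf 'SHOW GRANT ROLE %s;\n' "$role"
    for name in "$@"; do
        printf 'SHOW ROLE GRANT GROUP %s;\n' "$name"
    done
}

# Given the tsv2 output of SHOW ROLE GRANT GROUP, succeed only if ROLE is
# listed (header row skipped; first column assumed to hold the role name).
role_granted_to_group() {
    output="$1"; role="$2"
    printf '%s\n' "$output" | awk -F'\t' -v r="$role" \
        'NR > 1 && $1 == r { found = 1 } END { exit !found }'
}

# Obtain the hive ticket from the keytab and run the generated script over
# the Kerberos/SASL-protected connection. Guarded by SENTRY_APPLY=1 so the
# functions above can be sourced and tested without a cluster.
if [ "${SENTRY_APPLY:-0}" = 1 ]; then
    kinit -kt "$HIVE_KEYTAB" "$HIVE_PRINCIPAL"
    script="$(mktemp)"
    sentry_grant_script crashdata_viewer abd_crashdata \
        az_mx_access_us azspaactuaries globalpc > "$script"
    beeline -u "$JDBC_URL" --silent=true --outputformat=tsv2 -f "$script"
    rm -f "$script"
fi
```

Run with SENTRY_APPLY=1 on the HiveServer2 host to apply the grants; without it the script only defines the functions, which is how the identifier check and the role lookup can be exercised against constructed output. Note that CREATE ROLE fails if the role already exists, so re-running the script on a cluster where the role is present needs that line removed or the error ignored.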

Reference: 

https://www.cloudera.com/documentation/enterprise/5-5-x/topics/sg_hive_sql.html
