As of Sentry 1.6, the database storage model is the preferred method for storing
privileges and roles. When you configure Sentry to use the database storage model, it also
includes a service that is managed by Warden.
The following databases can be used to store privileges and roles: MySQL, Oracle,
Postgres, DB2 and Derby. Examples in the following procedure use MySQL as the database
type.
Note: When you install Sentry with the Installer
and you specify MySQL as the database for Sentry, the
Installer performs the following configurations.
-
Create a database for Sentry.
For example, run the following commands to create a MySQL database:
mysql> create database sentry_store;
mysql> use sentry_store;
mysql> create user 'sentry'@'<hostname>' identified by 'sentry';
mysql> grant all on *.* to 'sentry'@'<hostname>' identified by 'sentry';
mysql> flush privileges;
-
In
/opt/mapr/sentry/sentry-<version>/conf/sentry-site.xml,
update the value of the following property:
| Property |
Configuration |
| sentry.hive.provider.backend |
Set the value to
org.apache.sentry.provider.db.SimpleDBProviderBackend
|
For example:
<property>
<name>sentry.hive.provider.backend</name>
<value>org.apache.sentry.provider.db.SimpleDBProviderBackend</value>
<description> Options: {org.apache.sentry.provider.db.SimpleDBProviderBackend, org.apache.sentry.provider.file.SimpleFileProviderBackend}Privilege provider to be used, we support file based or db based</description>
</property>
-
In the
sentry-site.xml file
(/opt/mapr/sentry/sentry-<version>/conf/sentry-site.xml),
add the following properties:
| Property |
Configuration |
| sentry.store.jdbc.url |
Set the value to the JDBC connection URL. |
| sentry.store.jdbc.driver |
Set the value to the Backend JDBC driver. |
| sentry.store.jdbc.user |
Set the value to the JDBC user name. |
| sentry.store.jdbc.password |
Set the value to the JDBC password. |
For example:
<property>
<name>sentry.store.jdbc.url</name>
<value>jdbc:mysql://localhost/sentry_store</value>
</property>
<property>
<name>sentry.store.jdbc.driver</name>
<value>com.mysql.jdbc.Driver</value>
</property>
<property>
<name>sentry.store.jdbc.user</name>
<value>sentry</value>
</property>
<property>
<name>sentry.store.jdbc.password</name>
<value>sentry</value>
</property>
-
Initialize the database schema.
/opt/mapr/sentry/sentry-<version>/bin/sentry --command schema-tool --conffile /opt/mapr/sentry/sentry-<version>/conf/sentry-site.xml --dbType mysql --initSchema
-
To add Sentry to the list of services that Warden monitors, copy
/opt/mapr/sentry/sentry-<version>/conf.d/warden.sentry.conf
to /opt/mapr/conf/conf.d.
Troubleshooting
While communicating with Sentry configured in DB mode (based on some versions of
MariaDB) through Hive or Impala, you might get an
exception:
Specified key was too long; max key length is 3072 bytes
java.sql.SQLSyntaxErrorException: Specified key was too long; max key length is 3072 bytes
This can happen if you install MariaDB version 10.3.17-1.module_el8.1, which is
included by default with CentOS 8.1.
HPE recommends upgrading the MariaDB version to 10.4.14 or later and restarting the
Sentry service.
You might also get an exception with MySQL versions 5.7.31-0ubuntu0.16.04.1 or
8.0.21-1.el6.x86_64 or other versions of MySQL.
For MySQL, HPE recommends manually altering the SENTRY_DB_PRIVILEGE table to reduce
the total size of the unique key to a max value of 383:
mysql> use <sentry_store_db>
mysql> ALTER TABLE SENTRY_DB_PRIVILEGE MODIFY URI VARCHAR(383);
Then restart MySQL, Sentry, and Hive services.