Configure Hive to use Sentry Authorization

Configure Hive to use Sentry when you want to use Sentry authorization with Impala.

1. For Sentry 1.6.0 and Hive 1.2, add the following properties to hive-site.xml:

   <property>
       <name>hive.server2.session.hook</name>    
       <value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
   </property>
   <property>
       <name>hive.sentry.conf.url</name>
       <value>file:///opt/mapr/sentry/sentry-<version>/conf/sentry-site.xml</value>
       <description>sentry-site.xml file location</description>
   </property>
   <property>
       <name>hive.metastore.rawstore.impl</name>    
       <value>org.apache.sentry.binding.metastore.AuthorizingObjectStore</value>
   </property>
   <property>
       <name>hive.metastore.filter.hook</name>
       <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
   </property>
   <property>
       <name>hive.server2.enable.doAs</name>
       <value>false</value>
       <description>Set this property to enable impersonation in Hive Server 2</description>
   </property>
   <property>
       <name>hive.metastore.execute.setugi</name>
       <value>true</value>
   </property>
   <property>
       <name>hive.sentry.subject.name</name>
       <value>mapr</value>
   </property>
   <property>
       <name>hive.stats.collect.scancols</name>
       <value>true</value>
       <description>Property for use column level privileges in Hive and Sentry Integration</description>
   </property>
                       

   Note: The hive.metastore.rawstore.impl property is optional, but is recommended for metadata read protection.
2. If Sentry uses the database storage model for rules, add the following properties to hive-site.xml:

   <property>    
       <name>hive.support.concurrency</name>
       <description>Enable Hive's Table Lock Manager Service</description>
       <value>true</value>
   </property>
   <property>
       <name>hive.zookeeper.quorum</name>
       <description>ZooKeeper quorum used by Hive's Table Lock Manager</description>
       <value>hostname</value>
   </property>
   <property>
       <name>hive.zookeeper.client.port</name>
       <description>The port where the clients connect</description>
       <value>5181</value>
   </property>
   <property>
       <name>hive.security.authorization.task.factory</name>
       <value>org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl</value>
   </property>
   <property>
       <name>hive.metastore.rawstore.impl</name>
       <value>org.apache.sentry.binding.metastore.AuthorizingObjectStore</value>
   </property>                     
   <property>
       <name>hive.metastore.pre.event.listeners</name>
       <value>org.apache.sentry.binding.metastore.MetastoreAuthzBinding</value>
       <description>list of comma separated listeners for metastore events.</description>
   </property>
                       

3. To configure Sentry with Hive 2.1 or later, add the following properties to HIVE_HOME/conf/hive-site.xml:

   <property>
       <name>hive.server2.session.hook</name>
       <value>org.apache.sentry.binding.hive.v2.HiveAuthzBindingSessionHookV2</value>
   </property>
   <property>
       <name>hive.sentry.subject.name</name>
       <value>mapr</value>
       <description>sentry-site.xml file location</description>
   </property>
   <property>    
       <name>hive.sentry.conf.url</name>    
       <value>file:///opt/mapr/sentry/sentry-1.7.0/conf/sentry-site.xml</value>
       <description>sentry-site.xml file location</description>
   </property>
   <property>
       <name>hive.security.authorization.task.factory</name>
       <value>org.apache.sentry.binding.hive.v2.SentryHiveAuthorizationTaskFactoryImplV2</value>
   </property>
   <property>
       <name>hive.metastore.rawstore.impl</name>
       <value>org.apache.sentry.binding.hive.v2.metastore.AuthorizingObjectStoreV2</value>
   </property>
   <property>
       <name>hive.metastore.filter.hook</name>
       <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
   </property>
   <property>
       <name>hive.server2.enable.doAs</name>
       <value>false</value>    
       <description>Set this property to enable impersonation in Hive Server 2</description>
   </property>
   <property>    
       <name>hive.metastore.execute.setugi</name>
       <value>true</value>
   </property>                  
   <property>
       <name>hive.internal.ss.authz.settings.applied.marker</name>
       <value>true</value>
   </property>                     
   <property>
       <name>hive.security.authorization.manager</name>
       <value>org.apache.sentry.binding.hive.v2.SentryAuthorizerFactory</value>
   </property>
   <property>
       <name>hive.security.authenticator.manager</name>
       <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
   </property>                       
   <property>
       <name>hive.security.authorization.enabled</name>
       <value>true</value>
   </property>
   <property>
       <name>hive.metastore.pre.event.listeners</name>  
       <value>org.apache.sentry.binding.hive.v2.metastore.MetastoreAuthzBindingV2</value>  
       <description>list of comma separated listeners for metastore events.</description>
   </property>
   <property>
   <name>hive.metastore.event.listeners</name>  
       <value>org.apache.sentry.binding.hive.v2.metastore.SentryMetastorePostEventListenerV2</value>  
       <description>list of comma separated listeners for metastore, post events.</description>
   </property>
   <property>
       <name>hive.zookeeper.client.port</name>
       <value>5181</value>
       <description>The Zookeeper client port. The MapR default clientPort is 5181.</description>
   </property>
   <property>
       <name>hive.zookeeper.quorum</name>
       <description>Zookeeper quorum used by Hive's Table Lock Manager</description>
       <value><!--host with Zookeper--></value>
   </property>
                       

4. Restart HiveServer2 and the Hive Metastore:

   sudo -u mapr maprcli node services -name hs2 -action restart -nodes <nodename>
   sudo -u mapr maprcli node services -name hivemeta -action restart -nodes <nodename>

5. If Sentry was configured to use the database storage model, issue the following command to restart Sentry:

   sudo -u mapr maprcli node services -name sentry -action restart -nodes <nodename>

6. Create the admin role.
   • For the database storage model, run the following commands from the Hive beeline to create the admin role for the mapr user:

     >create role admin_role;
     >grant all on server HS2 to role admin_role;
     >grant role admin_role to group mapr;
                             

   • For the file-based model, update the The global-policy.ini File in /opt/mapr/sentry/sentry-<version>/conf. For example:

     [groups]
     mapr = admin_role
     testuser = test_role
     [roles]
     admin_role = server=HS2
     test_role = server=HS2->db=test_db1->table=test_table->action=all

     Note: If you include a non-existent mapping or path to a JAR file that represents a UDF (user-defined function) in any section of the global-policy.ini file, Sentry silently fails and cannot control access to Hive. For example, if you include a mapping to a role that does not exist in the [groups] section, Sentry fails. For more information, see Getting Started with Sentry in Hive.