Configuring Apache Sentry Authorization with Arcadia

All of the Sentry configuration for Arcadia is done via Cloudera Manager within the Arcadia, Sentry and Hive service configuration pages:

Arcadia Configuration:

  1. Ensure Kerberos is already set up and enabled on the cluster and that an “arcadia” principal has been created.

  1. Add the Sentry service in Arcadia (if it is not selected already).

  1. Set Sentry to persist roles in Arcadia

  1. Add the Sentry server short name (this is usually “server1” by default).

To be sure, also check the Hive configuration for the exact Sentry server short name.

  1. Check the Proxy Group and User Configuration settings for Arcadia. The default settings here should work in most cases, unless you have specific users or groups you want to enable delegation for.

Sentry Configuration:

  1. Add “arcadia” as an Allowed Connecting User.

This is required because of Kerberos: it allows the Arcadia service to connect to Sentry. The Allowed Connecting Users setting declares that the “arcadia” principal may connect to the Sentry RPC interface.

  1. (OPTIONAL) Add the “arcadia” user to one of the admin groups in this list (from within Sentry).

This is not a requirement. It is only needed if you want the arcadia service user to be able to perform operations such as granting new users access. In most cases it is not needed and can be skipped.

Even if arcadia or any other user is added to the Sentry admin list, that user will be able to create policies in Sentry but will not be allowed to read or write any tables. Those privileges still have to be granted explicitly.

Hive Configuration:

  1. Add “arcadia” to the User Bypass list.

The bypass setting tells the Sentry callback embedded in the Hive Metastore to skip authorization checks for requests from this user, because the check has already happened. This is also required for things like Kudu table access, creating Analytical Views (AVs), or any sort of table creation from Arcadia.

In all cases, the impala, hive and arcadia service users are not supposed to have any privileges associated with them. For example, if you connect with beeline as impala you shouldn’t see any databases or tables. This reinforces a security model in which the admin shouldn’t be allowed to see data.
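As an added example (not part of the original post), the following beeline session shows the Sentry model the two notes above describe: an admin-group member can create policy, but data access only exists where a privilege is granted to a role and that role to a group. The role, group and database names (analyst_role, analysts, sales) are assumptions for illustration.

```sql
-- Added example, not from the original post. Run from beeline against
-- HiveServer2 as a member of a Sentry admin group. Role, group and
-- database names are assumed for illustration.

-- 1. Policy creation: an admin defines a role, attaches a privilege to it
--    and hands the role to an OS/LDAP group. Nothing here grants the admin
--    any data access of its own.
CREATE ROLE analyst_role;
GRANT SELECT ON DATABASE sales TO ROLE analyst_role;
GRANT ROLE analyst_role TO GROUP analysts;

-- 2. Verify what was created.
SHOW ROLES;
SHOW GRANT ROLE analyst_role;

-- 3. Check the caller's own effective access. Connected as the impala, hive
--    or arcadia service user (or as an admin whose groups hold no role),
--    SHOW CURRENT ROLES lists no roles and SHOW DATABASES shows no data
--    databases, which is the expected state for the service accounts.
SHOW CURRENT ROLES;
SHOW DATABASES;

-- 4. Tightening later means revoking the privilege from the role, not
--    touching individual users.
REVOKE SELECT ON DATABASE sales FROM ROLE analyst_role;
```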

Final Step - Restart Hive, Sentry, and Arcadia services:

After updating each of these service configurations, you’ll need to restart each of them for the changes to take effect.
