| --- |
| layout: post |
| status: PUBLISHED |
| published: true |
| title: Apache Sentry architecture overview |
| id: 99664e95-be2c-4e1d-bcfc-68add2da74bd |
| date: '2014-07-21 21:25:40 -0400' |
| categories: sentry |
| tags: |
| - sentry |
| - architecture |
| permalink: sentry/entry/apache_sentry_architecture_overview |
| --- |
| <p class="c6 c2 c10 title" style="font-size: 21pt; margin: 0px; font-family: 'Trebuchet MS'; widows: 2; orphans: 2; direction: ltr; page-break-after: avoid; padding-top: 0pt; line-height: 1.15; padding-bottom: 0pt;">Apache Sentry architecture overview</p> |
| <p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">Apache Sentry is an authorization module for Hadoop that provides the granular, role-based authorization required to provide precise levels of access to the right users and applications.</p> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">It currently works out of the box with Apache Hive/HCatalog, Apache Solr and Cloudera Impala. In the future this could be extended to other Hadoop ecosystem components such as HDFS and HBase.</p>
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">This document gives a high-level overview of the Apache Sentry architecture and of its integration with Hive.</p>
| <h1 class="c0 c2" style="widows: 2; padding-top: 10pt; line-height: 1.15; orphans: 2; text-align: justify; font-size: 16pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.efkdtht3y7fs"></a>What is Apache Sentry</h1> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">While Hadoop has strong security at the filesystem level, it has lacked the granular support needed to adequately secure access to data by users and BI applications. This problem forces users to make a choice: either leave data unprotected or lock out users entirely. Most of the time the preferred choice is the latter, which severely inhibits access to data in Hadoop.</p>
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">Sentry provides the ability to control and enforce access to data, and privileges on data, for authenticated users. It offers fine-grained access control to data and metadata in Hadoop. In its initial release for Hive and Impala, Sentry allows access control at the server, database, table, and view scopes at different privilege levels, including select, insert, and all. Column-level security can be implemented by creating a view over the subset of allowed columns: restrict the base table and grant privileges on the view, so that columns holding sensitive data do not have to be exposed to unauthorized users.</p>
| <p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">Sentry supports ease of administration through role-based authorization; you can easily grant multiple groups access to the same data at different privilege levels. For example, for a particular data set you may give your fraud detection team rights to view all columns, your analysts rights to view only non-sensitive or non-PII (personally identifiable information) columns, and your ingest processing pipeline rights to insert new data into HDFS.</p> |
| <h2 class="c6 c2" style="widows: 2; padding-top: 10pt; line-height: 1.15; orphans: 2; font-size: 13pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.hjm2ik34g0dz"></a>How does Sentry work</h2> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">The goal of Apache Sentry is to address the authorization requirement. It’s a policy engine that a data processing tool can use to validate access. It’s highly extensible and can support any arbitrary data model. Currently it supports the relational data model of Apache Hive and Cloudera Impala, as well as the hierarchical data model used by Apache Solr.</p>
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">Sentry provides the means of defining and persisting the policies for accessing resources. Currently the policies can be stored in flat files or in DB-backed storage that is accessed through an RPC service. The data processing tool (e.g. Hive) identifies the user’s request to access a piece of data in a certain mode, e.g. read a data row from a table or drop a table. The tool then asks Sentry to validate this access. Sentry builds a map of the privileges allowed for the requesting user and then determines whether the given request should be allowed. The requesting tool then allows or prohibits the user’s access based on Sentry’s decision.</p>
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">The following actors play a part in Sentry authorization:</p>
| <ul class="c26 lst-kix_z5ogh3uk0s0t-0 start" style="margin: 0px; padding: 0px; list-style-type: none; font-family: 'Times New Roman'; font-size: medium;"> |
| <li class="c0 c7" style="font-size: 11pt; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr; padding-left: 0pt; margin-left: 36pt;">Resource</li> |
| <li class="c0 c7" style="font-size: 11pt; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr; padding-left: 0pt; margin-left: 36pt;">Privileges</li> |
| <li class="c0 c7" style="font-size: 11pt; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr; padding-left: 0pt; margin-left: 36pt;">Roles</li> |
| <li class="c0 c7" style="font-size: 11pt; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr; padding-left: 0pt; margin-left: 36pt;">Users and Groups</li> |
| </ul> |
| <h3 class="c6 c2" style="widows: 2; padding-top: 8pt; line-height: 1.15; orphans: 2; color: #666666; font-size: 12pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.42remgb2jniz"></a>Resource</h3> |
<p class="c6" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; direction: ltr;">A resource is an object that you want to regulate access to. In the relational model a resource can be a Server, Database, Table or URI (i.e. an HDFS or local path).</p>
| <h3 class="c2 c6" style="widows: 2; padding-top: 8pt; line-height: 1.15; orphans: 2; color: #666666; font-size: 12pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.olj6qv767wo3"></a>Privileges</h3> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">By default Sentry does not allow access to any resource unless it is explicitly granted. A privilege is essentially a rule that grants access to a resource. It spells out how a given resource is allowed to be accessed. For example: the table called customer_info in the database called sales may be accessed in read mode.</p>
| <h3 class="c0 c2" style="widows: 2; padding-top: 8pt; line-height: 1.15; orphans: 2; text-align: justify; color: #666666; font-size: 12pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.1syuldmopot2"></a>Roles</h3> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">A role is a collection of privileges. It is a template that combines the multiple privileges required for a logical role in the data processing. For example, a data analyst in your organisation requires read and write access to the sales table, read access to the customer table and full access to the sandbox database. The notion of roles allows one to bundle all these rules under a single template which can be assigned to an analyst in one shot. Moreover, this lets you maintain the analyst permissions in the future. For example, if the analysts’ access to the customer table needs to change from read mode to write mode, you can simply make that one change in the analyst role and it will take effect for all analysts.</p>
| <h3 class="c0 c2" style="widows: 2; padding-top: 8pt; line-height: 1.15; orphans: 2; text-align: justify; color: #666666; font-size: 12pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.qluklmo8io7g"></a>Groups</h3> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">A group is a collection of users. Sentry group mapping is extensible. By default Sentry leverages Hadoop’s group mapping (which in turn can be OS groups or LDAP groups). Sentry allows you to associate roles with groups. The notion of groups further simplifies administration. You can combine a number of users into a single group. For example, Bob, John and Kim are analysts in your organisation. You can put all of them into a single group called analyst. Then you can grant the analyst role (discussed in the previous section) to this analyst group. This saves the trouble of assigning the roles to each user. If Bob moves out of the analyst role, you can simply remove him from the analyst group to revoke his access as an analyst. Also, if John takes on the additional role of a manager, you can simply add him to the manager group (which holds the manager role) to grant him all managerial access.</p>
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">Note that Sentry only supports this template-based granting of policies. You can’t grant a privilege directly to a user or group. You are required to combine privileges under roles, and a role can only be granted to a group, not directly to a user.</p>
| <h1 class="c0 c2" style="widows: 2; padding-top: 10pt; line-height: 1.15; orphans: 2; text-align: justify; font-size: 16pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.rp0jl7f8a5qk"></a>Sentry architecture</h1> |
| <p> <img src="https://blogs.apache.org/sentry/mediaresource/c07e8094-e79a-4c97-aa9e-cbb2b18fe9b2" /></p> |
<h2 class="c0 c2" style="widows: 2; padding-top: 10pt; line-height: 1.15; orphans: 2; text-align: justify; font-size: 13pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;">Bindings</h2>
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">As mentioned before, the Sentry policy engine is a plugin invoked by a downstream tool such as Hive. The binding module is the bridge between the invoking tool and Sentry authorization. This layer takes the authorization request in the requestor’s native format and converts it into an authorization request that the Sentry policy engine can handle. For example, consider the following Hive query:</p>
| <table cellpadding="0" cellspacing="0" class="c17" style="margin-right: auto; border-collapse: collapse; font-family: 'Times New Roman';"> |
| <tbody> |
| <tr class="c20" style="height: 0pt;"> |
| <td class="c12" style="border: 1pt solid #000000; width: 468pt; padding: 5pt; vertical-align: top; background-color: #fce5cd;"> |
| <p class="c0 c25" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr; line-height: 1.15; padding-top: 0pt; padding-bottom: 0pt;"><span class="c13" style="font-family: 'Courier New';">INSERT INTO TABLE </span><span class="c14 c13 c16" style="font-style: italic; font-family: 'Courier New'; color: #cc0000;">report_db.monthly_sales</span><span class="c13 c18" style="vertical-align: baseline; color: #00ff00; font-size: 11pt; font-family: 'Courier New';"> </span></p> |
| <p class="c15 c0" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1.15; padding-top: 0pt; text-indent: 36pt; padding-bottom: 0pt; widows: 2; orphans: 2; text-align: justify; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';">SELECT customer_name, transaction_date, amount FROM </span></p> |
| <p class="c15 c0" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1.15; padding-top: 0pt; text-indent: 36pt; padding-bottom: 0pt; widows: 2; orphans: 2; text-align: justify; direction: ltr;"><span class="c8" style="color: #0000ff; font-style: italic; font-family: 'Courier New';">prod_db.customer</span><span class="c13" style="font-family: 'Courier New';"> JOIN </span><span class="c8" style="color: #0000ff; font-style: italic; font-family: 'Courier New';">prod_db.transaction</span></p> |
| <p class="c0 c15" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1.15; padding-top: 0pt; text-indent: 36pt; padding-bottom: 0pt; widows: 2; orphans: 2; text-align: justify; direction: ltr;"><span class="c13" style="font-family: 'Courier New';">ON (customer.id = transaction.cid)</span></p> |
| </td> |
| </tr> |
| </tbody> |
| </table> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">This query needs write access to the table <span class="c14" style="font-style: italic;">monthly_sales</span> in the database <span class="c14" style="font-style: italic;">report_db</span>, and read access to the tables <span class="c14" style="font-style: italic;">customer</span> and <span class="c14" style="font-style: italic;">transaction</span> in <span class="c14" style="font-style: italic;">prod_db</span>. It’s the responsibility of the binding layer to extract this information from Hive’s compiler structures and pass it down to the policy engine.</p>
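<p>As an added illustration (not part of the original document and not Sentry’s own code), the following Python sketch shows the kind of reduction the binding layer performs for the query above: it turns the statement into the (database, table, action) triples the policy engine must check. The regular-expression scan, the <span style="font-family: 'Courier New';">required_privileges</span> function and the sample query string are assumptions made for this example; Sentry’s Hive binding takes these entities from Hive’s compiled plan rather than from the SQL text.</p>

```python
import re
from typing import FrozenSet, Tuple

# Constructed sample input: the Hive query discussed in the text above.
SAMPLE_QUERY = """
INSERT INTO TABLE report_db.monthly_sales
    SELECT customer_name, transaction_date, amount FROM
    prod_db.customer JOIN prod_db.transaction
    ON (customer.id = transaction.cid)
"""

# One requirement the binding hands to the policy engine: (db, table, action).
# Actions follow the SQL privilege model: "insert" for writes, "select" for reads.
Privilege = Tuple[str, str, str]

# A table reference is an optional "db." prefix followed by the table name.
_TABLE_REF = r"(?:([A-Za-z_][A-Za-z0-9_]*)\.)?([A-Za-z_][A-Za-z0-9_]*)"
_WRITE_TARGET = re.compile(
    r"\bINSERT\s+(?:INTO|OVERWRITE)\s+(?:TABLE\s+)?" + _TABLE_REF, re.IGNORECASE)
_READ_SOURCE = re.compile(r"\b(?:FROM|JOIN)\s+" + _TABLE_REF, re.IGNORECASE)


def required_privileges(query: str, default_db: str = "default") -> FrozenSet[Privilege]:
    """Toy stand-in for the binding layer (hypothetical, not Sentry's code).

    Scans the statement text and collects every (db, table, action) the query
    needs.  Real Sentry never parses SQL itself: the Hive binding reads the
    read/write entity sets out of Hive's compiled plan, which also covers
    subqueries and views that this regex scan does not handle.
    """
    needed = set()
    for db, table in _WRITE_TARGET.findall(query):
        needed.add((db or default_db, table, "insert"))
    for db, table in _READ_SOURCE.findall(query):
        needed.add((db or default_db, table, "select"))
    return frozenset(needed)


if __name__ == "__main__":
    # Expected: insert on report_db.monthly_sales, select on the two prod_db tables.
    for db, table, action in sorted(required_privileges(SAMPLE_QUERY)):
        print(f"{action:6s} {db}.{table}")
```

<p>Unqualified table names fall back to the <span style="font-family: 'Courier New';">default_db</span> argument, mirroring Hive’s current-database rule; a statement that touches the same table for reading and writing yields two separate triples, one per action, which is exactly the shape the engine needs to check each against the user’s privilege map.</p>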
| <h2 class="c0 c2" style="widows: 2; padding-top: 10pt; line-height: 1.15; orphans: 2; text-align: justify; font-size: 13pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.2lcpe32jkixf"></a>Policy Engine</h2> |
| <p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">This is the core of Sentry’s authorization. The policy engine gets the requested privileges from the binding layer and the required privileges from the provider layer. It looks at the requested and required privileges and makes the decision whether the action should be allowed.</p> |
| <h2 class="c0 c2" style="widows: 2; padding-top: 10pt; line-height: 1.15; orphans: 2; text-align: justify; font-size: 13pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.ojh2m7esmu9j"></a>Policy provider</h2> |
| <p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">The provider is an abstraction for making the authorization metadata available for the policy engine. This allows the metadata to be pulled out of the underlying repository independent of the way that metadata is stored.</p> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">Currently Sentry supports file-based storage and DB-based storage out of the box.</p>
| <h2 class="c0 c2" style="widows: 2; padding-top: 10pt; line-height: 1.15; orphans: 2; text-align: justify; font-size: 13pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.hqv9ttwp45o8"></a>File based provider</h2> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">The file-based provider stores metadata in an INI-format file. The file can reside on a local file system or on HDFS. The policy file contains a groups section that holds the group-to-role mapping, and a roles section that holds the role-to-privilege mapping. Here is an example of a policy file:</p>
| <table cellpadding="0" cellspacing="0" class="c17" style="margin-right: auto; border-collapse: collapse; font-family: 'Times New Roman';"> |
| <tbody> |
| <tr class="c20" style="height: 0pt;"> |
| <td class="c23" style="border: 1pt solid #000000; width: 468pt; padding: 5pt; vertical-align: top; background-color: #d9d9d9;"> |
| <p class="c9 c6" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';">[groups]</span></p> |
| <p class="c9 c6" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';"># Assigns each Hadoop group to its set of roles</span></p> |
| <p class="c9 c6" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';">manager = analyst_role, junior_analyst_role</span></p> |
<p class="c9 c6" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';">analyst = analyst_role</span></p>
| <p class="c9 c6" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';">admin = admin_role</span></p> |
| <p class="c9 c3" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; height: 11pt; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';"></span></p> |
| <p class="c6 c9" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';">[roles]</span></p> |
| <p class="c9 c6" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';">analyst_role = server=server1->db=analyst1, \</span></p> |
| <p class="c9 c6" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';"> server=server1->db=jranalyst1->table=*->action=select, \</span></p> |
| <p class="c9 c6" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';"> server=server1->uri=hdfs://ha-nn-uri/landing/analyst1, \</span></p> |
| <p class="c9 c6" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';"> server=server1->db=default->table=tab2</span></p> |
| <p class="c9 c6" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';"># Implies everything on server1.</span></p> |
| <p class="c9 c6" style="font-size: 11pt; margin: 0px; font-family: Arial; line-height: 1; padding-top: 0pt; padding-bottom: 0pt; widows: 2; orphans: 2; direction: ltr;"><span class="c1" style="vertical-align: baseline; font-size: 11pt; font-family: 'Courier New';">admin_role = server=server1</span></p> |
| </td> |
| </tr> |
| </tbody> |
| </table> |
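<p>The following Python program, added here as an example and not taken from the Sentry project, puts together the pieces described in the sections above (resources, privileges, roles, groups, the policy engine and the file-based provider): it parses the policy file shown above, builds the group-to-role-to-privilege map the text describes, and makes the default-deny decision for a request written in the same <span style="font-family: 'Courier New';">server=...-&gt;db=...-&gt;table=...-&gt;action=...</span> notation. The <span style="font-family: 'Courier New';">parse_policy</span> function, the <span style="font-family: 'Courier New';">implies</span> matching rule and the <span style="font-family: 'Courier New';">PolicyEngine</span> class are this example’s own simplifications of Sentry’s hierarchy semantics, not its implementation.</p>

```python
from dataclasses import dataclass
from typing import Dict, List, Mapping, Sequence, Set, Tuple

# Constructed sample: the policy file shown on the page, verbatim.
POLICY_INI = r"""
[groups]
# Assigns each Hadoop group to its set of roles
manager = analyst_role, junior_analyst_role
analyst = analyst_role
admin = admin_role

[roles]
analyst_role = server=server1->db=analyst1, \
    server=server1->db=jranalyst1->table=*->action=select, \
    server=server1->uri=hdfs://ha-nn-uri/landing/analyst1, \
    server=server1->db=default->table=tab2
# Implies everything on server1.
admin_role = server=server1
"""

# One level of the authorizable hierarchy, e.g. ("db", "sales").
Authorizable = Tuple[str, str]


def parse_policy(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Read the two-section INI: '#' comments, 'name = a, b' entries and
    backslash line continuations.  Returns {"groups": {...}, "roles": {...}}."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = ""
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # value continues on the next line
            logical += line[:-1]
            continue
        logical += line
        if logical.startswith("[") and logical.endswith("]"):
            current = logical[1:-1]
            sections.setdefault(current, {})
        else:
            name, _, values = logical.partition("=")
            sections.setdefault(current, {})[name.strip()] = [
                v.strip() for v in values.split(",") if v.strip()]
        logical = ""
    return sections


def parse_privilege(spec: str) -> List[Authorizable]:
    """'server=server1->db=x->action=select' -> [("server", "server1"), ...]."""
    return [tuple(part.split("=", 1)) for part in spec.split("->")]


def implies(privilege: Sequence[Authorizable], request: Sequence[Authorizable]) -> bool:
    """True when the privilege covers the request.  Every level the privilege
    names must match the request ('*' matches any name); levels it omits are
    unconstrained, so 'server=server1' covers everything on server1 and a
    privilege without an action allows all actions.  A uri privilege covers
    that path and everything beneath it.  (Simplified from Sentry's rules.)"""
    req = dict(request)
    for level, granted in privilege:
        actual = req.get(level)
        if actual is None:                  # request is coarser than the grant
            return False
        if level == "uri":
            if actual != granted and not actual.startswith(granted.rstrip("/") + "/"):
                return False
        elif granted != "*" and granted.lower() != actual.lower():
            return False
    return True


@dataclass
class PolicyEngine:
    """Hypothetical file-backed engine: groups -> roles -> privileges, default deny."""
    groups_to_roles: Mapping[str, Sequence[str]]
    roles_to_privileges: Mapping[str, Sequence[str]]

    @classmethod
    def from_ini(cls, text: str) -> "PolicyEngine":
        sections = parse_policy(text)
        return cls(sections.get("groups", {}), sections.get("roles", {}))

    def privileges_for(self, groups: Sequence[str]) -> List[List[Authorizable]]:
        """The privilege map built for a user: every privilege of every role
        granted to any of the user's groups."""
        return [parse_privilege(spec)
                for group in groups
                for role in self.groups_to_roles.get(group, ())
                for spec in self.roles_to_privileges.get(role, ())]

    def is_allowed(self, groups: Sequence[str], request: str) -> bool:
        """Default deny: the request must be implied by at least one privilege."""
        wanted = parse_privilege(request)
        return any(implies(p, wanted) for p in self.privileges_for(groups))

    def dangling_roles(self) -> Set[str]:
        """Roles a group refers to that no [roles] entry defines.  Such a grant
        silently confers nothing, so flag it when reviewing a policy file."""
        referenced = {r for roles in self.groups_to_roles.values() for r in roles}
        return referenced - set(self.roles_to_privileges)


if __name__ == "__main__":
    engine = PolicyEngine.from_ini(POLICY_INI)
    print(engine.is_allowed(["analyst"], "server=server1->db=jranalyst1->table=t1->action=select"))
    print(engine.is_allowed(["analyst"], "server=server1->db=jranalyst1->table=t1->action=insert"))
    print("undefined roles:", engine.dangling_roles())
```

<p>Two things the page’s own policy file makes visible when run through this engine: the manager group names a <span style="font-family: 'Courier New';">junior_analyst_role</span> that the roles section never defines, so managers receive nothing from it (the <span style="font-family: 'Courier New';">dangling_roles</span> check reports it), and because the user is only ever identified by group membership, a user in no listed group is denied everything, which is the default-deny behaviour the Privileges section describes.</p>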
| <h2 class="c6 c2" style="widows: 2; padding-top: 10pt; line-height: 1.15; orphans: 2; font-size: 13pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.z7uctiip0rfe"></a>DB based provider</h2> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">The file-based provider is hard to modify programmatically, has race conditions when the file is modified, and is tedious to maintain. Products like Hive and Impala need to support the industry-standard SQL interface for administering authorization policies, which requires a programmatic way to manage them.</p>
<p class="c6" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; direction: ltr;">The Sentry policy store and Sentry Service persist the role-to-privilege and group-to-role mappings in an RDBMS and provide programmatic APIs to create, query, update and delete them. This enables the various Sentry clients to retrieve and modify the privileges concurrently and securely.</p>
| <p><img src="https://blogs.apache.org/sentry/mediaresource/d9cc7fbc-dbf0-4dcb-a065-3f4d95878c00" /> </p> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">The Sentry Policy Store works with a number of back-end databases (MySQL, Postgres etc.). It uses the DataNucleus ORM library to read and write to the database.</p>
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">The Sentry Service supports Kerberos authentication. Other authentication mechanisms can be added later if needed. You can further restrict connections by specifying a list of users that are allowed to connect to the service.</p>
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">Currently the Sentry service supports trusted authorization. The users that connect to the service are essentially super users (e.g. hive or impala). The connecting user can specify the effective user for each RPC request. The set of admin users that are allowed to execute a request is configurable. For example, the service user hive connects to the Sentry store and submits a create-role request on behalf of user Bob. If Bob is not configured as an admin user, this request will be rejected.</p>
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">The current RPC interface supported by the Sentry service is available at <span class="c21" style="color: #1155cc; text-decoration: underline;"><a class="c11" href="https://github.com/apache/incubator-sentry/blob/master/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift" style="color: inherit; text-decoration: inherit;">https://github.com/apache/incubator-sentry/blob/master/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift</a></span></p>
| <h2 class="c6 c2" style="widows: 2; padding-top: 10pt; line-height: 1.15; orphans: 2; font-size: 13pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.fpe89xc43ext"></a>Sentry Hive integration</h2> |
| <h3 class="c6 c2" style="widows: 2; padding-top: 8pt; line-height: 1.15; orphans: 2; color: #666666; font-size: 12pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.ozo5a34ahd7o"></a>Query authorization</h3> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">The Sentry policy engine is plugged into Hive via a semantic hook. HiveServer2 executes this hook after the query has been successfully compiled.</p>
| <p><img src="https://blogs.apache.org/sentry/mediaresource/c7680848-aa39-46cc-8165-0fc27b8b12db" /> </p> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">The hook gets the list of objects the query is trying to access in read and write mode. The Sentry Hive binding converts this into an authorization request based on the SQL privilege model.</p>
<h3 class="c0 c2" style="widows: 2; padding-top: 8pt; line-height: 1.15; orphans: 2; text-align: justify; color: #666666; font-size: 12pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;">Policy manipulation</h3>
| <p><img src="https://blogs.apache.org/sentry/mediaresource/6b3b87ce-5054-40ab-90a2-0711dda06678" /> </p> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">Policy manipulation is handled in two steps. During query compilation, Hive invokes Sentry’s authorization task factory, which generates a Sentry-specific task that is executed during query processing. This task invokes the Sentry store client, which sends an RPC request to the Sentry service to make the authorization policy changes.</p>
| <h3 class="c0 c2" style="widows: 2; padding-top: 8pt; line-height: 1.15; orphans: 2; text-align: justify; color: #666666; font-size: 12pt; font-family: 'Trebuchet MS'; padding-bottom: 0pt; page-break-after: avoid; direction: ltr; letter-spacing: normal;"><a name="h.sfksjr696knd"></a>HCatalog integration</h3> |
| <p><img src="https://blogs.apache.org/sentry/mediaresource/eb8c8249-189f-404a-a348-8f5722b4d1ed" /> </p> |
<p class="c0" style="font-size: 11pt; margin: 0px; font-family: Arial; widows: 2; orphans: 2; text-align: justify; direction: ltr;">Sentry is integrated into the Hive Metastore via pre-listener hooks. The metastore executes this hook prior to executing the metadata manipulation request. The metastore binding creates a Sentry authorization request for each metadata modification request coming from the metastore/HCatalog client.</p>