
I have a cluster running with cdh-5.7.0 and configured the following setup:

  • hadoop with kerberos
  • hive with LDAP authentication
  • hive with sentry authorization (rules stored in JDBC derby)

My goal is to restrict users to see which databases exist in my system. E.g.:

  • User-A should only see database DB-A when executing `show databases`
  • User-B should only see database DB-B when executing `show databases`

I followed the article https://blog.cloudera.com/blog/2013/12/how-to-get-started-with-sentry-in-hive/ to make that happen, but without success. What I achieved was that

  • User-A can only select tables from DB-A and not from DB-B.
  • User-B can only select tables from DB-B and not from DB-A.

But both can still see DB-A and DB-B when executing `show databases`, and I want to avoid this.

Any hints from you on how the rules or the setup could look like to get that running?

Thanks Marko

mbauhardt
  • That blog post is **VERY** old, and generally speaking, using hard-coded policy files for authorization is lame. Nowadays you should use the "policy" only to define the global *Admin* role, and then open a Hive or Impala shell to issue `GRANT` commands cf. https://www.cloudera.com/documentation/enterprise/latest/topics/sg_hive_sql.html and https://www.cloudera.com/documentation/enterprise/latest/topics/impala_grant.html *(note that the syntax is a bit different in Hive and Impala)* – Samson Scharfrichter Apr 28 '17 at 10:15
  • Hey, I added rules via beeline, e.g. `create role einstein_role`, `grant role einstein_role to group einstein`, `grant select on table bookorders to role einstein_role`. The rule works, or in other words users from group einstein can only select data from table bookorders. But they still see every database via `show databases` and also all tables via `show tables`. – mbauhardt Apr 28 '17 at 11:26

1 Answer

According to your description and from what I've learned from existing setups, in case of Sentry v1.6+ you need to add the following property to your hive-site.xml:

```xml
<property>
  <name>hive.metastore.filter.hook</name>
  <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
</property>
```

Even if you are on CDH 5.7, the MapR 5 documentation provides some context, as does Sentry Service Interactions.

After re-starting the Hive service you should be able to see the result which you are expecting.

U880D
  • Thanks U880D, the property in the hive-site.xml is working perfectly for me (`hive.metastore.filter.hook` = `org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook`). After setting this property User-A sees only DB-A and not DB-B, and User-B sees only DB-B and not DB-A when executing `show databases`. thx a lot U880D -- Marko – mbauhardt May 02 '17 at 07:59
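The point of the accepted answer is that Sentry `GRANT`s alone restrict data access but not metadata enumeration: without the metastore filter hook, `show databases` and `show tables` still list every object. The script below is an added example (not code from the thread or from the Sentry project) that audits a hive-site.xml for that property and adds or corrects it; the sample hive-site.xml is constructed inline and the property name and value are the ones from the answer.

```python
import xml.etree.ElementTree as ET

HOOK_KEY = "hive.metastore.filter.hook"
HOOK_VALUE = "org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook"

# Constructed sample: LDAP auth and authorization enabled, but no metastore filter hook,
# which is the state the question describes (grants work, enumeration is not filtered).
SAMPLE_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
</configuration>
"""


def get_properties(xml_text):
    """Return {name: value} for every <property> element in a hive-site.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def check_filter_hook(xml_text):
    """Audit check: return (ok, message) describing whether the Sentry hook is active."""
    current = get_properties(xml_text).get(HOOK_KEY)
    if current == HOOK_VALUE:
        return True, "metastore filter hook is set to Sentry"
    if current is None:
        return False, f"{HOOK_KEY} missing: show databases/show tables will list all objects"
    return False, f"{HOOK_KEY} is {current!r}, expected {HOOK_VALUE!r}"


def ensure_filter_hook(xml_text):
    """Return the document with the Sentry hook property added (or its value corrected)."""
    root = ET.fromstring(xml_text)
    for prop in root.findall("property"):
        if (prop.findtext("name") or "").strip() == HOOK_KEY:
            value = prop.find("value")
            if value is None:  # property present but malformed: add the missing <value>
                value = ET.SubElement(prop, "value")
            value.text = HOOK_VALUE
            break
    else:  # no such property at all: append one, as the answer instructs
        prop = ET.SubElement(root, "property")
        ET.SubElement(prop, "name").text = HOOK_KEY
        ET.SubElement(prop, "value").text = HOOK_VALUE
    return ET.tostring(root, encoding="unicode")
```

Run `check_filter_hook` against the real file before and after the change; Hive still has to be restarted, as the answer notes, for the hook to take effect.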