Apache Sentry Policy Management API for Java in Kerberised Platform


Amit Mula

Sep 23, 2016, 2:28:18 AM
to Hue-Users
Hi guys,

I am trying to write an Apache Sentry service client. My primary objective is to manage Sentry policies (GRANT/REVOKE privileges) through a Java web app.

I have read about the Thrift specification, which indicated that if I can use the Thrift IDLs (https://github.com/apache/incubator-sentry/blob/bc5c43450dddced02e61dc61cae1960c8132cd41/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift) used by Sentry, I can write a Java client with the Thrift-generated code.

I will also have to fulfill Kerberos authentication on the client part. Any guidance/tutorial/sample code snippet on this is highly appreciated.

Thanks,
Amit

Kishore Krishna M

Feb 9, 2017, 7:29:06 AM
to Hue-Users
Hi Amit,
I am about to start on a similar activity: using the Thrift IDL file, generating the client sources and trying to publish the policy info into Sentry. Could you share your experience of doing this?

Thanks

jojo qi

Apr 3, 2019, 2:15:15 AM
to Hue-Users, kish...@gmail.com
Hi Amit and Kishore,
I am about to do the same thing these days. Could you share your experience?

Thanks

On Thursday, February 9, 2017 at 8:29:06 PM UTC+8, Kishore Krishna M wrote:

Romain Rigaux

Apr 3, 2019, 10:04:30 AM
to jojo qi, Hue-Users, kish...@gmail.com

Note: Apache Ranger is going to be integrated too https://issues.cloudera.org/browse/HUE-8748

--
You received this message because you are subscribed to the Google Groups "Hue-Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hue-user+u...@cloudera.org.

jojo qi

Apr 4, 2019, 5:24:15 AM
to Hue-Users, provo...@gmail.com, kish...@gmail.com
Thank you, Romain. I planned to use the web API xxxxxx:29000/showAll, but it's not safe.

On Wednesday, April 3, 2019 at 10:04:30 PM UTC+8, Romain Rigaux wrote:

jojo qi

Apr 8, 2019, 1:15:55 AM
to Hue-Users, provo...@gmail.com, kish...@gmail.com
Hi guys,
I use the Kerberised Java API to access the Sentry Thrift API, and it works. Here is the sample:


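import java.util.Set;

import org.apache.commons.collections.CollectionUtils; // assumed: commons-collections 3.x
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.junit.Test;

@Test
public void connectIt() throws Exception {
    System.setProperty("hadoop.home.dir", "your hdp dir");
    String keyTabPath = "your keytab file";
    String krb5ConfPath = "your krb5.conf file";

    // Point the JVM at the realm/KDC configuration before any Kerberos call.
    System.setProperty("java.security.krb5.conf", krb5ConfPath);
    org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
    conf.set("hadoop.security.authentication", "Kerberos");
    UserGroupInformation.setConfiguration(conf);

    // Log in from the keytab; this principal is the identity the client connects as.
    UserGroupInformation.loginUserFromKeytab("your principal in keytab and also the one you want to login", keyTabPath);

    conf.set(ServiceConstants.ClientConfig.SERVER_RPC_ADDRESS, "sentry thrift server rpc address");
    conf.set(ServiceConstants.ClientConfig.SERVER_RPC_PORT, "sentry thrift server rpc port");
    // Service principal of the Sentry server itself, not the client principal above.
    conf.set(ServiceConstants.ServerConfig.PRINCIPAL, "this is the kerberos principal that started your sentry thrift server!!!");

    SentryPolicyServiceClient client = SentryServiceClientFactory.create(conf);

    // First argument is the requesting user, second is the role to inspect.
    Set<TSentryPrivilege> set = client.listAllPrivilegesByRoleName("admin", "some_rolename");

    if (CollectionUtils.isNotEmpty(set)) {
        System.out.println(set.size());
    }

    for (TSentryPrivilege privilege : set) {
        System.out.println(privilege.getPrivilegeScope() + ":" + privilege.getServerName() + "." + privilege.getDbName() + "." + privilege.getTableName() + "." + privilege.getColumnName());
    }
}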

Here are the Maven libs; the version is 1.5.1-cdh5.14.0:

<dependency>
    <groupId>org.apache.sentry</groupId>
    <artifactId>sentry-provider-db</artifactId>
</dependency>
<dependency>
    <groupId>org.apache.sentry</groupId>
    <artifactId>sentry-binding-hive</artifactId>
</dependency>
<dependency>
    <groupId>org.apache.sentry</groupId>
    <artifactId>sentry-binding-hive-conf</artifactId>
</dependency>
<dependency>
    <groupId>org.apache.sentry</groupId>
    <artifactId>sentry-core-common</artifactId>
</dependency>

Thank you guys!

On Thursday, April 4, 2019 at 5:24:15 PM UTC+8, jojo qi wrote:
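
The sample in the post above only lists privileges, while the original question asked about GRANT/REVOKE. The following is an added example, not code from the thread or from the Sentry project: it reuses the same client to grant and then revoke a table-level privilege. It assumes a `Configuration` prepared and logged in as in the post, the grant/revoke method signatures of the `SentryPolicyServiceClient` interface in Sentry 1.5.x, and placeholder role, group, server, database and table names.

```java
import java.util.Set;

import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;

public class SentryGrantRevokeExample {

    // Placeholder names for illustration; none of them come from the thread.
    static final String REQUESTOR = "admin";   // must be in a group listed in sentry.service.admin.group
    static final String ROLE = "analyst_role";
    static final String GROUP = "analysts";
    static final String SERVER = "server1";    // Sentry server name used by the Hive binding
    static final String DB = "sales";
    static final String TABLE = "orders";
    static final String ACTION = "select";     // narrowest action that meets the need

    /**
     * conf must already hold the RPC address, port and server principal, and
     * UserGroupInformation.loginUserFromKeytab(...) must have succeeded.
     */
    public static void grantThenRevoke(Configuration conf) throws Exception {
        SentryPolicyServiceClient client = SentryServiceClientFactory.create(conf);
        try {
            // createRole throws if the role already exists; this example lets that propagate.
            client.createRole(REQUESTOR, ROLE);
            client.grantRoleToGroup(REQUESTOR, GROUP, ROLE);

            // GRANT SELECT ON TABLE sales.orders TO ROLE analyst_role
            client.grantTablePrivilege(REQUESTOR, ROLE, SERVER, DB, TABLE, ACTION);
            dump("after grant", client.listAllPrivilegesByRoleName(REQUESTOR, ROLE));

            // REVOKE SELECT ON TABLE sales.orders FROM ROLE analyst_role
            client.revokeTablePrivilege(REQUESTOR, ROLE, SERVER, DB, TABLE, ACTION);
            dump("after revoke", client.listAllPrivilegesByRoleName(REQUESTOR, ROLE));
        } finally {
            client.close(); // release the Thrift/SASL transport
        }
    }

    private static void dump(String label, Set<TSentryPrivilege> privileges) {
        System.out.println(label + ": " + (privileges == null ? 0 : privileges.size()) + " privilege(s)");
        if (privileges == null) return;
        for (TSentryPrivilege p : privileges) {
            System.out.println("  " + p.getAction() + " on " + p.getServerName() + "."
                    + p.getDbName() + "." + p.getTableName());
        }
    }
}
```

The server authorizes these calls against the requestor name passed as the first argument, so a web app exposing them should map its own authenticated users to that argument rather than hard-coding an admin account.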