Hive Authz through Apache Sentry


Amit Mula

Sep 13, 2016, 3:32:04 AM
to Hue-Users

I was trying to configure Sentry authz for Hive in CDH 5.5 by reading through the following document:
www.cloudera.com/documentation/enterprise/5-5-x/topics/sg_sentry_service_config.html


I am facing some difficulties and need some pointers with the following:

  • Do I strictly need to have a Kerberos secured HiveServer2 & Hive Metastore for Sentry to work? If not, how to turn off Authentication while accessing HDFS/Hive through a client e.g. Beeline and have authorization configured through Sentry.
Securing the Hive Metastore
It's important that the Hive metastore be secured. If you want to override the Kerberos prerequisite for the Hive metastore, set the sentry.hive.testing.mode property to true to allow Sentry to work with weaker authentication mechanisms. Add the following property to the HiveServer2 and Hive metastore's sentry-site.xml:
<property>
  <name>sentry.hive.testing.mode</name>
  <value>true</value> 
</property> 
  • If HiveServer2, Hive Metastore, Sentry service and other Hadoop components (namenode, datanode) are all running on my localhost, do I need separate sentry-site.xml files for each of them, or should sentry-site.xml be confined to its (Sentry's) own conf directory only? As highlighted above.
  • How to enable logging in Sentry server? I tried creating the file /etc/sentry/conf/log4j.properties with "log4j.logger.org.apache.sentry=DEBUG" but that didn't help.
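
Added example, not part of the original post or of the Cloudera documentation: a small audit check that parses a Hadoop-style sentry-site.xml and flags the sentry.hive.testing.mode override quoted above, so a test-only setting is caught before it reaches a secured cluster. The sample file content and the function names are constructed for illustration; only the two property names come from this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: a sentry-site.xml with the testing-mode override
# from the post enabled. The user list is made up for illustration.
SAMPLE_SENTRY_SITE = """<configuration>
  <property>
    <name>sentry.hive.testing.mode</name>
    <value> true </value>
  </property>
  <property>
    <name>sentry.service.allow.connect</name>
    <value>hive, impala,hue</value>
  </property>
</configuration>
"""


def load_properties(xml_text):
    """Parse <property><name/><value/></property> entries into a dict.

    If a name appears more than once, the last definition is kept.
    """
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_sentry_site(xml_text):
    """Return (findings, allowed_users) for one sentry-site.xml document."""
    props = load_properties(xml_text)
    findings = []
    # The override is only reported when it is explicitly set to true.
    if props.get("sentry.hive.testing.mode", "").lower() == "true":
        findings.append(
            "sentry.hive.testing.mode=true: Kerberos prerequisite is overridden"
        )
    raw_users = props.get("sentry.service.allow.connect", "")
    allowed = [u.strip() for u in raw_users.split(",") if u.strip()]
    return findings, allowed


if __name__ == "__main__":
    findings, allowed = audit_sentry_site(SAMPLE_SENTRY_SITE)
    print("findings:", findings)
    print("users allowed to connect:", allowed)
```
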

Amit Mula

Sep 13, 2016, 4:58:23 AM
to Hue-Users
Also I am getting this:

Error: Error while compiling statement: FAILED: InvocationTargetException null (state=42000,code=40000)

when executing
show databases;
show tables;

after logging in through user 'hive'

user 'hive' is included in sentry.service.allow.connect in sentry-site.xml

Romain Rigaux

Sep 14, 2016, 12:12:29 PM
to Amit Mula, Hue-Users
"InvocationTargetException null" looks like a bug, did you look at the HiveServer2 and Sentry logs?
