Setting Up Search Authorization with Sentry
Requirements for Sentry for Search Authorization
- Cloudera Search 1.1.1 or later.
- A secure Hadoop cluster.
Configuring Sentry Authorization for Search
The following instructions assume that the Sentry parcel or package has been installed.
Sentry authorization is not set up automatically by the Cloudera Manager installation or upgrade wizards. To enable authorization for Search, do the following:
- In the Cloudera Manager Admin console, go to the HiveServer2 role configuration, and disable impersonation.
  - From the Admin console, select the Hive service.
  - Under the Configuration menu, select View and Edit.
  - Under the HiveServer2 role group, uncheck the HiveServer2 Enable Impersonation property, and Save Changes.
- Create the policy file sentry-provider.ini as an HDFS file.
Please read the information in Configuring Sentry for Search in the Cloudera Search User Guide, specifically the section on the Policy file. The file must be owned by the solr user in the solr group, with perms=600.
By default, Cloudera Manager assumes the file is in /user/solr/sentry. The path is configurable under the Configuration settings for the Solr service: under the Service-Wide category, select Sentry and modify the path in the Sentry Global Policy File property.
The following is an example of a simple policy file:
    [groups]
    # Assigns each Hadoop group to its set of roles
    engineer = engineer_role
    ops = ops_role
    dev_ops = engineer_role, ops_role

    [roles]
    # The following implies all access to source code.
    engineer_role = collection = source_code
    # The following imply more restricted access.
    ops_role = collection = hive_logs->action=Query
    dev_ops_role = collection = hbase_logs->action=Query
- For your Solr service, on the Configuration page, go to the Service-Wide section, Sentry category, check Enable Sentry Authorization, then Save Changes.
- Restart the Solr service.
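Before uploading a policy file, it is worth checking that the [groups] and [roles] sections agree with each other. The following is an added example, not Cloudera code: a small linter with hypothetical function names (parse_policy, lint_policy) that runs over the example policy file above and reports roles granted to a group but never defined, roles defined but granted to no group, and privileges that carry no action restriction.

```python
# Added example: lint a Sentry policy file for group/role mismatches.
# SAMPLE_POLICY is the example policy from this page; function names are hypothetical.
SAMPLE_POLICY = """\
[groups]
# Assigns each Hadoop group to its set of roles
engineer = engineer_role
ops = ops_role
dev_ops = engineer_role, ops_role

[roles]
# The following implies all access to source code.
engineer_role = collection = source_code
# The following imply more restricted access.
ops_role = collection = hive_logs->action=Query
dev_ops_role = collection = hbase_logs->action=Query
"""


def parse_policy(text):
    """Return {section: {name: [comma-separated values]}} for a policy file."""
    sections, current = {"groups": {}, "roles": {}}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected 'name = value'")
        name, value = line.split("=", 1)
        # Drop whitespace so 'collection = x' and 'collection=x' compare equal.
        items = ["".join(v.split()) for v in value.split(",") if v.strip()]
        current.setdefault(name.strip(), []).extend(items)
    return sections


def lint_policy(text):
    """Return sorted (check, detail) findings for the policy text."""
    policy = parse_policy(text)
    groups, roles = policy["groups"], policy["roles"]
    granted = {role for names in groups.values() for role in names}
    out = []
    for group, names in groups.items():
        out += [("undefined-role", f"{group} -> {r}") for r in names if r not in roles]
    out += [("unassigned-role", r) for r in roles if r not in granted]
    for role, privs in roles.items():
        # A privilege with no '->action=' suffix is not limited to one action.
        out += [("all-actions", f"{role}: {p}") for p in privs if "->action=" not in p]
    return sorted(out)
```

On the example policy, lint_policy(SAMPLE_POLICY) reports that dev_ops_role is defined but not granted to any group (the dev_ops group maps to engineer_role and ops_role), and that engineer_role has an unrestricted privilege on source_code.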