The Apache Sentry security service - part II

This is the second in a series of blog posts on the Apache Sentry security service. The first post looked at how to get started with the Apache Sentry security service, both from scratch and via a docker image. The next logical question is how can we can define the authorization privileges held in the Sentry security service. In this post we will briefly cover what those privileges look like, and how we can query them using two different tools that ship with the Apache Sentry distribution.

1) Apache Sentry privileges

The Apache Sentry docker image we covered in the previous tutorial ships with a 'sentry.ini' configuration file (see here) that is used to retrieve the groups associated with a given user. A user must be a member of the "admin" group to invoke on the Apache Sentry security service, as configured in 'sentry-site.xml' (see here).  To avoid confusion, 'sentry.ini' also contains "[groups]" and "[roles]" sections, but these are not used by the Sentry security service.

In Apache Sentry, a user is associated with one or more groups, which in turn are associated with one or more roles, which in turn are associated with one or more privileges. Privileges are made up of a number of different components that vary slightly depending on what service the privilege is associated with (e.g. Hive, Kafka, etc.). For example:

• Host=*->Topic=test->action=ALL - This Kafka privilege grants all actions on the "test" topic on all hosts.
• Collection=logs->action=* - This Solr privilege grants all actions on the "logs" collection.
• Server=sqoopServer1->Connector=c1->action=* - This Sqoop privilege grants all actions on the "c1" connector on the "sqoopServer1" server.
• Server=server1->Db=default->Table=words->Column=count->action=select - This Hive privilege grants the "select" action on the "count" column of the "words" table in the "default" database on the "server1" server.

For more information on the Apache sentry privilege model please consult the official wiki.

2) Querying the Apache Sentry security service using 'sentryShell'

Follow the steps outlined in the previous tutorial to get the Apache Sentry security service up and running using either the docker image or by setting it up manually. The Apache Sentry distribution ships with a "sentryShell" command line tool that we can use to query that Apache Sentry security service. So depending on which approach you followed to install Sentry, either go to the distribution or else log into the docker container.

We can query the roles, groups and privileges via:

• bin/sentryShell -conf sentry-site.xml -lr
• bin/sentryShell -conf sentry-site.xml -lg
• bin/sentryShell -conf sentry-site.xml -lp -r admin_role

We can create a "admin_role" role and add it to the "admin" group via:

• bin/sentryShell -conf sentry-site.xml -cr -r admin_role
• bin/sentryShell -conf sentry-site.xml -arg -g admin -r admin_role

We can grant a (Hive) privilege to the "admin_role" role as follows:

• bin/sentryShell -conf sentry-site.xml -gpr -r admin_role -p "Server=*->action=ALL"

If we are adding a privilege for anything other than Apache Hive, we need to explicitly specify the "type", e.g.:

• bin/sentryShell -conf sentry-site.xml -gpr -r admin_role -p "Host=*->Cluster=kafka-cluster->action=ALL" -t kafka
• bin/sentryShell -conf sentry-site.xml -lp -r admin_role -t kafka

3) Querying the Apache Sentry security service using 'sentryCli'

A rather more user-friendly alternative to the 'sentryShell' is available in Apache Sentry 2.0.0. The 'sentryCli' can be started with 'bin/sentryCli'. Typing ?l lists the available commands:

The Apache Sentry security service can be queried using any of these commands.