Hi Hadoop Sheriffs,
In order to support the growth of the Apache Sentry project and make it easier to secure your cluster, a new app was added into Hue. Sentry privileges determine which Hive / Impala databases and tables a user can see or modify. The Security App lets you create/edit/delete Roles and Privileges directly from your browser (there is no sentry-provider.ini file to edit anymore).
Here is a video showing how the app works:
Main features:
- Bulk edit roles and privileges
- Visualize/edit roles and privileges on a database tree
- WITH GRANT OPTION support
- Impersonate a user to see which databases and tables they can see
To have Hue point to a Sentry service on another host, modify these hue.ini properties:
[libsentry]
# Hostname or IP of server.
hostname=localhost
# Port the sentry service is running on.
port=8038
# Sentry configuration directory, where sentry-site.xml is located.
sentry_conf_dir=/etc/sentry/conf
Hue will also automatically pick up the server name of HiveServer2 from the sentry-site.xml file of /etc/hive/conf.
And that’s it, you can now specify who can see/do what directly in a Web UI! The app sits on top of the standard Sentry API, so it is fully compatible with Sentry. Next planned features will bring Solr Collections, HBase privilege management as well as more bulk operations and a tighter integration with HDFS.
As usual, feel free to continue to send us questions and feedback on the hue-user list or @gethue!
Notes
We are using the latest CDH5.2 with Kerberos MIT and Sentry configured. The app also works in non-secure mode.
Our users are:
- hive (admin) belongs to the hive group
- user1_1 belongs to the user_group1 group
- user2_1 belongs to the user_group2 group
We synced the Unix users/groups into Hue with these commands:
export HUE_CONF_DIR="/var/run/cloudera-scm-agent/process/`ls -alrt /var/run/cloudera-scm-agent/process | grep HUE | tail -1 | awk '{print $9}'`"
build/env/bin/hue useradmin_sync_with_unix --min-uid=1000
If you are using the package version and have the CDH repository registered, install Sentry with:
sudo apt-get install sentry
If using Kerberos, make sure ‘hue’ is allowed to connect to Sentry in /etc/sentry/conf/sentry-store-site.xml:
<property>
  <name>sentry.service.allow.connect</name>
  <value>impala,hive,solr,hue</value>
</property>
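A preflight check for the two settings described above, as an added example (not code from Hue or Sentry): it confirms that hue is listed in sentry.service.allow.connect and that the [libsentry] section of hue.ini is filled in. The function names and the embedded sample files are constructed for illustration, and the sample allow-list deliberately omits hue.

```python
import xml.etree.ElementTree as ET

# Constructed samples of the two files discussed; the allow-list omits "hue".
SENTRY_STORE_SITE = """<configuration><property>
  <name>sentry.service.allow.connect</name><value>impala, hive,solr</value>
</property></configuration>"""
HUE_INI = """[libsentry]
  hostname=localhost
  port=8038
  sentry_conf_dir=/etc/sentry/conf
"""

def allowed_principals(site_xml):
    """Return the names listed in sentry.service.allow.connect."""
    root = ET.fromstring(site_xml)
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == "sentry.service.allow.connect":
            value = prop.findtext("value") or ""
            return {p.strip() for p in value.split(",") if p.strip()}
    return set()  # property not present in the file

def libsentry_settings(ini_text):
    """Read key=value pairs from the top-level [libsentry] section only."""
    settings, in_section = {}, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):  # any other (sub)section header ends it
            in_section = line == "[libsentry]"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip()
    return settings

def preflight(site_xml, ini_text, principal="hue"):
    """Return a list of problems; an empty list means both files look right."""
    problems = []
    if principal not in allowed_principals(site_xml):
        problems.append(f"'{principal}' missing from sentry.service.allow.connect")
    conf = libsentry_settings(ini_text)
    for key in ("hostname", "port", "sentry_conf_dir"):
        if not conf.get(key):
            problems.append(f"[libsentry] {key} is not set")
    return problems

if __name__ == "__main__":
    print(preflight(SENTRY_STORE_SITE, HUE_INI) or "ok")
```

To check a real deployment, pass the contents of /etc/sentry/conf/sentry-store-site.xml and your hue.ini to preflight() instead of the embedded samples.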
For testing purposes, here is how to create the initial Sentry database:
romain@runreal:~/projects/hue$ sentry --command schema-tool -initSchema -conffile /etc/sentry/conf/sentry-store-site.xml -dbType derby
And start the service:
sentry --command service -conffile /etc/sentry/conf/sentry-store-site.xml