In Part 4,
[spacer height=”20px”] We have discussed about cloudera search workflow and it’s feature. In this tutorial i will cover apache sentry introduction and how it plays a very important role in cloudera hadoop.
- Sentry is security framework mainly used for providing access control over Hadoop data
- Sentry can be easily integrated with other Hadoop components like Pig, Hive and impala
- Sentry enables the multi user access control over a large amount of data stored in Hadoop
- Using sentry you can define roles over user access control
Some of the key functionality in cloudera sentry :
- It provide access and roles to particular user on particular data.
- Data can be divided into multiple categories like important data and regular data.
- Users can be divided into multiple groups, you can grant specific role on complete groups.
- Default access is not provided so you must specify the grant for that user role before accessing data
Diagram Components :
- This is a engine for policy execution, it gets required privileges from the binding component and required privileges from the authentication layer.
- Policy engine can make a decision whether the action to be taken or not.
- Policy agent responsible for managing metadata required for policy execution.
- Whenever required it gets the required policy metadata from main repositories like from HDFS or or Database.
File based provider
- It stores metadata information in a ini or conf format file
- This configuration or ini file can be present on a local file system or HDFS.
- The policy file contains a group and group to its respective role mapping.
- Next for a particular role some privilege mapping is considered
DB based provider
- The Sentry policy store the sentry services and policy mappings in an relational databases like MySQL, Postgres
- DB based provider provides programmatic way to access its API to create, query, update and delete policies, it uses ORM library.
- The binding layer is the bridge between the on going tools like hive, impala and Sentry authorization.
- Binding layer takes the authentication request that can be handled by Sentry policy engine.