Database Reference
In-Depth Information
Sentry
License
Apache License, Version 2.0
Activity
High
Purpose
Provide a base level of authorization in Hadoop
Official Page
Hadoop Integration API Compatible Incubator project (work in progress)
If you need authentication services in Hadoop, one possibility is Sentry, an Apache Incubator
project to provide authentication services to components in the Hadoop ecosystem. The sys-
tem currently defines a set of policy rules in a file that defines groups, mapping of groups to
rules, and rules that define the privileges of groups to resources. You can think of this as
role-based access control (RBAC). Your application then calls a Sentry API with the name of
the user, the resource the user wishes to access, and the manner of access. The Sentry policy
engine then sees if the user belongs to a group that has a role that enables it to use the re-
source in the manner requested. It returns a binary yes/no answer to the application, which
can then take the appropriate response.
At the moment, this is filesystem-based and works with Hive and Impala out of the box. Oth-
er components can utilitze the API. One shortcoming of this system is that one could write a
rogue MapReduce program that can access the data that would be restricted by using the
Hive interface to the data.
Incubator projects are not part of the official Hadoop distribution and should not be used in
production systems.
