1) Apache Sentry privileges
The Apache Sentry docker image we covered in the previous tutorial ships with a 'sentry.ini' configuration file (see here) that is used to retrieve the groups associated with a given user. A user must be a member of the "admin" group to invoke the Apache Sentry security service, as configured in 'sentry-site.xml' (see here). Note, to avoid confusion, that 'sentry.ini' also contains "[groups]" and "[roles]" sections, but these are not consulted by the Sentry security service; only the user-to-group mapping is used here.
In Apache Sentry, a user is associated with one or more groups, which in turn are associated with one or more roles, which in turn are associated with one or more privileges. A privilege is a chain of "key=value" components separated by "->", ending in an "action" component; the set of keys varies slightly depending on which service the privilege is associated with (e.g. Hive, Kafka, etc.). For example:
- Host=*->Topic=test->action=ALL - This Kafka privilege grants all actions on the "test" topic on all hosts.
- Collection=logs->action=* - This Solr privilege grants all actions on the "logs" collection.
- Server=sqoopServer1->Connector=c1->action=* - This Sqoop privilege grants all actions on the "c1" connector on the "sqoopServer1" server.
- Server=server1->Db=default->Table=words->Column=count->action=select - This Hive privilege grants the "select" action on the "count" column of the "words" table in the "default" database on the "server1" server.
2) Querying the Apache Sentry security service using 'sentryShell'
Follow the steps outlined in the previous tutorial to get the Apache Sentry security service up and running, using either the docker image or a manual setup. The Apache Sentry distribution ships with a "sentryShell" command line tool that we can use to query the Apache Sentry security service. So depending on which approach you followed to install Sentry, either go to the distribution directory or else log into the docker container.
We can list the roles, groups and privileges, create a role, assign it to a group and grant it privileges via the following commands (the "-t" option selects the component the privilege applies to; it defaults to Hive if omitted):
- bin/sentryShell -conf sentry-site.xml -lr (list roles)
- bin/sentryShell -conf sentry-site.xml -lg (list groups)
- bin/sentryShell -conf sentry-site.xml -lp -r admin_role (list the privileges of the "admin_role" role)
- bin/sentryShell -conf sentry-site.xml -cr -r admin_role (create the "admin_role" role)
- bin/sentryShell -conf sentry-site.xml -arg -g admin -r admin_role (add the "admin_role" role to the "admin" group)
- bin/sentryShell -conf sentry-site.xml -gpr -r admin_role -p "Server=*->action=ALL" (grant a Hive privilege covering all actions on all servers to "admin_role")
- bin/sentryShell -conf sentry-site.xml -gpr -r admin_role -p "Host=*->Cluster=kafka-cluster->action=ALL" -t kafka (grant a Kafka privilege covering all actions on the "kafka-cluster" cluster on all hosts to "admin_role")
- bin/sentryShell -conf sentry-site.xml -lp -r admin_role -t kafka (list the Kafka privileges of "admin_role")
A rather more user-friendly alternative to the 'sentryShell' is available in Apache Sentry 2.0.0. The 'sentryCli' can be started with 'bin/sentryCli'. Typing ?l lists the available commands: