Setting Up Search Authorization with Sentry
Requirements for Sentry for Search Authorization
- Cloudera Search 1.1.1 or later.
- A secure Hadoop cluster.
Configuring Sentry Authorization for Search
The following instructions assume that the Sentry parcel or package has been installed.
Sentry authorization is not set up automatically by the Cloudera Manager installation or upgrade wizards. To enable authorization for Search, do the following:
- Ensure the requirements are satisfied.
- Create the policy file sentry-provider.ini as an HDFS file. See Configuring Sentry for Search in the Cloudera Search User Guide, specifically the section on the Policy file. The file must be owned by owned by the solr user in the solr group, with perms=600.
By default Cloudera Manager assumes the file is in /user/solr/sentry. The path is configurable under the Configuration settings for the Solr service: under the Service-Wide category, select Sentry and modify the path in the Sentry Global Policy File property.
The following is an example of a simple policy file:
[groups] # Assigns each Hadoop group to its set of roles engineer = engineer_role ops = ops_role dev_ops = engineer_role, ops_role [roles] # The following implies all access to source code. engineer_role = collection = source_code # The following imply more restricted access. ops_role = collection = hive_logs->action=Query dev_ops_role = collection = hbase_logs->action=Query
- For your Solr service, on the Configuration page, go to the Service-Wide section, Sentry category, check Enable Sentry Authorization, then Save Changes.
- Restart the Solr service.