If you are using Cloudera Manager 4.5 or 4.6
Support for Sentry has been added in Cloudera Manager as of version 4.7. This means that the configuration of Sentry can be done entirely through the Cloudera Manager Admin Console. However, it is possible to install Sentry in a cluster managed by Cloudera Manager 4.5 or 4.6 by undertaking some manual configuration steps.
Make sure you have added HiveServer2 as a role — it is not added by default — and that security is enabled for the cluster. See the Prerequisites section above for more information.
- installed CDH4.4, either as packages or as parcels (and therefore the Sentry component is also installed in your cluster); or
- installed the standalone version of Sentry with CDH4.3, either as packages or parcels.
- If you are using Cloudera Manager 4.5, and you installed CDH using CDH4.3 parcels, you must add the Sentry JAR files to your classpath. Proceed
- In Cloudera Manager, navigate to
- In the HiveServer2 Service Environment Safety Valve property, add the path to the Sentry
where parcel_dir is the name of the Sentry parcel directory, which you can see on the Parcels page in Cloudera Manager; for example SENTRY. In this case you would add the following path to the configuration:
- For both Cloudera Manager 4.5 and 4.6, use the HiveServer2 Configuration Safety Valve for hive-site.xml property to add the needed information to the hive-site.xml for the HiveServer2 role. (Note that the name of the Hive Server 2 (Base) role group changed to Hive Server 2 (Default) in Cloudera Manager 4.6.)
This information includes the properties specified in the section Enabling Sentry in HiveServer2 and may also include settings concerning the Hive warehouse directory discussed under the Prerequisites section.
- For both Cloudera Manager 4.5 and 4.6, under the Hive Server 2 (Base) (or Hive Server 2 (Default)) role group, uncheck the HiveServer2 Enable Impersonation property to disable Hive impersonation.
- Click Save Changes to save your configuration changes.
- Go to the Instances page for the Hive service, select the HiveServer2 role, and restart it from the Actions for Selected menu.
- Under the MapReduce service, TaskTracker role group(s) and/or the YARN service NodeManager role group(s), set the minimum user ID for Job Submission to 0. Note that you must do this for every TaskTracker or NodeManager role group, if more than
- Select the MapReduce or YARN service, and from the Configuration menu select View and Edit.
- Under a TaskTracker or NodeManager role group go to the Security category.
- Change the Minimum User ID for Job Submission to zero (the default is 1000) and Save Changes.
- Do this for each TaskTracker role group or NodeManager role group. (Often there are different role groups for the TaskTracker or NodeManager roles colocated on the system with the JobTracker or ResourceManager roles, vs. TaskTracker or NodeManager roles running on slave nodes.)
- Restart your MapReduce or YARN service.
- You must set up your policy file(s) and your Sentry configuration file (sentry-site.xml) as described earlier in this document. This cannot be done through the Cloudera Manager Admin Console. See Policy file and Sample Configuration for more information about creating these files.
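After the restarts, the two manual settings above (impersonation disabled, minimum user ID of 0 in every role group) can be checked against the deployed files. The following is an added example, not part of the Cloudera documentation; the property names `hive.server2.enable.impersonation`, `hive.server2.enable.doAs` and `min.user.id`, and the role group names in the sample, are assumptions that do not appear on this page.

```python
import xml.etree.ElementTree as ET

# Assumed key names (not given on this page): Hive's impersonation switch and
# the min.user.id entry of taskcontroller.cfg / container-executor.cfg.
IMPERSONATION_KEYS = ("hive.server2.enable.impersonation", "hive.server2.enable.doAs")

def hive_props(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def cfg_values(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(hive_xml, cfg_by_role_group):
    """List every setting that does not match the steps above."""
    findings = []
    props = hive_props(hive_xml)
    present = [k for k in IMPERSONATION_KEYS if k in props]
    if not present:
        findings.append("hive-site.xml: impersonation is not set explicitly")
    for key in present:
        if props[key].lower() != "false":
            findings.append(f"hive-site.xml: {key}={props[key]}, expected false")
    for group, text in sorted(cfg_by_role_group.items()):
        uid = cfg_values(text).get("min.user.id")
        if uid != "0":
            findings.append(f"{group}: min.user.id={uid or 'unset'}, expected 0")
    return findings

# Constructed sample: one role group was updated, the other was missed.
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.enable.impersonation</name><value>false</value></property>
</configuration>"""
SAMPLE_CFGS = {
    "NodeManager (Default)": "# constructed\nmin.user.id=0\nbanned.users=hdfs,yarn\n",
    "NodeManager (Master)": "min.user.id=1000\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HIVE_SITE, SAMPLE_CFGS):
        print(finding)
```

An empty result from `audit` means every supplied role group matches; the constructed sample reports the one role group that still has the old minimum user ID.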