Open Source, Fine-Grained Access Control for your Enterprise Data Hub
Apache Sentry (incubating) is the next step in enterprise-grade big data security and delivers fine-grained authorization to data stored in Apache Hadoop. As an independent security module that integrates with the open source SQL query frameworks Apache Hive and Cloudera Impala and the open source interactive search engine Cloudera Search, Sentry delivers advanced authorization controls to enable multiuser applications and cross-functional processes for data sets within an enterprise data hub, the next-generation data management architecture for information-driven organizations. An enterprise data hub, powered by Hadoop, is a single, low-cost platform where organizations can efficiently and securely store, process, analyze, govern, archive, and serve any and all of their enterprise data.
A Hadoop-based EDH has strong security at the file system level, yet Sentry introduces the additional controls and granularity required to secure access to data for the majority of SQL, BI, and search tools and use cases. With Sentry, enterprises can continue to operate on data files within an EDH with tools like Apache Pig and MapReduce and simultaneously provide fine-grained access management to the same data for Hive, Impala, and Search, if needed.
- Role-Based Administration – Database administrators can unlock key role-based access control (RBAC) requirements and define what users and applications can do with data within a server, database, table, or view.
- Data Classification – Content producers and owners can intersperse sensitive data with non-sensitive data in the same data set.
- Improved Regulatory Compliance – Business teams can leverage the power of Hadoop while aligning with regulatory mandates like HIPAA, SOX, and PCI.
- Expanded User Base – Operations staff can open Hadoop data systems to a more diverse set of users, extending the power of Hadoop and making it suitable for new industries, organizations, and enterprise usage.
Sentry utilizes the existing Hive metastore and offers an extensible plugin for HiveServer2 that expands the foundation for Hadoop security, building upon the existing capabilities of concurrency and Kerberos-based authentication. Sentry, as a centralized service for secured access in an EDH, can also extend to other computing engines within the Hadoop ecosystem.
- Gain comprehensive control of user access to subsets of data
- Simplify permissions management based on functional roles
- Delegate security management to individual administrators
- Benefit from open source innovation for Hive, Impala, Search, and more
Make Hadoop safer, more compliant, and ready for enterprise use, in even the most highly regulated industries, with Sentry.
Key Benefits of Sentry
Precise Data Access
Ensure that the right resources have the proper and relevant permissions to appropriate data or subsets of data and SQL activities in Hive and Impala.
Simplify administration by granting sets of permissions to resources within the organization based on functional roles within a Hive or Impala database or Search index.
Store sensitive data alongside non-sensitive data in the same data set within Hadoop without replication and ensure usage and data compliance for regulations and governance policies.
Empower new and varied users and data within the enterprise and alleviate security concerns by building on the foundations of concurrency, authentication, and authorization provided by Hive, Impala, Search, and Sentry.
Build multiuser applications on top of Hive and Impala by segregating access to data sets for appropriate users and delegating the permissions management to local database administrators.
Avoid suboptimal choices for authorization like self-regulated, “benevolent” advisory authorization or relying exclusively on “all-or-nothing,” coarse-grained, file-based access.
Reuse and Extensibility
Build on existing systems like the Hive metastore and establish a solid, open, and extensible framework for fine-grained authorization and security beyond SQL and search in Hadoop.
Key Features of Sentry
- Fine-grained authorization for Hive, Impala, and Search
- Specify security for SERVER, DATABASE, TABLE, and VIEW
  - SELECT privilege on VIEW, TABLE
  - INSERT privilege on TABLE
  - TRANSFORM privilege on SERVER
  - ALL privilege on SERVER, DATABASE, TABLE, and VIEW
  - ALL privilege needed to create and modify schema within scope
- Separate authorization policies per database/schema/index
- Supported in HiveServer2, Impala 1.1.0 and later, and Search 1.1.0 and later
- Supports current Hive metastore architecture
- 100% Apache licensed, 100% open source
Get Support for Sentry with Cloudera Enterprise
Cloudera Enterprise lets you leverage the full capability and opportunity of Sentry in your production environments. When you deploy Sentry with Cloudera Enterprise as part of an enterprise data hub, you can rely on our market-leading technical support for Sentry, as well as actively influence the future of the project.