Apache Sentry is an authorization module for Hadoop. It provides the granular, role-based authorization needed to give authenticated users and applications precise levels of access. Sentry allows users to see only those objects for which they have privileges.
Sentry supports two models for storing privileges and roles:
Database storage (preferred)
As of Sentry 1.6-1602, you can configure Sentry to use the database storage mode. With this mode, the Sentry service provides access to read and maintain privileges and roles from a database.
File-based storage
Privileges and roles are accessed from and maintained in a policy file (global-policy.ini), which you can store on MapR-FS. The following diagram illustrates the architecture of the file-based storage model:
Privileges are granted on different objects in the schema, including tables, databases, URIs and servers. The object hierarchy is set up like this, where objects inherit privileges from objects above them in the hierarchy:
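The sketch below is an added example, not code from Sentry or MapR: it models how a grant made higher in the hierarchy covers the objects beneath it, using a constructed policy in the [groups]/[roles] layout of a Sentry policy file. The server > database > table ordering (with URIs under the server), all names, and the rule that a grant without an action part means all actions are assumptions of the example.

```python
import configparser

# Constructed sample in the Sentry policy-file layout ([groups] and [roles]);
# group, role, server and object names are invented for illustration.
SAMPLE_POLICY = """
[groups]
analysts = sales_read
etl = sales_load, staging_uri

[roles]
sales_read = server=server1->db=sales->table=orders->action=select
sales_load = server=server1->db=sales
staging_uri = server=server1->uri=hdfs://nn/staging
"""

def parse_privilege(text):
    """Split 'server=s->db=d->action=select' into (scope, action)."""
    parts = [tuple(p.strip().split("=", 1)) for p in text.split("->")]
    parts = [(k.lower(), v) for k, v in parts]
    action = "all"  # assumption: a grant with no action part covers all actions
    if parts and parts[-1][0] == "action":
        action = parts.pop()[1].lower()
    return parts, action

def load_policy(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep group and role names case-sensitive
    cp.read_string(text)
    roles = {r: [parse_privilege(p) for p in v.split(",")] for r, v in cp["roles"].items()}
    groups = {g: [r.strip() for r in v.split(",")] for g, v in cp["groups"].items()}
    return groups, roles

def is_allowed(policy, user_groups, obj, action):
    """obj is the requested object path, e.g. 'server=server1->db=sales->table=orders'."""
    groups, roles = policy
    wanted, _ = parse_privilege(obj)
    for g in user_groups:
        for r in groups.get(g, []):
            for scope, granted in roles.get(r, []):
                # A grant covers the object when its scope is a prefix of the
                # object's path: privileges flow down the hierarchy, never up.
                covers = wanted[:len(scope)] == scope
                if covers and granted in ("all", "*", action.lower()):
                    return True
    return False  # default deny: no matching grant means no access
```

A database-level grant (sales_load) covers every table in that database, while the table-level grant (sales_read) gives nothing on the database itself or on sibling tables.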
HDFS ACLs are not supported.
As of MapR’s Sentry 1.6-1602, the database storage mode is supported. It was not supported in the Sentry 1.4.0-1412 release.