We will look in to Hive Sentry Roles commands. Here in this post you will get all sentry role creation and grant permission commands.
1. Create hive sentry role :-
CREATE ROLE `role_name`; # Here were are using group name as hadoop-developer CREATE ROLE `hadoop-developer_role`;
It is always a good practice to create a role name with the same as the group name with role at the end. At later point of time, when revising the polices, this will play major role and will be more easy to maintain for longer runs.
2. Drop hive sentry role: –
DROP ROLE `role_name`; DROP ROLE `hadoop-developer_role`
We don’t have IF EXISTSFor dropping role, ‘drop role role_name if exists’ or IF NOT EXISTSFor role creation, “Create role role_name if not exists” command for drop and create role functionality. This is still pending functionality, here is the Jira – SENTRY-855 for this functionality.
So far, we have checked creation and deletion of sentry roles. Now we will see, how to associate group with roles and roles with databases.
We can associate one role with multiple groups and with multiple databases as well. Groups and databases can be mapped with many roles. So here roles, groups and databases have many to many relation.
Working of hive sentry Fig:-
Hive with Sentry enabled
3. Mapping role to group:-
GRANT ROLE `role_name` TO GROUP `group_name` #Here hadoop-developer is the group and role is hadoop-developer_role GRANT ROLE `hadoop-developer_role` TO GROUP `hadoop-developer`; GRANT ROLE `hadoop-developer_role` TO GROUP `hadoop-developer-group2`;
From the above sentry rules, we have mapped hadoop-developer_role to hadoop-developer group, likewise we can map N number of groups to the same role.
Here is the single command to map with multiple groups and also with multiple roles and groups
GRANT ROLE `role_name` TO GROUP `group1`, GROUP `group2`; GRANT ROLE `role_name1`, `role_name2` TO GROUP `group1`, GROUP `group2`; #Multiple groups GRANT ROLE `hadoop-developer_role` TO GROUP `hadoop-admin`, GROUP `hadoop-developer`; #Multiple roles and groups GRANT ROLE `hadoop-developer_role`, `hadoop-admin_role` TO GROUP `hadoop-admin`, GROUP `hadoop-developer`;
4. Mapping databases to role:-
GRANT ALL ON DATABASE `database` TO ROLE `role_name`; GRANT SELECT ON DATABASE `database` TO ROLE `role_name`; # SELECT and ALL permissions GRANT ALL ON DATABASE `database` TO ROLE `hadoop-developer_role`; GRANT SELECT ON DATABASE_2 `database` TO ROLE `hadoop-developer_role`;
Here we are mapping databases to the role we have created, we have two privileges SELECTUsers form that role can read the data from all the tables and ALLusers from that group can read and write from the databases.
Assign database to multiple roles using single command.
#Multiple roles in single command GRANT ALL ON DATABASE `database` To ROLE `hadoop-developer_role`, ROLE `hadoop-admin_role`; GRANT SELECT ON DATABASE `database` To ROLE `hadoop-developer_role`, ROLE `hadoop-admin_role`;
5. Mapping HDFS URI to role:-
This statement is used for creation external table. users, whoever creates external table must have this sentry rule applied. If not they will get No valid privileges Permission Error messages. This role can be given to developer mainly.
GRANT ALL ON URI 'hdfs://nameservice1/dir1/dir2/' TO ROLE `hadoop-developer_role`; # Map with multiple role with single statement. GRANT ALL ON URI 'hdfs://nameservice1/dir1/dir2/' TO ROLE `hadoop-developer_role`, ROLE `hadoop-admin_role`;
6. Mapping S3 URI to role:-
If you are creating external table at S3 location, then the below permission should be given tot he role. Rule has to be with Access Key and Secret key, which is must, like given below.
GRANT ALL ON URI 's3n://Access_Key_ID:Secret_Access_Key@bucket_name/dir1/dir2/' TO ROLE `hadoop-developer_role`; GRANT ALL ON URI 's3n://Access_Key_ID:Secret_Access_Key@bucket_name/dir1/dir2/' TO ROLE `hadoop-developer_role`, ROLE `hadoop-admin_role`; # Eg - with sample access key and secret key GRANT ALL ON URI 's3n://AKIAIOSFODNN7EXAMPLE:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY@bucket_name/dir1/dir2/' TO ROLE `hadoop-developer_role`;
