Computer Science
Algorithm
任意进制数的补码 (2011)
快排杀手 (2011)
How to Estimate Max TPS from TPM (2020)
Data Processing
Use Docker to Submit Spark Jobs (2015)
The Proper Way to Use Spark Checkpoint (2015)
Use Redis Instead of Spark Streaming to Count Statistics (2015)
Digital Life
Move from Twitter to Mastodon (2020)
What Is Wrong about Recommendation System (2020)
Use RSS and Kindle to Read News (2020)
Matrix: A Self Hosted Instant Messaging Solution with End to End Encryption (2020)
An Overview of China's Internet Censorship Strategy (2020)
Deploy Matrix for Users in China (2020)
Distributed System
Spanner and Open Source Implementations (2018)
Great Resources for Learning Database and Distributed System (2019)
Aurora Database (2020)
Understand Liveness and Fairness in TLA+ (2020)
Use TLA+ to Verify Cache Consistency (2020)
Keep Data Consistency During Database Migration (2020)
Redis Implementation for Cache and Database Consistency (2020)
Distributed System Infrastructure
Infrastructure Setup for High Availability (2023)
Upgrade Kubernetes from 1.23 to 1.24 (2023)
How to Cleanup Ceph Filesystem for Deleted Kubernetes Persistent Volume (2023)
Introduce K3s, CephFS and MetalLB to My High Avaliable Cluster (2023)
Machine Learning
Backpropagation Algorithm (2015)
My Recent Work About Neural Networks (2015)
Install BLAS Library for MXNet (2015)
How to Put RNN Layers Into Neural Network Model (2016)
Build A Computer for Deep Learning (2016)
Operating System
Android
The Permission Management of Android Becomes A Bigger Problem When It Comes to Wearable Devices and TV (2016)
Root And Optimize MiBox 3S (2018)
Linux
端口666:毁灭! (2011)
Chroot 简介 (2012)
Compile And Install Kernel (2012)
Backup My Dotfiles (2012)
Comparison Between Linux Desktop Environments (2012)
How Kernel's Makefile Specify Output Directory (2013)
Xbmc on Raspberry Pi with Archlinux (2013)
Setup SSH Authentication with YubiKey (2021)
In Defence of Disabling Swap (2021)
Build a Linux Virtual Machine for Windows Apps (2023)
Linux Full Disk Encryption with Yubikey (2023)
Tizen
Tizen,加油 (2012)
Windows
Build a Unix Like Environment on Windows (2016)
iOS
DNS Resolving Bug in iOS 14 (2020)
Handle Apple In-App-Purchase Server Notification with Scala/Java (2022)
Programming Language
C++
也谈C++ (2012)
Erlang
Build Erlang the Rebar Way (2013)
Fetch Popular Erlang Modules by Coffee Script (2013)
Why I Come Back to Erlang (2014)
Experiment On Combining OOP With Erlang's Actor Model (2014)
Go
Notes On Go Scheduler (2014)
Scala
Config sbt to Use Both Proxy and Self Hosted Repositories (2016)
Compare Task Processing Approaches in Scala (2023)
A Boring JVM Memory Profiling Story (2023)
Scala 2 Macro Tutorial (2023)
Scheme
SICP第三章总结(上)——可变量与环境 (2012)
SICP第三章总结(下)——流编程 (2012)
Type System
RESTful API with Type System (2014)
Powerful Type System (2020)
Software Engineering
Call Program Like A Function (2012)
More About Program In Shell And Function (2013)
Server Logic of Level Based Games (2013)
Languages Should Have Database Built In (2013)
How About Translate IMAP And SMTP Into HTTP API? (2015)
The Things You Need to Know When Using Apache Sentry (2018)
Define Infrastructure as Code (2021)
Why Big Companies Need to Adopt Open Source (2021)
Storage
Change Root File System from Ext4 to Xfs on Archlinux (2013)
Migrate Arch Linux to ZFS (2020)
Personal ZFS Offsite Backup Solution (2021)
ZFS Profiling on Arch Linux (2023)
UI
Flutter
Make Flutter Web Apps More Native Like (2024)
Javascript
Beautiful Math with MathJex (2012)
HTML + CSS + JS is Good (2014)
What is Wrong about HTML and CSS (2014)
Prevent htmx Lazy Loaded Content From Reloading (2024)
Virtualization
Create A Virtual Machine Network (2012)
Fedora Virt-manager Guest Connect to Host (2013)
Docker Is the One Scaffolding to Rule Them All (2014)
Life
Life in Guangzhou (2013)
Recent Works (2013)
东京之旅 (2014)
My 2017 Year in Review (2018)
My 2020 in Review (2021)
十三年前被隔离的经历 (2022)
A Travel to Montreal (2022)
My 2022 in Review (2023)
Travel Back to China (2024)
Projects
Bard
The Thoughts Behind Bard Framework (2014)
Why Use Reflections to Write A Web Framework (2014)
Blog
My New Blog Website (2012)
Comment And Search Are Available (2012)
Remove Categories (2012)
Add Index to My Blog (2021)
Jekyll Plugin to Load Asciinema Recordings Locally (2023)
Add Index Sidebar to My Blog (2023)
RSS Brain
RSS Brain: Yet Another RSS Reader, With More Features (2022)
How RSS Brain Shows Related Articles (2022)
Update on RSS Brain to Find Related Articles with Machine Learning (2023)
Scala2grpc
A Library to Make It Easier to Use Scala with gRPC (2022)
Migrate Scala2grpc to Cats Effect 3 (2023)
Comment Everywhere (2013)
Fetch Popular Erlang Modules by Coffee Script (2013)
Psychology
耶鲁大学心理学导论 (2012)
Thoughts
Chinese
关于人的思想 (2008)
关于人的思想(续) (2008)
览《中国文化要义》有感 (2011)
未来人们怎样对待坏人:读《理想国》杂想 (2011)
好玩的生命游戏 (2011)
念天地之悠悠 (2012)
摒弃现代科技的隐士生活 (2015)
读《邓小平时代》有感 (2016)
由“废青”这个称呼所想到的 (2019)
盛唐诗人和远游 (2020)
English
Tired of Programming (2013)
The Tragic Talented Programmer (2020)

Table of Contents

  1. The Basic
  2. How to Configure Sentry Policy
  3. Conclusion

The Things You Need to Know When Using Apache Sentry

Posted on 02 Sep 2018, tagged SentryHadoopClouderasecuritySplice Machine

For the last few days, I was working on integrating Apache Sentry into our database product Splice Machine. And when doing that, I found the document of Sentry is awful. It takes me much time to figure out what’s the role of Sentry and how to configure it. So in this article, I’d like to write some really important things to help understanding Sentry.

The Basic

From the official website, Apache Sentry is a system for enforcing fine grained role based authorization to data and metadata stored on a Hadoop cluster. The services in Hadoop can integrate Sentry so that they can use Sentry to manage authorization. You may think this implies that Sentry is a centralized authorization system and you can configure the authorization polices through Sentry, then all the services can use these polices. This is only half true: Sentry is a centralized authorization service but you may not have a centralized place to configure polices or use that policy for all Hadoop services. Let’s see the details.

How to Configure Sentry Policy

When I start learning to use Sentry, the configuration of authorization policy confused me a log. I thought it would be like Apache Ranger to have a centralized web UI or at least provide some CLI tool. But it turns out that’s not the case. And more confusing, there are two ways to configure Sentry polices: one is file based, which is like a centralized way to configure Sentry policy but is deprecated. Another way is to configure polices from other service, which you will not even notice the exist of Sentry.

Use Policy File

Let’s start with the old and deprecated way: using the policy files. The policy file approach is more straightforward: you write a file to define the authorization policies. The file is usually on HDFS so that every node can access it. You tell the service where to find the file. Then the service will use Sentry library to parse the policy file and get the permissions for every user. So in this way, there is no Sentry service, just policy files and Sentry library to parse the files.

          --------
          | User |
          --------
             |
             | <-- Write Policy Files
             V
    ------------------------
    | Sentry Files on HDFS |
    ------------------------
             ^
             | <-- Read and Parse with Sentry Library
             |
    ------------------------
    | Hive/Impala/Solr ... |
    ------------------------

For more details like how to configure the services to use Sentry policy file and how to write policy files, you can refer the Cloudera document.

Use Sentry Service

Sentry service is a centralized service that other systems can use RPC to request the permissions of a user. If a system is integrated with Sentry service, there is no need to write policy files. However, the system needs to provide methods to configure the policies and save them to Sentry.

For example, Hive and Impala allow user to use GRANT and REVOKE to configure permissions and it will save the permissions into Sentry service. Then when you query from Hive and Impala, it will ask Sentry service to see if you have the permission. Solr provides a tool to let you define the policies and save to Sentry service, too.

               --------
               | User |
               --------
                 |  |
       Query --> |  | <-- Grant Permission
                 V  V
         ------------------------
         | Hive/Impala/Solr ... |
         ------------------------
                 ^  |
  Request    --> |  | <-- Save Permissions
  Permission     |  |
                 |  V
          -------------------
          | Sentry Service  |
          -------------------

Conclusion

So there are two things that confused me a lot and I’d like to highlight here:

  1. There are two ways to configure Sentry policies. The are not related and a little like different systems.
  2. For the Sentry service, there is no way to configure policies through Sentry service directly.

I think these are both design failures of Sentry. For the first one, if a system changed so much, at least you need to change a big version and highlight it in document. Like Python 2 and Python 3.

For the second one, it is really strange to doesn’t have a way to configure and view the policies through Sentry service. If user still need to configure the permissions separately for each system, it is a little point-less to use a centralized authorization service. Unless the permission model is the same or similar, like Hive and Impala basicly use the same permission model, so if you configure the permissions in Hive, Impala can use it. But the situation like that is rare. And I don’t think it would be difficult to provide a CLI tool to configure and view Sentry policy.