- Overview
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with sentry
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Development - Guide for contributing to the module
This puppet module installs and setup Apache Sentry - system for enforcing fine grained role based authorization to data and metadata stored on a Hadoop cluster.
- Alternatives:
- sentry-conf
- Files:
- /etc/sentry/conf/sentry-site.xml
- JDBC jars in /usr/lib/sentry/lib (if needed)
- startup skript: workaround for packaging error (tested with Cloudera CDH 5.4.7)
- Packages: sentry, sentry-store
- Services: sentry-store
- repositories set
- Java JRE installed
- Hadoop cluster with enabled Kerberos security
- for Hive: security enabled (Hive Server 2: LDAP or Kerberos, Hive Metastore: Kerberos)
- for Impala: security enabled (Kerberos or LDAP)
include ::sentry
include ::sentry::client
include ::sentry::server
class{'::sentry':
db => 'mysql',
db_password => 'sentrypassword',
}
node default {
include ::sentry::client
include ::sentry::server
class { 'mysql::server':
root_password => 'strongpassword',
}
mysql::db { 'sentry':
user => 'sentry',
password => 'sentrypassword',
host => 'localhost',
grant => ['ALTER', 'CREATE', 'SELECT', 'INSERT', 'UPDATE', 'DELETE'],
}
class { 'mysql::bindings':
java_enable => true,
}
Mysql::Db['sentry'] -> Class['::sentry::server::config']
Class['mysql::bindings'] -> Class['::sentry::server::config']
}
class{'::sentry':
db => 'postgresql',
db_password => 'sentrypassword',
}
node default {
include ::sentry::client
include ::sentry::server
class { 'postgresql::server':
postgres_password => 'strongpassword',
}
postgresql::server::db { 'sentry':
user => 'sentry',
password => postgresql_password('sentry', 'sentrypassword'),
}
include postgresql::lib::java
Postgresql::Server::Db['sentry'] -> Class['::sentry::server::config']
Class['postgresql::lib::java'] -> Class['::sentry::server::config']
}
sentry: Apache Sentry setupsentry::client: Sentry clientsentry::server: Sentry store
Apache Sentry Setup.
####alternatives
Switches the alternatives used for the configuration. Default: 'cluster' (Debian) or undef.
Use it only when supported (for example with Cloudera distribution).
####admin_groups
List of groups allowed to make policy updates. Default: ['sentry'].
####db
Database for the sentry store service. Default: undef.
The default is embedded database (derby).
Values:
- derby: embedded database
- mysql: MySQL/MariaDB,
- postgresql: PostgreSQL
- oracle: Oracle
####db_host
Database hostname for mysql, postgresql, and oracle. Default: 'localhost'.
It can be overridden by sentry.store.jdbc.url property.
####db_name
Database name for mysql and postgresql. Default: 'sentry'.
For oracle 'xe' schema is used. Can be overridden by sentry.store.jdbc.url property.
####db_user
Database user for mysql, postgresql, and oracle. Default: 'sentry'.
It can be overridden by sentry.store.jdbc.user property.
####db_password
Database password for mysql, postgresql, and oracle. Default: undef.
It can be overriden by sentry.store.jdbc.password property.
####keytab
Keytab file for Sentry. Default: '/etc/security/keytab/sentry.service.keytab'.
This will set also property sentry.service.server.keytab, if not specified directly.
####properties
Additional properties for sentry. Default: undef.
"::undef" property value will remove given property set automatically by this module, empty string sets the empty value.
####realm
Enables security. Default: undef.
The value is the Kerberos realm to use.
With security there is required:
- /etc/security/keytab/sentry.service.keytab (according to the keytab parameter)
- Repository: https://github.com/MetaCenterCloudPuppet/cesnet-sentry
- Tests:
- basic: see .travis.yml
- Email: František Dvořák <valtri@civ.zcu.cz>