Configure Sentry to show/hide different databases for different users

Question

I have a cluster running with cdh-5.7.0 and configured the following setup

• hadoop with kerberos
• hive with LDAP authentication
• hive with sentry authorization (rules stored in JDBC derby)

My goal is to restrict users to see which databases exist in my system. E.g.:

• User-A should only see database DB-A when execute show databases
• User-B should only see database DB-B when execute show databases

I followed the article https://blog.cloudera.com/blog/2013/12/how-to-get-started-with-sentry-in-hive/ to make that happen. But without success. What I achieved was that

• User-A can only select tables from DB-A and not from DB-B.
• User-B can only select tables from DB-B and not from DB-A.

But both can still see DB-A and DB-B when executing show databases. But i want to avoid this.

Any hints from you how the rules or the setup could looks like to get that running?

Thanks Marko

Answer 1

According your description and from what I've learned from existing setups, in case of Sentry v1.6+ you need to add the following property to your hive-site.xml:

<property>
  <name>hive.metastore.filter.hook</name>
  <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
</property>

Even if you are on CDH 5.7, the MapR 5 documentation is providing some context. As well Sentry Service Interactions.

After re-starting the Hive service you should be able to see the result which you are expecting.