Sentry Service Configuration

...

| Config property | Scope | Values | Default | Description |
|---|---|---|---|---|
| sentry.verify.schema.version | Service | true, false | true | Sentry store will verify the schema version in the backend DB against the expected version in the jar. The service won't start if there's a mismatch. |
| sentry.service.server-max-threads | Service | Number of threads | 500 | Max worker threads to serve client requests |
| sentry.service.server-min-threads | Service | Number of threads | 10 | Min worker threads to serve client requests |
| sentry.service.allow.connect | Service | Comma-separated list of users | - | List of users that are allowed to connect to the service (e.g. Hive, Impala) |
| sentry.store.jdbc.url | Service | JDBC connection URL | - | JDBC connection URL for the backend DB |
| sentry.store.jdbc.user | Service | User name | Sentry | User ID for connecting to the backend DB |
| sentry.store.jdbc.password | Service | Password | Sentry | Password for the backend JDBC user |
| sentry.service.server.keytab | Service | Keytab file | - | Keytab for the service principal |
| sentry.service.server.rpc-port | Service | Port # | 8038 | TCP port number for the service |
| sentry.service.server.rpc-address | Service | TCP bind address | 0.0.0.0 | TCP interface for the service to bind to |
| sentry.store.jdbc.driver | Service | Backend JDBC driver | org.apache.derby.jdbc.EmbeddedDriver (only when dbtype = derby) | JDBC driver class for the backend DB |
| sentry.service.admin.group | Service | Comma-separated list of groups | | List of groups allowed to make policy updates |
| sentry.store.group.mapping | Service | org.apache.sentry.provider.common.HadoopGroupMappingService | org.apache.sentry.provider.common.HadoopGroupMappingService | Group mapping class for the Sentry service. org.apache.sentry.provider.file.LocalGroupMappingService can be used for local group mapping. |
| sentry.store.group.mapping.resource | Service | Policy file for group mapping | | Policy file path for local group mapping, when sentry.store.group.mapping is set to the LocalGroupMappingService class. |
| sentry.service.security.mode | Both | kerberos, none | kerberos | Authentication mode for the Sentry service. Currently supports Kerberos and trusted mode. |
| sentry.service.server.principal | Both | Kerberos principal | | Service Kerberos principal |
| sentry.service.client.server.rpc-address | Client | TCP address of the server | - | TCP address of the Sentry store server |
| sentry.service.client.server.rpc-port | Client | Port # of the server | - | Port # of the Sentry store server |
| sentry.service.client.server.rpc-connection-timeout | Client | Timeout | 200000 | RPC connection timeout in milliseconds |
| sentry.metastore.service.users | Client | Comma-separated list of users | | List of service users (e.g. hive, impala) that bypass the Sentry metastore authorization. These services handle the metadata authorization on their side. |
| Some common client properties, same as the file-based provider (deprecated names in brackets). Note: some might need an update, see SENTRY-295. | | | | |
| sentry.provider (hive.sentry.provider) | Client | org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider | org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider | Group mapping which should be used on the client side |
| sentry.hive.server (hive.sentry.server) | Client | like "server1" | HS2 | Hive Server2 server identifier like "server1" |
| sentry.hive.provider.backend | Client | org.apache.sentry.provider.db.SimpleDBProviderBackend, org.apache.sentry.provider.file.SimpleFileProviderBackend | org.apache.sentry.provider.file.SimpleFileProviderBackend | Privilege provider to be used; file-based and DB-based providers are supported |

...
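
A configuration review based on the table above, as an added example that is not part of the original page or the Sentry project: it reads a Hadoop-style XML properties file (the layout used by sentry-site.xml, assumed here) and reports service settings left at the documented defaults or with authentication turned off. Treating the table's defaults as the effective value of an absent key, and every sample value in the block, are assumptions.

```python
import xml.etree.ElementTree as ET

# Defaults copied from the table on this page; applying them to absent keys is an assumption.
DEFAULTS = {
    "sentry.service.security.mode": "kerberos",
    "sentry.service.server.rpc-address": "0.0.0.0",
    "sentry.store.jdbc.password": "Sentry",
}

def load_props(xml_text):
    """Parse <property><name/><value/></property> entries on top of the defaults."""
    props = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return sorted (property, finding) pairs for settings worth reviewing."""
    p, out = load_props(xml_text), []
    mode = p["sentry.service.security.mode"].lower()
    if mode == "none":
        out.append(("sentry.service.security.mode", "Kerberos authentication is off"))
    if mode == "kerberos":
        for key in ("sentry.service.server.principal", "sentry.service.server.keytab"):
            if not p.get(key):
                out.append((key, "not set although mode is kerberos"))
    if p["sentry.store.jdbc.password"] == DEFAULTS["sentry.store.jdbc.password"]:
        out.append(("sentry.store.jdbc.password", "documented default password in use"))
    if p["sentry.service.server.rpc-address"] == "0.0.0.0":
        out.append(("sentry.service.server.rpc-address", "binds every interface"))
    return sorted(out)

def _xml(props):
    """Build a constructed sample file from a dict (helper for the samples below)."""
    rows = (f"<property><name>{k}</name><value>{v}</value></property>" for k, v in props.items())
    return "<configuration>" + "".join(rows) + "</configuration>"

# Constructed samples (hypothetical principal, path and address), not taken from the page.
WEAK_XML = _xml({"sentry.service.security.mode": "none"})
HARDENED_XML = _xml({
    "sentry.service.security.mode": "kerberos",
    "sentry.service.server.principal": "sentry/host.example.com@EXAMPLE.COM",
    "sentry.service.server.keytab": "/etc/sentry/sentry.keytab",
    "sentry.service.server.rpc-address": "10.0.0.5",
    "sentry.store.jdbc.password": "constructed-non-default-value",
})

if __name__ == "__main__":
    print(audit(WEAK_XML))
```

A file that sets nothing is evaluated against the table's defaults, so it still reports the default JDBC password, the 0.0.0.0 bind address, and the missing principal and keytab.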