...
| Config property | Scope | Values | Default | Description |
|---|---|---|---|---|
| sentry.verify.schema.version | Service | true, false | true | Sentry store will verify the schema version in backed DB with expected version in jar. The service won't start if there's a mismatch |
| sentry.service.server-max-threads | Service | Number of threads | 500 | Max worker threads to serve client requests |
sentry.service.server-min-threads | Service | Number of threads | 10 | Min worker threads to serve client requests |
| sentry.service.allow.connect | Service | comma separated list of users | - | List of users that are allowed to connect to the service (eg Hive, Impala) |
| sentry.store.jdbc.url | Service | JDBC connection URL | - | JDBC connection URL for the backed DB |
| sentry.store.jdbc.user | Service | user name | Sentry | Userid for connecting to backend db |
| sentry.store.jdbc.password | Service | password | Sentry | password for backend JDBC user |
| sentry.service.server.keytab | Service | Keytab file | - | Keytab for service principal |
| sentry.service.server.rpc-port | Service | Port # | 8038 | TCP port number for service |
| sentry.service.server.rpc-address | Service | TCP bind address | 0.0.0.0 | TCP interface for service to bind to |
| sentry.store.jdbc.driver | Service | Backend JDBC driver | org.apache.derby.jdbc.EmbeddedDriver (only when dbtype = derby) | JDBC Driver class for the backed DB |
| sentry.service.admin.group | Service | Comma separates list of groups | List of groups allowed to make policy updates | |
| sentry.store.group.mapping | Service | org.apache.sentry.provider.common.HadoopGroupMappingService | org.apache.sentry.provider.common.HadoopGroupMappingService | Group mapping class for Sentry service. org.apache.sentry.provider.file.LocalGroupMappingService can be used for local group mapping. |
| sentry.store.group.mapping.resource | Service | Policy file for group mapping | Policy file path for local group mapping, when sentry.store.group.mapping is set to LocalGroupMappingService class. | |
| sentry.service.security.mode | Both | kerberos, none | kerberos | Authentication mode for Sentry service. Currently supports Kerberos and trusted mode |
sentry.service.server.principal | Both | Kerberos principal | Service Kerberos principal | |
| sentry.service.client.server.rpc-address | Client | TCP address of the server | - | TCP address of the sentry store server |
| sentry.service.client.server.rpc-port | Client | Port # of the server | - | Port # of the sentry store server |
| sentry.service.client.server.rpc-connection-timeout | Client | timeout | 200000 | RPC connection timeout in milisecs |
| sentry.metastore.service.users | Client | comma separated list of users | List of service users (eg hive, impala) to bypass the Sentry metastore authorization. These services handle the metadata authorization on their side. | |
| Some common client properties same as file based provider (deprecated names in bracket) Note: Some might need an update SENTRY-295 | ||||
sentry.provider (hive.sentry.provider) | Client | org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider | org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider | Group mapping which should be used at client side |
sentry.hive.server (hive.sentry.server) | Client | like "server1"HS2 | - | Hive Server2 Server identifier like "server1" |
sentry.hive.provider.backend | Client | org.apache.sentry.provider.db.SimpleDBProviderBackend org.apache.sentry.provider.file.SimpleFileProviderBackend | org.apache.sentry.provider.file.SimpleFileProviderBackend | Privilege provider to be used, we support file based or db based |
...