| Config property | Scope | Values | Default | Description |
|---|---|---|---|---|
| | | true, false | true | Sentry store will verify the schema version in the backend DB against the expected version in the jar. The service won't start if there's a mismatch. |
| sentry.service.server-max-threads | Service | Number of threads | 500 | Max worker threads to serve client requests |
| | Service | Number of threads | 10 | Min worker threads to serve client requests |
| sentry.service.allow.connect | Service | Comma-separated list of users | - | List of users that are allowed to connect to the service (e.g. Hive, Impala) |
| | | connection URL | - | JDBC connection URL for the backend DB |
| | | name | Sentry | Userid for connecting to backend DB |
| | | | | for backend JDBC user |
| sentry.service.server.keytab | Service | Keytab file | - | Keytab for service principal |
| sentry.service.server.rpc-port | Service | Port # | 8038 | TCP port number for service |
| sentry.service.server.rpc-address | Service | TCP bind address | 0.0.0.0 | TCP interface for service to bind to |
| | | JDBC driver | org.apache.derby.jdbc.EmbeddedDriver (only when dbtype = derby) | JDBC Driver class for the backend DB |
| sentry.service.admin.group | Service | Comma-separated list of groups | | List of groups allowed to make policy updates |
| | | | org.apache.sentry.provider.common.HadoopGroupMappingService | Group mapping class for Sentry service. org.apache.sentry.provider.file.LocalGroupMappingService can be used for local group mapping. |
| | | file for group mapping | | Policy file path for local group mapping, when is set to LocalGroupMappingService class. |
| | | , none | kerberos | Authentication mode for Sentry service. Currently supports Kerberos and trusted mode |
| | Both | Kerberos principal | | Service Kerberos principal |
| sentry.service.client.server.rpc-address | Client | TCP address of the server | - | TCP address of the Sentry store server |
| sentry.service.client.server.rpc-port | Client | Port # of the server | - | Port # of the Sentry store server |
| sentry.service.client.server.rpc-connection-timeout | Client | timeout | 200000 | RPC connection timeout in milliseconds |
| sentry.metastore.service.users | Client | Comma-separated list of users | | List of service users (e.g. hive, impala) to bypass the Sentry metastore authorization. These services handle the metadata authorization on their side. |

Some common client properties are the same as for the file-based provider (deprecated names in brackets). Note: Some might need an update (SENTRY-295).

| Config property | Scope | Values | Default | Description |
|---|---|---|---|---|
| sentry.provider (hive.sentry.provider) | | | org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider | Group mapping which should be used at client side |
| sentry.hive.server (hive.sentry.server) | Client | like "server1" | | HS2-Hive Server2 Server identifier like "server1" |
| | | | | Privilege provider to be used; file-based and DB-based providers are supported |