Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Sentry currently has involved into a universal authorization policy engine. It has been successfully integrated with Apache Hive, Apache Sqoop2, Apache Solr, Apache Kafka, HDFS and Cloudera Impala. Sentry is pluggable and it is fairly simple to delegate Sentry to your authorization and policy management needs. In this document we talk about the main steps required for integration, code organization and examples to get you started.

Main modules:

  • Generic Authorization static data:

    • authorizables, privileges, and corresponding backend metadata: so new engine will need to extend implementation to cover these pieces, e.g. Define authorization model, Define privilege model with authorization model and action factory;

  • Generic Authorization processing engine:

    • get privileges with backend, do the transformation (currently, there is no transformation), return the privileges. It also return the PrivilegeFactory. All the implementation is based on the previous framework, and I think we can improve the framework to make it more clearly.

  • Policy enforcement plugin running on apache components side

    • hook and binding

Integration main steps:

       Apache Kafka will be the example for the following guide.

  1. Define authorization model (reference code:
    1. Create the sentry-core-model-kafka for Kafka.
    2. Create KafkaAuthorizable which should extend the interface Authorizable
    3. Create all authorization types with enum AuthorizableType in KafkaAuthorizable, eg, Cluster, Host, etc.
    4. Create sub class of KafkaAuthorizable for every authorization type, eg, Cluster, Host, etc.
  2. Define action factory  (reference code:
    1. KafkaActionFactory defines all actions for Kafka with name and code, eg, READ(0x0001), WRITE(0x0002), etc.
    2. The action code will be used for action imply with operation &. The imply rule is defined in org.apache.sentry.core.common.BitFieldAction. According to the rule, READ imply WRITE = FALSE, ALL imply WRITE = TRUE.
  3. Define privilege model with authorization model and action factory (reference code:
    1. Create implyMethodMap which is responsible for imply the authorization types which is defined in KafkaAuthorizable, the imply rule is defined in org.apache.sentry.policy.common.CommonPrivilege. The following are the supported imply methods for the authorization types:
      1. STRING : compare the authorization type as string and case insensitive.

      2. STRING_CASE_SENSITIVE : compare the authorization type as string and case sensitive.

      3. URL : compare the authorization type as url according to org.apache.sentry.core.common.utils.PathUtils.

    2. Implement the getImplyMethodMap() with the created implyMethodMap.
    3. Implement the getBitFieldActionFactory with KafkaActionFactory.
  4. Define the binding (reference code:
    1. Crete the KafkaAuthBinding which is responsible for do the authorization for Kafka.
    2. AuthorizationProvider should be the member of binding and will be initialized with the implementation of PolicyEngine and ProviderBackend. For PolicyEngine, org.apache.sentry.policy.engine.common.CommonPolicyEngine is the default implementation and user can implement the interface if needed. For ProviderBackend, org.apache.sentry.provider.db.generic.SentryGenericProviderBackend is the default implementation. The sample code for the initialization is KafkaAuthBinding.createAuthProvider().
    3. Add the method to expose the AuthorizationProvider.hasAccess(), eg, KafkaAuthBinding.authorize().
  5. Implement the hook (reference code:
    1. The purpose for the hook is to use KafkaAuthBinding.authorize() to do the authorization.
  6. manage the authorization metadata
    1. There are 2 ways to manage the authorization metadata like create role, grant role to group, grant privilege to role, revoke privilege from role, etc.
      1. Implement the hook and using the component's framework to manage the authorization metadata with SentryGenericServiceClient, eg, SentryKafkaAuthorizer.addAcls() for grant privileges to role, SentryKafkaAuthorizer.removeAcls() for revoke privileges from role, etc.
      2. Implement the SentryShellCommon to manage the authorization metadata, eg, SentryShellKafka.

Code organization: