The simple shell is a command-line tool for managing Sentry metadata, e.g.:

bin/sentryShell --grant_privilege_role -r analyst -p "server=server1->db=db2->table=tab1->action=select" -conf sentry-site.xml

The simple shell currently handles only Hive authorization metadata, and supports the following commands:

  1. create/drop role
  2. add/delete group to/from role
  3. grant/revoke privilege to/from role
  4. list role for group
  5. list privilege for role


Create role

Create the role with the given role name.

For example: 

bin/sentryShell -cr -r <role name> -conf <the path for sentry configuration file>

or

bin/sentryShell --create_role -r <role name> -conf <the path for sentry configuration file>

Note: the conf argument is required; it gives the path to the Sentry configuration file.


Drop role

Drop the role with the given role name.

For example: 

bin/sentryShell -dr -r <role name> -conf <the path for sentry configuration file>

or

bin/sentryShell --drop_role -r <role name> -conf <the path for sentry configuration file>


Add group to role

Add the group to role with the given group name and role name. 

For example: 

bin/sentryShell -arg -r <role name> -g <group name> -conf <the path for sentry configuration file>

or

bin/sentryShell --add_role_group -r <role name> -g <group name> -conf <the path for sentry configuration file>


Delete group from role

Delete the group from role with the given group name and role name. 

For example: 

bin/sentryShell -drg -r <role name> -g <group name> -conf <the path for sentry configuration file>

or

bin/sentryShell --delete_role_group -r <role name> -g <group name> -conf <the path for sentry configuration file>


Grant privilege to role

Grant the privilege to role with the given privilege string and role name. 

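The format of the privilege string is server=serverName->db=databaseName->table=tableName->column=columnName->action=actionName

Quote the privilege string on the command line. Unquoted, the shell treats each > as output redirection, so sentryShell receives only the text before the first > (for example server=serverName-) and the remaining pieces become file names.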

For example: 

bin/sentryShell -gpr -r <role name> -p <privilege string> -conf <the path for sentry configuration file>

or

bin/sentryShell --grant_privilege_role -r <role name> -p <privilege string> -conf <the path for sentry configuration file>
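
An added example, not part of the Sentry documentation or code: a pre-grant check that parses a privilege string in the format above and flags malformed or overly broad grants before they are passed to -p. The function name check_privilege and the review policy (no action, action all or *, no table scope) are assumptions of this example; the sample strings are constructed.

```shell
#!/usr/bin/env bash
# Added example: lint a privilege string before handing it to sentryShell -p.
# Key names and order come from the format line above; the "review" policy
# (missing action, all/*, no table scope) is an assumption of this example.

# Prints "ok", "review: <why>" or "invalid: <why>"; returns 0, 2 or 1.
check_privilege() {
  local sep='->' part key val rank last=0 scope=0 action=''
  local rest="$1$sep"            # terminate so every part ends in ->
  while [ -n "$rest" ]; do
    part=${rest%%"$sep"*}; rest=${rest#*"$sep"}
    case $part in
      ?*=?*) key=${part%%=*}; val=${part#*=} ;;
      *) echo "invalid: malformed part '$part'"; return 1 ;;
    esac
    case $key in
      server) rank=1 ;; db) rank=2 ;; table) rank=3 ;; column) rank=4 ;;
      action) rank=5; action=$val ;;
      *) echo "invalid: unknown key '$key'"; return 1 ;;
    esac
    # server, db, table, column nest without gaps; action may end any scope.
    if [ "$rank" -ne $((last + 1)) ] &&
       { [ "$rank" -ne 5 ] || [ "$last" -eq 0 ] || [ "$last" -ge 5 ]; }; then
      echo "invalid: '$key' out of order"; return 1
    fi
    if [ "$rank" -le 4 ]; then scope=$rank; fi
    last=$rank
  done
  case $action in
    '') echo "review: no action given"; return 2 ;;
    all|ALL|'*') echo "review: action=$action"; return 2 ;;
  esac
  [ "$scope" -ge 3 ] || { echo "review: no table scope"; return 2; }
  echo ok
}

# Constructed samples. The last one is what an unquoted argument is cut
# down to, because the shell treats each '>' as output redirection.
for p in 'server=server1->db=db2->table=tab1->action=select' \
         'server=server1->db=db2->action=all' \
         'db=db2->table=tab1->action=select' \
         'server=server1-'; do
  printf '%-52s %s\n' "$p" "$(check_privilege "$p")"
done
```
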

 

Revoke privilege from role

Revoke the privilege from role with the given privilege string and role name. 

For example: 

bin/sentryShell -rpr -r <role name> -p <privilege string> -conf <the path for sentry configuration file>

or

bin/sentryShell --revoke_privilege_role -r <role name> -p <privilege string> -conf <the path for sentry configuration file>

 

List roles

List the roles for the given group, or list all roles when no group name is given.

For example: 

bin/sentryShell -lr -conf <the path for sentry configuration file>

bin/sentryShell -lr -g <group name> -conf <the path for sentry configuration file>

or

bin/sentryShell --list_role -conf <the path for sentry configuration file>

bin/sentryShell --list_role -g <group name> -conf <the path for sentry configuration file>

 

List privilege for role

List the privileges with the given role name. 

For example: 

bin/sentryShell -lp -r <role name> -conf <the path for sentry configuration file>

or

bin/sentryShell --list_privilege -r <role name> -conf <the path for sentry configuration file>

 

Help

Print the help information.

For example:

bin/sentryShell -h

or

bin/sentryShell --help

 

 
