I use rpm to install CDH and Hive with Kerberos, and they are working well.
Now I am configuring Sentry for Hive:
hive-site.xml:
<property>
<name>javax.jdo.option.ConnectionURL</name>
<value>jdbc:mysql://xxxxx/metastore</value>
<description>the URL of the MySQL database</description>
</property>
<property>
<name>javax.jdo.option.ConnectionDriverName</name>
<value>com.mysql.jdbc.Driver</value>
</property>
<property>
<name>javax.jdo.option.ConnectionUserName</name>
<value>hive</value>
</property>
<property>
<name>javax.jdo.option.ConnectionPassword</name>
<value>xxxxx</value>
</property>
<property>
<name>datanucleus.autoCreateSchema</name>
<value>false</value>
</property>
<property>
<name>datanucleus.fixedDatastore</name>
<value>true</value>
</property>
<property>
<name>datanucleus.autoStartMechanism</name>
<value>SchemaTable</value>
</property>
<!--
<property>
<name>hive.metastore.uris</name>
<value>xxxxxxxxx</value>
<description>IP address (or fully-qualified domain name) and port of the metastore host</description>
</property>
-->
<property>
<name>hive.support.concurrency</name>
<description>Enable Hive's Table Lock Manager Service</description>
<value>true</value>
</property>
<property>
<name>hive.zookeeper.quorum</name>
<description>Zookeeper quorum used by Hive's Table Lock Manager</description>
<value>xxxxxxxxxxxx</value>
</property>
<property>
<name>hive.server2.enable.impersonation</name>
<description>Enable user impersonation for HiveServer2</description>
<value>false</value>
</property>
<property>
<name>hive.server2.authentication</name>
<value>KERBEROS</value>
</property>
<property>
<name>hive.server2.authentication.kerberos.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
<property>
<name>hive.server2.authentication.kerberos.keytab</name>
<value>/etc/hive/conf/hive.keytab</value>
</property>
<property>
<name>hive.metastore.sasl.enabled</name>
<value>true</value>
<description>If true, the metastore thrift interface will be secured with SASL. Clients must authenticate with Kerberos.
</description>
</property>
<property>
<name>hive.metastore.kerberos.keytab.file</name>
<value>/etc/hive/conf/hive.keytab</value>
<description>The path to the Kerberos Keytab file containing the metastore thrift server's service principal.
</description>
</property>
<property>
<name>hive.metastore.kerberos.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
<description>The service principal for the metastore thrift server. The special string _HOST will be replaced automatically with the correct host name.
</description>
</property>
<!-- sentry enable -->
<property>
<name>hive.server2.session.hook</name>
<value>org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook</value>
</property>
<property>
<name>hive.sentry.conf.url</name>
<value>/etc/hive/conf</value>
<description>sentry-site.xml file location</description>
</property>
sentry-site.xml:
[users]
lixiang = lixiang
<configuration>
<property>
<name>hive.sentry.provider</name>
<value>org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider</value>
</property>
<property>
<name>hive.sentry.provider.resource</name>
<value>hdfs://xxxxx:49000/user/hive/sentry/sentry-provider.ini</value>
<!--
If the hdfs-site.xml points to HDFS, the path will be in HDFS;
alternatively you could specify a full path, e.g.:
hdfs://namenode:port/path/to/authz-provider.ini
file:///path/to/authz-provider.ini
-->
</property>
<property>
<name>hive.sentry.server</name>
<value>server1</value>
</property>
</configuration>
hdfs --> /user/hive/sentry/sentry-provider.ini:
[databases]
customers = hdfs://xxxxx/user/hive/sentry/customers.ini
[groups]
admin = admin_role
[roles]
admin_role = server=server1->db=*
admin_role = server=server1
hdfs --> /user/hive/sentry/customers.ini:
[groups]
lixiang = customers_select_role
[roles]
customers_insert_role = server=server1->db=customers->table=*->action=insert
customers_select_role = server=server1->db=customers->table=student->action=select
-------------------------------------------------------------------------------------------
Are they OK?
When I addprinc a user called lixiang, and adduser a user called lixiang on Linux, and I execute the 'load data' command into the customers.student table, why is there nothing wrong with it?
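As an added example (not code from the original post), here is a small Python evaluator for the policy-file format shown above: it merges the per-database file referenced under [databases] into the main file and answers whether a group holds a given privilege, so the expected outcome of an insert by group lixiang on customers.student can be read off the policy as written. The file contents are constructed copies of the two ini files in the post with the HDFS paths replaced by in-memory names and the repeated admin_role line reduced to one; treating a missing privilege part as unrestricted and scoping per-database files to their own database are assumptions about Sentry's semantics.

```python
import configparser
POLICY_FILES = {  # constructed copies of the post's two policy files, in-memory
    "sentry-provider.ini": """
[databases]
customers = customers.ini
[groups]
admin = admin_role
[roles]
admin_role = server=server1->db=*
""",
    "customers.ini": """
[groups]
lixiang = customers_select_role
[roles]
customers_insert_role = server=server1->db=customers->table=*->action=insert
customers_select_role = server=server1->db=customers->table=student->action=select
""",
}

def _load(name: str) -> configparser.ConfigParser:
    # Split only on the first '=' so privilege strings keep their own '=' signs.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep group and role names case-sensitive
    cp.read_string(POLICY_FILES[name])
    return cp
def _parse_priv(text: str) -> dict:
    # "server=server1->db=customers->table=student->action=select" -> {part: value}
    return dict(part.strip().split("=", 1) for part in text.split("->"))

def load_policy() -> dict:
    """Map each group to its privileges (main file plus the per-database files under [databases])."""
    main = _load("sentry-provider.ini")
    sources = [(main, None)]
    if main.has_section("databases"):
        sources += [(_load(path), db) for db, path in main.items("databases")]
    grants = {}
    for cp, scope_db in sources:
        roles = {r: [_parse_priv(p) for p in v.split(",")] for r, v in cp.items("roles")}
        for group, names in cp.items("groups"):
            for priv in (p for r in names.split(",") for p in roles.get(r.strip(), [])):
                # Assumption: a per-database file can only grant within its own db.
                if scope_db is None or priv.get("db") == scope_db:
                    grants.setdefault(group, []).append(priv)
    return grants

def allowed(group: str, server: str, db: str, table: str, action: str) -> bool:
    # A part that is '*' or absent from a privilege is unrestricted (assumption).
    request = {"server": server, "db": db, "table": table, "action": action}
    return any(all(p.get(k, "*") in ("*", v) for k, v in request.items())
               for p in load_policy().get(group, []))
```

With the policy as written, only customers_select_role is bound to the lixiang group, so the evaluator denies insert on customers.student for that group while granting it to admin.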