
Hadoop Authorization

Applies to: Kyvos Enterprise, Kyvos Cloud (SaaS on AWS), Kyvos AWS Marketplace, Kyvos Azure Marketplace, Kyvos GCP Marketplace, Kyvos Single Node Installation (Kyvos SNI)


The Hadoop Authorization type can be None, Sentry, or Ranger.

Note

  • The Sentry option is available ONLY if Cloudera is selected as the Hadoop Vendor.

  • From Kyvos 2023.3 onwards, you can see the details of the last performed Hadoop Authorization operation, including progress status and start time, by clicking the i icon located next to the Revert button. To view more comprehensive details, click the View Details link, which takes you to the Operations page, where you can view the operation information in detail.

The following figure illustrates the Hadoop Authorization configuration.

Note

The figure shows the Hadoop Authorization configuration fields displayed for Sentry. Fields for both Ranger and Sentry are described in the following sections.

Prerequisites for Sentry

If using Sentry, make the following configurations on the Cloudera Manager before proceeding.

  1. Go to the HDFS service of Cloudera Manager and add the following properties and values in the Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml.
    This is available if user impersonation is enabled in Kyvos using the following properties.

    • hadoop.proxyuser.kyvos.hosts

    • hadoop.proxyuser.kyvos.groups

  2. Go to the Sentry service of Cloudera Manager and add kyvos in the service.allow.connect property.

  3. On the navigation pane, click Security > Hadoop Authorization.

  4. Enter details as: 

| Authorization Type | Parameter/Field | Comments/Description |
|---|---|---|
| SENTRY | Sentry Source Node | To use the Hive Source Node, select the Same As Hive Node option. Else, select the Other Node option. |
| | Sentry Node Host Name | If you selected the Other Node option above, enter the DNS name or IP address of the Sentry Node. |
| | Use different user account for accessing Sentry Node | Select the check box if you want to use a different user account (other than the login user) for accessing the Sentry node. If you select this option, you will be prompted to provide Username, Authentication Type, and Password/Shared Key for authentication. |
| | Sentry Library Path | Provide the absolute path to the Sentry library JAR file to include in order to enable Sentry in Kyvos Manager. Refer to the Appendix for the Hadoop library and configuration paths for Cloudera. |
| | Sentry Configuration File | Upload the Sentry configuration file. |
| RANGER | Add Parameter | No additional configuration is required for this. |

NOTE: Kyvos does not support column-level security with Ranger, as Ranger does not provide the ability to integrate column-level security with a third party.

The JDBC URL under HCatalog Parameters is mandatory for Ranger authorization while configuring the Hadoop ecosystem on the Kyvos Manager portal.

  5. Click the Validate button to validate the Sentry settings for user authentication and paths that connect to the Sentry node.
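
The following is an added example, not part of the Kyvos documentation: a small Python audit of core-site.xml for the two hadoop.proxyuser.kyvos.* properties named in step 1. It flags a property that is missing or empty, or that contains the * wildcard, which in Hadoop allows impersonation from any host or on behalf of members of any group. The sample XML and its group names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PROXY_USER = "kyvos"         # proxy user named in the Sentry prerequisites
SCOPES = ("hosts", "groups")  # the two proxyuser properties listed in step 1

# Constructed sample core-site.xml fragment (values are illustrative only).
SAMPLE_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.proxyuser.kyvos.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.kyvos.groups</name>
    <value>bi_analysts, bi_admins</value>
  </property>
</configuration>"""


def read_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_proxyuser(xml_text, user=PROXY_USER):
    """Return (property, finding) pairs for missing, empty or wildcard settings."""
    props = read_properties(xml_text)
    findings = []
    for scope in SCOPES:
        key = f"hadoop.proxyuser.{user}.{scope}"
        if key not in props:
            findings.append((key, "missing"))
            continue
        entries = [e.strip() for e in props[key].split(",") if e.strip()]
        if not entries:
            findings.append((key, "empty"))
        elif "*" in entries:
            findings.append((key, "wildcard"))  # any host / any group
    return findings


if __name__ == "__main__":
    for key, finding in audit_proxyuser(SAMPLE_CORE_SITE):
        print(f"{key}: {finding}")
```

An empty result means both properties are present and list explicit hosts and groups.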

Copyright Kyvos, Inc. All rights reserved.