sentry-provider.ini
[groups]
# Assigns each Hadoop group to its set of roles
engineer = engineer_role
ops = ops_role
dev_ops = engineer_role, ops_role
hbase_admin = hbase_admin_role
[roles]
# The following grants all access to source_code.
# "collection = source_code" can also be used as syntactic
# sugar for "collection = source_code->action=*"
engineer_role = collection = source_code->action=*
# The following imply more restricted access.
ops_role = collection = hive_logs->action=Query
dev_ops_role = collection = hbase_logs->action=Query
# Give hbase_admin_role the ability to create/delete/modify the hbase_logs collection,
# as well as to update the config for the hbase_logs collection, called hbase_logs_config.
hbase_admin_role = collection=admin->action=*, collection=hbase_logs->action=*, config=hbase_logs_config->action=*
I do not understand the syntax used here or what it means. Where do these group and role values come from? Why are there two = symbols on one line?
Thanks!
Sentry depends on an underlying authentication framework (i.e. Kerberos or LDAP) to reliably identify the requesting user. This tells you what groups a user belongs to.
The Sentry configuration then defines roles. This is a level of indirection that lets you share/re-use sets of privileges across multiple groups.
Group(s) can be assigned to a role, thus giving the users in those groups the privileges associated with the role.
Privileges are defined on (typically) Hive tables or Solr collections. This can be done at several levels (server, database and/or table in the case of Hive, or collection in the case of Solr).
So the following line:
engineer_role = collection = source_code->action=*
should be interpreted to mean: The engineer role has one privilege, which is: for the "source_code" collection, allow all actions.
When put together with group information:
[groups]
engineer = engineer_role
[roles]
engineer_role = collection = source_code->action=*
This means that any user in the "engineer" group (as determined by your authentication framework) belongs to the "engineer_role" role, and thus can perform any action on the "source_code" collection in Solr.
There are more detailed examples in the Cloudera documentation (CDH 5.8):
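To make the user -> group -> role -> privilege chain from the answer concrete, here is an added example (not code from the question, the answer, or Sentry itself) that parses the policy file from the question and answers "may this user perform this action on this object?". It uses Python's configparser, which splits each line on its first "=", so the group or role name is the key and everything after it (including any further "=") is the value; that is where the two "=" signs on one line come from. The user-to-group lookup that Kerberos/LDAP would normally supply is a constructed dict (USER_GROUPS) and is an assumption of the example, as are the user names in it. Privilege matching treats a privilege's object as a prefix of the requested object, which is how Hive's server->db->table hierarchy works and reduces to an exact match for Solr collections; this generalizes beyond the Solr-only case shown in the thread.

```python
"""Parse a Sentry-style policy file ([groups] / [roles] INI format) and
resolve user -> groups -> roles -> privileges into allow/deny decisions.
Added illustration, not Sentry's own code; it models the policy file only."""
import configparser
from typing import Dict, List, Tuple

# Constructed copy of the policy file from the question.
POLICY_INI = """
[groups]
engineer = engineer_role
ops = ops_role
dev_ops = engineer_role, ops_role
hbase_admin = hbase_admin_role

[roles]
engineer_role = collection = source_code->action=*
ops_role = collection = hive_logs->action=Query
dev_ops_role = collection = hbase_logs->action=Query
hbase_admin_role = collection=admin->action=*, collection=hbase_logs->action=*, config=hbase_logs_config->action=*
"""

# Constructed stand-in for the authentication framework's group lookup
# (Kerberos/LDAP-backed Hadoop group mapping in a real deployment).
USER_GROUPS: Dict[str, List[str]] = {
    "alice": ["engineer"],
    "bob": ["ops"],
    "carol": ["dev_ops"],
    "dave": ["hbase_admin"],
    "eve": [],                       # authenticated, but in no mapped group
}

Parts = Tuple[Tuple[str, str], ...]  # e.g. (("collection", "source_code"),)


def parse_privilege(spec: str) -> Tuple[Parts, str]:
    """'collection = hive_logs->action=Query' -> ((('collection','hive_logs'),), 'Query').
    A spec with no action segment is sugar for action=* (every action)."""
    parts: List[Tuple[str, str]] = []
    action = "*"
    for segment in spec.split("->"):
        key, sep, value = segment.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"malformed privilege segment: {segment!r}")
        if key == "action":
            action = value
        else:
            parts.append((key, value))
    if not parts:
        raise ValueError(f"privilege names no object: {spec!r}")
    return tuple(parts), action


class SentryPolicy:
    def __init__(self, text: str) -> None:
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str          # keep group/role names case-sensitive
        cp.read_string(text)
        # configparser splits on the FIRST '=': key = group/role name,
        # value = the rest of the line (which may itself contain '=').
        self.groups: Dict[str, List[str]] = {
            g: [r.strip() for r in v.split(",") if r.strip()]
            for g, v in cp["groups"].items()
        }
        self.roles: Dict[str, List[Tuple[Parts, str]]] = {
            r: [parse_privilege(p) for p in v.split(",") if p.strip()]
            for r, v in cp["roles"].items()
        }

    def roles_for(self, user_groups: List[str]) -> List[str]:
        """Roles reachable from the given groups, in policy order, de-duplicated."""
        seen: List[str] = []
        for g in user_groups:
            for r in self.groups.get(g, []):
                if r not in seen:
                    seen.append(r)
        return seen

    def is_allowed(self, user_groups: List[str], object_spec: str, action: str) -> bool:
        """object_spec is written like a privilege without its action, e.g.
        'collection=hive_logs' or 'server=s1->db=d->table=t'. A privilege matches
        when its object is a prefix of the requested object and its action is
        '*' or the requested action (compared case-insensitively)."""
        wanted, _ = parse_privilege(object_spec)
        for role in self.roles_for(user_groups):
            for parts, allowed in self.roles.get(role, []):
                if wanted[:len(parts)] == parts and allowed in ("*",) or \
                   wanted[:len(parts)] == parts and allowed.lower() == action.lower():
                    return True
        return False

    def lint(self) -> List[str]:
        """Dangling references: roles no group uses, groups naming undefined roles."""
        used = {r for rs in self.groups.values() for r in rs}
        problems = [f"role {r!r} is defined but no group is assigned to it"
                    for r in self.roles if r not in used]
        problems += [f"group {g!r} references undefined role {r!r}"
                     for g, rs in self.groups.items() for r in rs if r not in self.roles]
        return problems


def check(policy: SentryPolicy, user: str, object_spec: str, action: str) -> bool:
    """Full chain: user -> groups (constructed lookup) -> roles -> privileges."""
    return policy.is_allowed(USER_GROUPS.get(user, []), object_spec, action)


if __name__ == "__main__":
    policy = SentryPolicy(POLICY_INI)
    for user, obj, act in [("alice", "collection=source_code", "Update"),
                           ("bob", "collection=hive_logs", "Query"),
                           ("bob", "collection=hive_logs", "Update"),
                           ("carol", "collection=hbase_logs", "Query"),
                           ("dave", "config=hbase_logs_config", "Update"),
                           ("eve", "collection=source_code", "Query")]:
        print(f"{user:6} {act:7} {obj:26} -> {'ALLOW' if check(policy, user, obj, act) else 'DENY'}")
    for problem in policy.lint():
        print("lint:", problem)
```

Running the demo also surfaces something worth noticing in the question's own file: the dev_ops group is assigned engineer_role and ops_role, not dev_ops_role, so dev_ops_role is never granted to anyone and a dev_ops user is denied Query on hbase_logs. The lint() method reports exactly that kind of dangling role, which is the check to run before deploying a hand-edited policy file.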