[SOLVED] Configure Sentry to show/hide different databases for different users

Configure Sentry to show/hide different databases for different users

I have a cluster running with cdh-5.7.0 and configured the following setup

hadoop with kerberos
hive with LDAP authentication
hive with sentry authorization (rules stored in JDBC derby)

My goal is to restrict users to see which databases exist in my system. E.g.:

User-A should only see database DB-A when execute show databases
User-B should only see database DB-B when execute show databases

I followed the article https://blog.cloudera.com/blog/2013/12/how-to-get-started-with-sentry-in-hive/ to make that happen. But without success. What I achieved was that

User-A can only select tables from DB-A and not from DB-B.
User-B can only select tables from DB-B and not from DB-A.

But both can still see DB-A and DB-B when executing show databases. But i want to avoid this.

Any hints from you how the rules or the setup could looks like to get that running?

Thanks Marko

Solution

According your description and from what I've learned from existing setups, in case of Sentry v1.6+ you need to add the following property to your hive-site.xml:

<property>
  <name>hive.metastore.filter.hook</name>
  <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
</property>

Even if you are on CDH 5.7, the MapR 5 documentation is providing some context. As well Sentry Service Interactions.

After re-starting the Hive service you should be able to see the result which you are expecting.