Role Based Access Control in Sqoop2

Brief Introduction

The Sqoop 1.99.6 release added several security features to Sqoop 2 that enable its use in environments where security concerns have to be addressed. These include:

  1. Simple authorization
  2. 3rd party authorization through Sentry

This blog post details how to set up Sqoop2 with role based access control.

Role based access control development in Sqoop2 was a co-engineering effort of Intel and Cloudera.

Simple Authorization

 

Configuration

Set the following configuration properties in sqoop.properties, normally in <Sqoop Folder>/server/config/sqoop.properties.

org.apache.sqoop.security.authorization.handler=org.apache.sqoop.security.authorization.DefaultAuthorizationHandler
org.apache.sqoop.security.authorization.access_controller=org.apache.sqoop.security.authorization.DefaultAuthorizationAccessController
org.apache.sqoop.security.authorization.validator=org.apache.sqoop.security.authorization.DefaultAuthorizationValidator
org.apache.sqoop.security.authorization.authentication_provider=org.apache.sqoop.security.authorization.DefaultAuthenticationProvider
org.apache.sqoop.security.authorization.server_name=SqoopServer1
  • These are the default values, so the server still works if all of these configuration properties are commented out.

Run command

Start Sqoop server and client

<Sqoop Folder>/bin/sqoop.sh server start
<Sqoop Folder>/bin/sqoop.sh client

Comment

The default authorization handler, access controller and validator do not perform any privilege checks; they only add an entry to the log file.

Apache Sentry Integration

 

Setting up Sentry in Sqoop2 is a breeze. It can be achieved in 5 steps:

1. Set up Sentry

Install and run Sentry Service:

sentry --command service -c sentry-site.xml

Check out the Apache Sentry site for more information on setting up Sentry.

2. Configuration

Set the following configuration properties in sqoop.properties, normally in <Sqoop Folder>/server/config/sqoop.properties.

org.apache.sqoop.security.authorization.handler=org.apache.sqoop.security.authorization.SentryAuthorizationHandler
org.apache.sqoop.security.authorization.access_controller=org.apache.sqoop.security.authorization.SentryAuthorizationAccessController
org.apache.sqoop.security.authorization.validator=org.apache.sqoop.security.authorization.SentryAuthorizationValidator
org.apache.sqoop.security.authorization.authentication_provider=org.apache.sqoop.security.authorization.DefaultAuthenticationProvider
org.apache.sqoop.security.authorization.server_name=SqoopServer1

3. Add Sentry client jar

Copy Sentry-client.jar into <Sqoop Folder>/server/war/sqoop/WEB-INF/lib/

4. Run command

Start Sqoop server and client

<Sqoop Folder>/bin/sqoop.sh server start
<Sqoop Folder>/bin/sqoop.sh client

5. Verify

Now that you have the Sqoop2 server running with Sentry integration, try out a command in the client:

show role
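
Because the Default classes accept every request, a half-edited sqoop.properties can leave the server running without enforcement. The check below is an added example, not code from Sqoop or from this post; the names parse_properties, audit and SAMPLE are hypothetical, and the treatment of an unset property as the Default class follows the note in the Simple Authorization section.

```python
"""Audit sqoop.properties for the authorization mode (added example)."""
NS = "org.apache.sqoop.security.authorization."
# Property key -> class-name suffix, taken from the two listings in this post.
ROLES = {"handler": "AuthorizationHandler",
         "access_controller": "AuthorizationAccessController",
         "validator": "AuthorizationValidator"}

def parse_properties(text):
    """Active key=value pairs; comment lines (# or !) are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (mode, findings); mode: sentry, default, unknown or mixed."""
    props = parse_properties(text)
    findings, kinds = [], set()
    for key, suffix in ROLES.items():
        value = props.get(NS + key)
        if value == NS + "Sentry" + suffix:
            kinds.add("sentry")
        # Assumption from the post: an unset property falls back to the Default class.
        elif value is None or value == NS + "Default" + suffix:
            kinds.add("default")
            state = "not set" if value is None else "Default class"
            findings.append(f"{key}: {state}, no privilege checks")
        else:
            kinds.add("unknown")
            findings.append(f"{key}: unrecognized class {value}")
    if kinds == {"sentry"} and not props.get(NS + "server_name"):
        findings.append("server_name: not set")
    return (kinds.pop() if len(kinds) == 1 else "mixed"), findings

# Constructed sample: Sentry enabled, but the validator line left commented out.
SAMPLE = "\n".join([
    NS + "handler=" + NS + "SentryAuthorizationHandler",
    NS + "access_controller=" + NS + "SentryAuthorizationAccessController",
    "#" + NS + "validator=" + NS + "SentryAuthorizationValidator",
    NS + "server_name=SqoopServer1"])

if __name__ == "__main__":
    mode, findings = audit(SAMPLE)
    print(mode, findings)
```

A result of "mixed" or "default" means at least one of the three components is not a Sentry class, so the file should be corrected before the server is started.
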

Summary

We hope you enjoy the new role based access control and Sentry integration in Sqoop2. If you have any questions, reach out to us at team@ingest.tips.
