All of these are hooks in various services, where there is a Sentry client plugged in as a hook. Please note that, below hooks are for V1:

HS2:

Executed at beginning of each new session: All beeline commands

Hive.server2.session.hook

=org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook


Metastore hook class for further filtering the metadata read results on client side: Show tables/databases through beeline

hive.metastore.filter.hook

=org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook

 

For Grant/Revoke commands: Validation and authz (SentryGrantRevokeTask)

hive.security.authorization.task.factory

=org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl

Other:

SentryHiveMetaStoreClient: Filters (TODO: What is its intended purpose as compared to SentryMetaStoreFilterHook?)

HMS:

hive.metastore.pre.event.listeners

=org.apache.sentry.binding.metastore.MetastoreAuthzBinding

HMS writes, adds ip/op hierarchies and calls authz binding


hive.metastore.event.listeners

=org.apache.sentry.binding.metastore.SentryMetastorePostEventListener

  • For propagating create/drop/rename events

  • For path updates for HDFS plugin

sentry.metastore.plugins

=org.apache.sentry.hdfs.MetastorePlugin (called by PostEventListener)

  • For path updates for hdfs sync

NN (active & standby):

dfs.namenode.authorization.provider.class

=org.apache.sentry.hdfs.SentryAuthorizationProvider


  • No labels