Introduction
The Cloudera distribution of Hadoop uses Sentry for authorization, while Hortonworks uses Ranger. Let us look at each of these authorization mechanisms.
Implementing Authorization in Cloudera Using Sentry
How can you implement authorization in Cloudera using Sentry?
- Consider an example where Alice and Bob belong to an Active Directory (AD) group called the finance department. Bob also belongs to a group called finance-managers. This is an implementation of an authentication protocol.
- In Sentry, you create roles and grant privileges to these roles. Here, for example, you create two roles: Analyst and Admin. You can grant SELECT access on the Customer and Sales tables to the Analyst role, and SELECT, UPDATE, DELETE and INSERT access on the same tables to the Admin role. This is an implementation of the authorization protocol.
- Now, you can join these authentication and authorization entities to give the users actual access. For example, you grant the Analyst role to the finance department group and the Admin role to the finance-managers group.
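The three steps above, written as the Sentry statements an administrator would run in Beeline or impala-shell. This is an added example, not taken from Cloudera documentation or from the original article. The database name `finance`, the role names `analyst_role` and `admin_role`, and the group names `finance_department` and `finance-managers` (as the AD groups are assumed to resolve on the cluster) are assumptions.

```sql
-- Run as a user whose group is listed as a Sentry admin group.
-- Assumed: the Customer and Sales tables live in a database named finance.
USE finance;

-- Step 1: create the roles (the page's Analyst and Admin roles).
CREATE ROLE analyst_role;
CREATE ROLE admin_role;

-- Step 2: grant privileges to the roles, never to individual users.
-- Analyst: read-only access to both tables.
GRANT SELECT ON TABLE customer TO ROLE analyst_role;
GRANT SELECT ON TABLE sales    TO ROLE analyst_role;

-- Admin: Sentry does not define separate UPDATE and DELETE table
-- privileges, so the page's SELECT/UPDATE/DELETE/INSERT set is
-- expressed here as ALL (assumption about the intended mapping).
GRANT ALL ON TABLE customer TO ROLE admin_role;
GRANT ALL ON TABLE sales    TO ROLE admin_role;

-- Step 3: bind roles to groups. Sentry maps roles to groups only;
-- Alice and Bob get access through their group membership.
GRANT ROLE analyst_role TO GROUP finance_department;
-- Group names with characters other than letters, digits and
-- underscores must be quoted with backticks.
GRANT ROLE admin_role TO GROUP `finance-managers`;

-- Verification: review what each group and role actually holds.
SHOW ROLE GRANT GROUP finance_department;
SHOW ROLE GRANT GROUP `finance-managers`;
SHOW GRANT ROLE analyst_role;
SHOW GRANT ROLE admin_role;

-- Run as Alice or Bob to confirm the roles active in the session.
SHOW CURRENT ROLES;
```

With these grants, Alice can only read the two tables, while Bob holds both roles and is the only one of the two who can modify them.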
Security Procedures in Hortonworks Using Ranger
Let us now have a look at security procedures that we can implement in Hortonworks using Ranger:
- Ranger provides a centralized platform to define, administer and manage security policies consistently across Hadoop components.
- Ranger has a UI, and it offers a centralized security framework across HDFS, Hive, HBase, Storm, Knox, Solr, Kafka, NiFi, and YARN.
- Using the Ranger console, you can easily manage policies for access to files, folders, databases, tables, and columns.
- Ranger Key Management Service (KMS) provides a scalable cryptographic key management service for HDFS "data at rest" encryption.
Ranger vs. Sentry: What to Choose for Security Implementation?
So, which should you choose to secure your cluster: Ranger or Sentry? A few years ago you would not have had this choice, because Cloudera users opted for Sentry and Hortonworks users went for Ranger.
Now, however, things have changed: on 3 January 2019 Cloudera Inc. announced its merger with Hortonworks Inc. People who have worked with both have an opinion on this question, and they say that Sentry was the weak link in the Cloudera offering. Let us see why:
Below are some of the differences between services offered by Ranger and Sentry:
Conclusion
As you can see, Ranger supports more features and integrates with more Hadoop components than Sentry.
Hence, after the merger, it is believed that Sentry is deprecated and will be replaced by Ranger.