Hive access control with Apache Sentry#

Apache Sentry is a granular, role-based authorization module for Hadoop. Sentry provides the ability to control and enforce precise levels of privileges on data for authenticated users and applications.

Sentry can be used to control access to data reachable in Presto through any catalog that uses the Hive connector. The integration enforces the existing privileges already granted on Hive objects; Presto does not add a separate policy layer. Presto enforces privileges assigned to Hive catalogs, schemas (databases), tables, columns, and views.


Hive level security with Apache Sentry requires a valid Starburst Enterprise Presto license.


Hive access control with Apache Sentry is limited to catalogs using the Hive connector. We suggest replacing it with the more powerful global access control with Apache Ranger, which can secure catalogs using any connector.


Before you configure Presto with Apache Sentry, verify the following prerequisites:

  • CDH 5.12+ with Apache Sentry and Hive installed. CDH 6.x is not supported.

  • Presto coordinator and workers have the appropriate network access to communicate with the Apache Sentry Service. Typically this is port 8038.

  • If LDAP is used for user to groups mapping, Presto coordinator and workers have the appropriate network access to communicate with the LDAP server. Typically this is port 636 or 389.

If you are new to Apache Sentry, Cloudera provides excellent documentation for installing and configuring Apache Sentry.

How it works#

When a query is submitted to Presto, Presto parses and analyzes the query to determine which privileges the user needs on each object it references. Presto then asks the Apache Sentry Service whether the request is allowed. If it is, the query continues to execute; if it is not, because the user lacks the necessary privileges on an object, an error is returned to the user.

Group mapping#

Sentry manages role privileges and the associations between roles and user groups. Sentry does not manage the associations between users and user groups. For this reason, any application using Sentry must be configured so that it can determine a user's groups. In Presto, the property specifies how the user groups are determined. By default it is set to HADOOP_DEFAULT.

Find more information in the documentation from Cloudera.


You may want to reuse your existing sentry-site.xml configuration instead of setting new properties in the Hive catalog. To have Presto read an XML configuration file, set sentry.config.resources to the file location of a sentry-site.xml configuration file.

When using HADOOP_DEFAULT group mapping with sentry.config.resources set, and the provided file(s) contain a value for the group mapping property, that configured user group mapping is used. If you do not set sentry.config.resources, Presto uses Hadoop's default behavior, which is to retrieve user groups from the local operating system. Similarly, when using LDAP group mapping and you provide Hadoop configuration files via the sentry.config.resources property, you can omit the LDAP group mapping properties from the Hive catalog.


There is some latency associated with the remote procedure calls to Apache Sentry, as well as with syncing LDAP groups. To improve performance and reduce the number of requests to the Sentry service, Presto includes a caching mechanism so that subsequent lookups consult the cache before making the remote call.

See the properties table in this document for the cache properties along with their default values. Depending on your use case, you may want to increase or decrease the default TTL values.

ROLES in Presto#

When using Apache Sentry, setting a role makes that role the only active one, and the user has only the privileges granted to that role. By default all assigned roles are active, and the user has the combined privileges of these roles.

See SET ROLE and SHOW ROLES for additional information.

Configuring Presto with Apache Sentry#

Apache Sentry configuration#

As with Hive, Impala, Spark, and Hue, you must create an admin group for Presto named presto. You can do this via Cloudera Manager, or manually by adding it to the admin group property in the sentry-site.xml file. The user that runs the Presto process should belong to this group. Additionally, you must add the Presto user (the primary of sentry.client-principal) to sentry.service.allow.connect in sentry-site.xml.

Presto configuration#

SEP must be configured to enable Presto to communicate with the Apache Sentry service. To enable it, set the following property in the Hive catalog:

When Sentry security is enabled, Presto enforces the same SQL-standard-based authorization that Hive enforces when Sentry is enabled for Hive. Once Apache Sentry is enabled, there are additional required and optional properties to configure.


Presto does not support any modification of authorization policies in Sentry.

The following is a sample of a Hive catalog properties file that is configured to use Apache Sentry for authorization. It utilizes Kerberos for authentication and LDAP for group mapping.






Accessing authorization information#

Sentry authorization information can be accessed by querying the following tables:

  • information_schema.roles - returns information about all existing roles (equivalent of SHOW ROLES)

  • information_schema.applicable_roles - returns the roles granted to the current user

  • information_schema.enabled_roles - returns the roles currently enabled for the user (equivalent of SHOW CURRENT ROLES)

  • information_schema.table_privileges - returns all table privileges granted to the user through the currently enabled roles


  • If you get the exception GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed), make sure you are using the proper sentry.service-principal.

  • If you get a SentryAccessDeniedException, make sure the user you set for sentry.admin-user belongs to one of the groups listed in the admin group property in sentry-site.xml.

  • If Presto cannot connect to a Kerberized Sentry and you get the exception Peer indicated failure: Problem with callback handler, make sure that you added the Presto user (the primary of sentry.client-principal) to sentry.service.allow.connect in sentry-site.xml. Additionally, make sure the letter casing matches exactly.

  • Make sure that your sentry.server value is correct. It is not an IP address or hostname; it is the server object name in Sentry.
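The four troubleshooting items above, and the admin-group and allow-connect requirements from the Sentry configuration section, are all consistency conditions between the Hive catalog properties and the Sentry service's sentry-site.xml. The following pre-flight script is an added example (not Presto, Starburst or Sentry code) that checks them before the coordinator is restarted. It assumes: both sample files below are constructed; sentry.service.admin.group is Sentry's usual admin-group property (the page does not name it); hive.security=sentry is the enabling catalog property (also not named on the page); the remaining sentry.* keys are the ones named in this document; and the "looks like an address" test for sentry.server is a heuristic, since a server object name is normally a plain token such as server1.

```python
"""Pre-flight check of a Hive catalog's Sentry client settings against the Sentry
service's sentry-site.xml.  Added example, not Presto/Starburst/Sentry code."""
import re
import xml.etree.ElementTree as ET

# Constructed sample sentry-site.xml.  sentry.service.admin.group is assumed to be
# Sentry's admin-group property; sentry.service.allow.connect is named on the page.
# The capital P in allow.connect is a deliberate casing mismatch for the demo.
SENTRY_SITE_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>sentry.service.admin.group</name><value>hive,impala,hue,presto</value></property>
  <property><name>sentry.service.allow.connect</name><value>hive,impala,hue,Presto</value></property>
</configuration>
"""

# Constructed sample Hive catalog properties.  hive.security=sentry is assumed to be
# the enabling property; the sentry.* keys are the ones named on this page.
CATALOG_PROPERTIES = """
connector.name=hive-hadoop2
hive.security=sentry
sentry.server=server1
sentry.admin-user=presto
sentry.authentication-type=KERBEROS
sentry.service-principal=sentry/sentry01.example.com@EXAMPLE.COM
sentry.client-principal=presto/presto-coord.example.com@EXAMPLE.COM
"""

# Constructed user-to-groups mapping, i.e. what HADOOP_DEFAULT/SYSTEM/LDAP mapping returns.
USER_GROUPS = {"presto": {"presto", "users"}}


def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop-style <configuration> XML document."""
    root = ET.fromstring(text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def parse_properties(text):
    """Return {key: value} from a key=value properties file (comments start with # or !)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def csv_set(value):
    """Split a comma-separated property value into a set of trimmed entries."""
    return {item.strip() for item in value.split(",") if item.strip()}


def principal_primary(principal):
    """Kerberos primary of 'user/host@REALM' or 'user@REALM'; Sentry matches on this part."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]


def check_sentry_config(catalog, site, user_groups):
    """Return a list of problems; an empty list means the two sides are consistent."""
    problems = []

    # sentry.server is a Sentry server object name (Hive's hive.sentry.server), not an address.
    server = catalog.get("sentry.server", "")
    if not server:
        problems.append("sentry.server is not set")
    elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", server) or "." in server:  # heuristic
        problems.append(f"sentry.server={server!r} looks like an address, not a Sentry server object name")

    # sentry.admin-user must be in one of the sentry.service.admin.group groups,
    # otherwise Sentry answers with SentryAccessDeniedException.
    admin_user = catalog.get("sentry.admin-user", "")
    admin_groups = csv_set(site.get("sentry.service.admin.group", ""))
    if not admin_groups & set(user_groups.get(admin_user, ())):
        problems.append(f"sentry.admin-user={admin_user!r} is in none of the admin groups {sorted(admin_groups)}")

    if catalog.get("sentry.authentication-type", "NONE").upper() == "KERBEROS":
        # A wrong service principal surfaces as 'GSSException ... Checksum failed'.
        service = catalog.get("sentry.service-principal", "")
        if not re.fullmatch(r"[^/@]+/[^/@]+@[^/@]+", service):
            problems.append(f"sentry.service-principal={service!r} is not of the form service/host@REALM")

        # The client principal's primary must appear, with identical casing, in
        # sentry.service.allow.connect; otherwise: 'Problem with callback handler'.
        primary = principal_primary(catalog.get("sentry.client-principal", ""))
        allowed = csv_set(site.get("sentry.service.allow.connect", ""))
        if primary not in allowed:
            hint = " (differs only in letter case)" if primary.lower() in {a.lower() for a in allowed} else ""
            problems.append(f"client principal primary {primary!r} is not in sentry.service.allow.connect{hint}")
    return problems


def run_check(catalog_text=CATALOG_PROPERTIES, site_text=SENTRY_SITE_XML, user_groups=USER_GROUPS):
    """Parse both files and return the list of problems found."""
    return check_sentry_config(parse_properties(catalog_text), parse_hadoop_xml(site_text), user_groups)


if __name__ == "__main__":
    for problem in run_check():
        print("PROBLEM:", problem)
```

Run against the constructed files it reports exactly one problem, the casing mismatch between the client principal primary presto and the Presto entry in sentry.service.allow.connect; correcting that entry yields an empty list. Point `run_check` at your real catalog file and sentry-site.xml, and feed it the group mapping your deployment actually uses, to reproduce the check on a live cluster.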

Configuration properties#

Sentry configuration properties#





The name of the server object in Sentry that Presto uses to find authorization rules. Set this to the value of hive.sentry.server from Hive's configuration XML files.


Admin user of Apache Sentry that has ALL access to the server object. It is a user that belongs to one of the groups mentioned in the admin group property of the sentry-site.xml Sentry service configuration file.


Address on which the Sentry RPC service is available.


Port at which Sentry is listening.


Authentication method used when connecting to the Sentry service. Possible values are NONE or KERBEROS.


Sentry service Kerberos principal used to authenticate the Sentry service. This property is only used when sentry.authentication-type=KERBEROS.


Sentry client Kerberos principal used to authenticate the client when connecting to the Sentry service. The primary part of this principal (the user) must be included in the sentry.service.allow.connect property of the sentry-site.xml Sentry service configuration file, with matching letter case. This property is only used when sentry.authentication-type=KERBEROS.


Sentry client Kerberos keytab file location used to authenticate the client when connecting to the Sentry service. This property is only used when sentry.authentication-type=KERBEROS.


Period for which information returned by Sentry is cached in Presto. 0ms disables the cache.


Defines how user groups are determined. Possible values are:

  • HADOOP_DEFAULT: user groups are retrieved through the Hadoop client library. You may want to use sentry.config.resources to customize this behaviour.

  • SYSTEM: user groups are retrieved from the operating system that Presto is running on.

  • LDAP: user groups are retrieved from LDAP.


Address of LDAP service when


LDAP user name when


LDAP user password when

Configures the search base for the LDAP connection when


Additional filters to apply when searching for users when

Additional filters to apply when finding relevant groups when

LDAP attribute to use for determining group membership when

LDAP attribute to use for identifying a group’s name when

Period for which group mapping information is cached in Presto. 0ms disables the cache.


Period for which information about an empty group is cached in Presto. 0ms disables the cache.


Additional XML configuration files that are read before applying the Presto Sentry configuration; the catalog properties take precedence. Useful for reusing existing sentry-site.xml configuration files.


Presto only enforces the Apache Sentry policies. Presto does not support any modification of authorization policies in Sentry. This includes commands like CREATE ROLE, GRANT, or REVOKE. If you need to modify roles and privileges, do so via another tool such as Apache Hive or Hue.

Sentry policy files are also not supported.