

Apache Sentry Setup



Version information

  • 0.1.0 (latest)
released Oct 23rd 2015

Start using this module

Add this module to your Puppetfile:

mod 'cesnet-sentry', '0.1.0'

Add this module to your Bolt project:

bolt module add cesnet-sentry

Manually install this module globally with Puppet module tool:

puppet module install cesnet-sentry --version 0.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



cesnet/sentry — version 0.1.0 Oct 23rd 2015

Apache Sentry Puppet Module

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with sentry
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Development - Guide for contributing to the module

Module Description

This Puppet module installs and sets up Apache Sentry, a system for enforcing fine-grained, role-based authorization to data and metadata stored on a Hadoop cluster.


What sentry affects

  • Alternatives:
      • sentry-conf
  • Files:
      • /etc/sentry/conf/sentry-site.xml
      • JDBC jars in /usr/lib/sentry/lib (if needed)
      • startup script: workaround for a packaging error (tested with Cloudera CDH 5.4.7)
  • Packages: sentry, sentry-store
  • Services: sentry-store

Setup Requirements

  • repositories set
  • Java JRE installed
  • Hadoop cluster with enabled Kerberos security
  • for Hive: security enabled (Hive Server 2: LDAP or Kerberos, Hive Metastore: Kerberos)
  • for Impala: security enabled (Kerberos or LDAP)


Basic usage

include ::sentry
include ::sentry::client
include ::sentry::server

Sentry with MySQL

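class { '::sentry':
  db          => 'mysql',
  # example value; keep real passwords out of the manifest (e.g. encrypted Hiera data)
  db_password => 'sentrypassword',
}

node default {
  include ::sentry::client
  include ::sentry::server

  class { 'mysql::server':
    root_password  => 'strongpassword',
  }

  # database and account for the Sentry store
  mysql::db { 'sentry':
    user     => 'sentry',
    password => 'sentrypassword',
    host     => 'localhost',
    grant    => ['ALTER', 'CREATE', 'SELECT', 'INSERT', 'UPDATE', 'DELETE'],
  }

  # Java bindings (JDBC driver) for MySQL
  class { 'mysql::bindings':
    java_enable => true,
  }

  # the database and the JDBC driver must be in place before the Sentry server is configured
  Mysql::Db['sentry'] -> Class['::sentry::server::config']
  Class['mysql::bindings'] -> Class['::sentry::server::config']
}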

Sentry with PostgreSQL

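class { '::sentry':
  db          => 'postgresql',
  # example value; keep real passwords out of the manifest (e.g. encrypted Hiera data)
  db_password => 'sentrypassword',
}

node default {
  include ::sentry::client
  include ::sentry::server

  class { 'postgresql::server':
    postgres_password  => 'strongpassword',
  }

  # database and account for the Sentry store
  postgresql::server::db { 'sentry':
    user     => 'sentry',
    password => postgresql_password('sentry', 'sentrypassword'),
  }

  # Java bindings (JDBC driver) for PostgreSQL
  include postgresql::lib::java

  # the database and the JDBC driver must be in place before the Sentry server is configured
  Postgresql::Server::Db['sentry'] -> Class['::sentry::server::config']
  Class['postgresql::lib::java'] -> Class['::sentry::server::config']
}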
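
An added example, not part of this module or its README: a small Python audit for a sentry-site.xml such as the one this module manages. It checks that a file holding the store's database password is not world-readable, that Kerberos mode is on, that the keytab exists and is owner-only, and that an admin group is set. Apart from sentry.service.server.keytab, the property names are Apache Sentry's standard ones rather than names given on this page; the sample file and keytab are constructed, and POSIX file modes are assumed.

```python
import os, stat, tempfile
import xml.etree.ElementTree as ET

def load_properties(path):
    """Parse a Hadoop-style *-site.xml into a {name: value} dict."""
    props = {}
    for prop in ET.parse(path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(site_path):
    """Return a list of findings for one sentry-site.xml."""
    props, findings = load_properties(site_path), []
    # The file holds the store's DB password, so "other" must not read it.
    if props.get("sentry.store.jdbc.password") and os.stat(site_path).st_mode & stat.S_IROTH:
        findings.append("world-readable file holds sentry.store.jdbc.password")
    if props.get("sentry.service.security.mode", "").lower() != "kerberos":
        findings.append("sentry.service.security.mode is not kerberos")
    keytab = props.get("sentry.service.server.keytab", "")
    if not os.path.isfile(keytab):
        findings.append("keytab not found: %r" % keytab)
    elif os.stat(keytab).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keytab accessible beyond its owner: " + keytab)
    if not props.get("sentry.service.admin.group"):
        findings.append("sentry.service.admin.group is empty")
    return findings

def write_sample(directory, security_mode, site_mode, keytab_mode):
    """Write a constructed sentry-site.xml and dummy keytab; return the XML path."""
    keytab = os.path.join(directory, "sentry.service.keytab")
    with open(keytab, "w") as fh:
        fh.write("constructed placeholder, not a real keytab")
    os.chmod(keytab, keytab_mode)
    values = {"sentry.service.security.mode": security_mode,
              "sentry.service.server.keytab": keytab, "sentry.service.admin.group": "sentry",
              "sentry.store.jdbc.password": "sentrypassword"}
    body = "".join("<property><name>%s</name><value>%s</value></property>" % kv
                   for kv in values.items())
    site = os.path.join(directory, "sentry-site.xml")
    with open(site, "w") as fh:
        fh.write("<configuration>%s</configuration>" % body)
    os.chmod(site, site_mode)
    return site

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(write_sample(tmp, "none", 0o644, 0o644)))
```

On a real host, call audit('/etc/sentry/conf/sentry-site.xml') as a user allowed to read that file and stat the keytab.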


  • sentry: Apache Sentry setup
  • sentry::client: Sentry client
  • sentry::server: Sentry store

sentry class

Apache Sentry Setup.


Switches the alternatives used for the configuration. Default: 'cluster' (Debian) or undef.

Use it only when supported (for example with Cloudera distribution).


List of groups allowed to make policy updates. Default: ['sentry'].


Database for the sentry store service. Default: undef.

The default is the embedded database (derby).


  • derby: embedded database
  • mysql: MySQL/MariaDB
  • postgresql: PostgreSQL
  • oracle: Oracle


Database hostname for mysql, postgresql, and oracle. Default: 'localhost'.

It can be overridden by property.


Database name for mysql and postgresql. Default: 'sentry'.

For oracle, the 'xe' schema is used. It can be overridden by property.


Database user for mysql, postgresql, and oracle. Default: 'sentry'.

It can be overridden by property.


Database password for mysql, postgresql, and oracle. Default: undef.

It can be overridden by property.


Keytab file for Sentry. Default: '/etc/security/keytab/sentry.service.keytab'.

This also sets the property sentry.service.server.keytab, if it is not specified directly.


Additional properties for sentry. Default: undef.

The "::undef" property value removes a property that this module would otherwise set automatically; an empty string sets an empty value.


Enables security. Default: undef.

The value is the Kerberos realm to use.

With security enabled, the following is required:

  • /etc/security/keytab/sentry.service.keytab (according to the keytab parameter)