Forge Home


Apache Sentry Setup


8,237 latest version

4.6 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.0 (latest)
released Oct 23rd 2015
This version is compatible with:
  • , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'cesnet-sentry', '0.1.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add cesnet-sentry
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install cesnet-sentry --version 0.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



cesnet/sentry — version 0.1.0 Oct 23rd 2015

Apache Sentry Puppet Module

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with sentry
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Development - Guide for contributing to the module

Module Description

This puppet module installs and setup Apache Sentry - system for enforcing fine grained role based authorization to data and metadata stored on a Hadoop cluster.


What sentry affects

  • Alternatives:
  • sentry-conf
  • Files:
  • /etc/sentry/conf/sentry-site.xml
  • JDBC jars in /usr/lib/sentry/lib (if needed)
  • startup skript: workaround for packaging error (tested with Cloudera CDH 5.4.7)
  • Packages: sentry, sentry-store
  • Services: sentry-store

Setup Requirements

  • repositories set
  • Java JRE installed
  • Hadoop cluster with enabled Kerberos security
  • for Hive: security enabled (Hive Server 2: LDAP or Kerberos, Hive Metastore: Kerberos)
  • for Impala: security enabled (Kerberos or LDAP)


Basic usage

include ::sentry
include ::sentry::client
include ::sentry::server

Sentry with MySQL

  db          => 'mysql',
  db_password => 'sentrypassword',

node default {
  include ::sentry::client
  include ::sentry::server

  class { 'mysql::server':
    root_password  => 'strongpassword',

  mysql::db { 'sentry':
    user     => 'sentry',
    password => 'sentrypassword',
    host     => 'localhost',
    grant    => ['ALTER', 'CREATE', 'SELECT', 'INSERT', 'UPDATE', 'DELETE'],

  class { 'mysql::bindings':
    java_enable => true,

  Mysql::Db['sentry'] -> Class['::sentry::server::config']
  Class['mysql::bindings'] -> Class['::sentry::server::config']

Sentry with PostgreSQL

  db          => 'postgresql',
  db_password => 'sentrypassword',

node default {
  include ::sentry::client
  include ::sentry::server

  class { 'postgresql::server':
    postgres_password  => 'strongpassword',

  postgresql::server::db { 'sentry':
    user     => 'sentry',
    password => postgresql_password('sentry', 'sentrypassword'),

  include postgresql::lib::java

  Postgresql::Server::Db['sentry'] -> Class['::sentry::server::config']
  Class['postgresql::lib::java'] -> Class['::sentry::server::config']


  • sentry: Apache Sentry setup
  • sentry::client: Sentry client
  • sentry::server: Sentry store

sentry class

Apache Sentry Setup.


Switches the alternatives used for the configuration. Default: 'cluster' (Debian) or undef.

Use it only when supported (for example with Cloudera distribution).


List of groups allowed to make policy updates. Default: ['sentry'].


Database for the sentry store service. Default: undef.

The default is embedded database (derby).


  • derby: embedded database
  • mysql: MySQL/MariaDB,
  • postgresql: PostgreSQL
  • oracle: Oracle


Database hostname for mysql, postgresql, and oracle. Default: 'localhost'.

It can be overridden by property.


Database name for mysql and postgresql. Default: 'sentry'.

For oracle 'xe' schema is used. Can be overridden by property.


Database user for mysql, postgresql, and oracle. Default: 'sentry'.

It can be overridden by property.


Database password for mysql, postgresql, and oracle. Default: undef.

It can be overriden by property.


Keytab file for Sentry. Default: '/etc/security/keytab/sentry.service.keytab'.

This will set also property sentry.service.server.keytab, if not specified directly.


Additional properties for sentry. Default: undef.

"::undef" property value will remove given property set automatically by this module, empty string sets the empty value.


Enables security. Default: undef.

The value is the Kerberos realm to use.

With security there is required:

  • /etc/security/keytab/sentry.service.keytab (according to the keytab parameter)