We are very excited to announce that Apache Sentry has graduated from the Apache Incubator and is now an Apache Top Level Project! Sentry, which provides centralized fine-grained access control on metadata and data stored in Apache Hadoop clusters, was introduced as an Apache Incubator project back in August 2013. In the past two and a half years, the development community grew significantly to a large number of contributors from various organizations. Upon graduation, there were more than 50 contributors, 31 of whom had become committers.

What’s Sentry

While Hadoop has strong security at the filesystem level, it lacked the granular support needed to adequately secure access to data by users and BI applications. This problem forced users to make a choice: either leave data unprotected or lock out users entirely. Most of the time, the preferred choice was the latter, severely inhibiting access to data in Hadoop. Sentry provides the ability to enforce role-based access control to data and/or privileges on data for authenticated users in a fine-grained manner. For example, Sentry’s SQL permissions allow access control at the server, database, table, view and even column scope, at different privilege levels including select, insert, etc., for Apache Hive and Apache Impala. With role-based authorization, precise levels of access can be granted to the right users and applications.

What’s new

During incubation, Sentry had six releases and has continued to grow toward providing unified authorization policy management across different Hadoop components. Some of the additions include:

  • Support for multiple permission models, and enforcement of the same permission model across multiple compute frameworks and data access paths

  • Support for Solr (Search)

  • Synchronizing SQL table permissions with HDFS file permissions

  • Audit log support for data governance purposes

  • Sentry High Availability (HA)

  • Import/export tool for replicating permissions to other clusters

  • Support for Apache Kafka, Apache Solr and Apache Sqoop

Future Work

Graduation is a terrific milestone, but only the beginning for Sentry. We are looking forward to continuing to help grow the Sentry community and fostering a strong ecosystem around the project.

We are targeting significant enhancements across the areas of:

  • Ease of Sentry enablement and management of permissions

  • Feature parity with access control capabilities of mature relational database systems

  • Attribute-Based Access Control (ABAC), including permissions based on data sensitivity tags

  • Integration with additional Hadoop ecosystem frameworks so that existing permissions can be enforced across additional access paths

How to Get Involved

The Sentry community now includes new core committers, an active developer mailing list where future releases and patches are discussed, and increasing interest in running additional frameworks on Sentry. We strongly encourage new people to join Sentry and contribute by joining the discussions on the mailing list, filing bugs through Jira, reviewing others’ code or even providing new patches.