Configure Sentry to show/hide different databases

Published 2019-09-18 05:17

Question:

I have a cluster running with cdh-5.7.0 and configured the following setup

  • hadoop with kerberos
  • hive with LDAP authentication
  • hive with sentry authorization (rules stored in JDBC derby)

My goal is to restrict users to see which databases exist in my system. E.g.:

  • User-A should only see database DB-A when executing show databases
  • User-B should only see database DB-B when executing show databases

I followed the article https://blog.cloudera.com/blog/2013/12/how-to-get-started-with-sentry-in-hive/ to make that happen. But without success. What I achieved was that

  • User-A can only select tables from DB-A and not from DB-B.
  • User-B can only select tables from DB-B and not from DB-A.

But both can still see DB-A and DB-B when executing show databases. But I want to avoid this.

Any hints from you how the rules or the setup could look like to get that running?

Thanks, Marko

Answer 1:

According to your description and from what I've learned from existing setups, in case of Sentry v1.6+ you need to add the following property to your hive-site.xml:

<property>
  <name>hive.metastore.filter.hook</name>
  <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
</property>

Even if you are on CDH 5.7, the MapR 5 documentation provides some context, as does Sentry Service Interactions.

After re-starting the Hive service you should be able to see the result which you are expecting.
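
A way to verify the setting from this answer before restarting Hive, as an added example that is not part of the original answer: the script parses a hive-site.xml and reports whether hive.metastore.filter.hook is set to the Sentry filter hook class. The sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FILTER_KEY = "hive.metastore.filter.hook"
SENTRY_HOOK = "org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook"

# Constructed sample configurations (not taken from a real cluster).
WITHOUT_HOOK = """<configuration>
  <property>
    <name>hive.server2.authentication</name>
    <value>LDAP</value>
  </property>
</configuration>"""

WITH_HOOK = """<configuration>
  <property>
    <name>hive.metastore.filter.hook</name>
    <value>org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook</value>
  </property>
</configuration>"""


def read_properties(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    props = {}
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = prop.findtext("value") or ""
        if name:
            props[name] = value  # in this script a later duplicate replaces an earlier one
    return props


def check_filter_hook(xml_text):
    """Classify the metastore filter hook setting as 'ok', 'missing' or 'other'."""
    value = read_properties(xml_text).get(FILTER_KEY)
    if value is None:
        return "missing"  # the property from the answer is not set at all
    # Exact comparison: stray whitespace or a different class is reported as 'other'.
    return "ok" if value == SENTRY_HOOK else "other"


if __name__ == "__main__":
    for label, xml_text in (("without hook", WITHOUT_HOOK), ("with hook", WITH_HOOK)):
        print(label, "->", check_filter_hook(xml_text))
```

To check a real file, pass its contents to check_filter_hook, for example the text read from the hive-site.xml used by the Hive service.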