- Install Sentry service
- Remove the configuration for Hive or Impala to use Sentry Policy files:
In Cloudera Manager for Hive:
- Navigate to Hive > Configuration > Service-Wide > Policy File Based Sentry > Enable Sentry Authorization using Policy Files
- Uncheck the box.
In Cloudera Manager for Impala:
- Navigate to Impala > Configuration > Service-Wide > Policy File Based Sentry > Enable Sentry Authorization using Policy Files
- Uncheck the box.
- Enable the Sentry Service:
In Cloudera Manager for Hive:
- Navigate to Hive > Configuration > Service-Wide > Sentry Service
- Click on the radio button for the Sentry Service
In Cloudera Manager for Impala:
- Navigate to Impala > Configuration > Service-Wide > Sentry Service
- Click on the radio button for the Sentry Service
- Stop the Sentry Service:
- Back up the Sentry database. The following steps will write data into the Sentry database.
- Import the settings by running the following commands on the node where HiveServer2 is running:
- Set the HIVE_HOME location so that the Sentry commands work.
This directory should contain bin/hive (typically /usr/lib/hive, or a path under /opt/cloudera/parcels):
export HIVE_HOME=/usr/lib/hive
or:
export HIVE_HOME=/opt/cloudera/parcels/CDH/lib/hive
- Validate the existing sentry-provider.ini policy file to make sure it does not contain any errors, using the following example syntax:
sentry --hive-config /etc/hive/conf --command config-tool -s file:///etc/sentry/conf/sentry-site.xml -i hdfs://nameservice1/user/hive/sentry/sentry-provider.ini -v
Note: If you get an error like the one below:
Sentry server: HS2
Found configuration problems
ERROR: Error processing file hdfs://nameservice1/user/hive/sentry/sentry-provider.iniServer name server1 in server=server1 is invalid. Expected HS2
ERROR: Failed to process global policy file hdfs://nameservice1/user/hive/sentry/sentry-provider.ini
This means that Sentry expects its server name to be HS2 by default, so you need to set its server name to server1 (the name specified in the sentry-provider.ini file).
To do that, add the snippet below to Sentry Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml, then restart:
<property>
  <name>sentry.hive.server</name>
  <value>server1</value>
</property>
Ensure that the same value is reflected in /etc/sentry/conf/sentry-site.xml on the host where Sentry is installed. If it does not take effect, copy the sentry-site.xml from the Cloudera Manager process section, create a new sentry-site.xml in the home location with that information, and reference it in the validation syntax above, in the same way as the import command below.
- Set HIVE_CONF_DIR. This directory contains hive-site and sentry-site for Hive. For systems deployed with Cloudera Manager, set it as follows:
export HIVE_CONF_DIR="/var/run/cloudera-scm-agent/process/`ls -alrt /var/run/cloudera-scm-agent/process | grep HIVESERVER2 | tail -1 | awk '{print $9}'`"
- Run the Sentry config-tool:
sentry --hive-config /etc/hive/conf --command config-tool --import --policyIni hdfs://nameservice1/user/hive/sentry/sentry-provider.ini -s file:///home/subbav/sentry-site.xml
Important: The policy file must be given as a fully qualified URI, for example:
hdfs://namenode:8020/user/hive/sentry/sentry-provider.ini
or
file:///local/data/sentry/sentry-provider.ini
sentry --command config-tool --import -i <Policy_file_URI>
- Start the Sentry Service
- Run commands in Beeline to test if privileges are set correctly.
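
The server-name mismatch described in the note above can be caught before running config-tool. The following script is an added example, not part of the original procedure or of Sentry itself; it assumes local copies of sentry-provider.ini and sentry-site.xml, and the function names and sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Pre-flight check for the "Server name ... is invalid. Expected HS2" error.

# Print the distinct server names used in server=... privileges of a policy file.
policy_servers() {
  grep -v '^[[:space:]]*#' "$1" | grep -oE 'server=[^,>[:space:]]+' |
    sed -e 's/^server=//' -e 's/-$//' | sort -u
}

# Print sentry.hive.server from a sentry-site.xml; fall back to HS2, the
# default this page reports when the property is not set.
site_server() {
  local v
  v=$(tr -d '\n' < "$1" |
    sed -n 's|.*<name>sentry\.hive\.server</name>[[:space:]]*<value>\([^<]*\)</value>.*|\1|p')
  echo "${v:-HS2}"
}

# Return 0 only if every server name in the policy file equals the configured one.
check_policy() {
  local expected s bad=0
  expected=$(site_server "$2")
  for s in $(policy_servers "$1"); do
    if [ "$s" != "$expected" ]; then
      echo "MISMATCH: policy has server=$s, Sentry expects $expected" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Constructed sample files (not taken from a real cluster).
make_sample() {
  printf '%s\n' '[groups]' 'analysts = analyst_role' '[roles]' \
    '# read-only role' \
    'analyst_role = server=server1->db=default->table=sales->action=select' \
    > "$1/sentry-provider.ini"
  printf '%s\n' '<configuration>' '</configuration>' > "$1/site-default.xml"
  printf '%s\n' '<configuration>' '<property>' \
    '<name>sentry.hive.server</name>' '<value>server1</value>' \
    '</property>' '</configuration>' > "$1/site-server1.xml"
}

d=$(mktemp -d) && make_sample "$d"
check_policy "$d/sentry-provider.ini" "$d/site-default.xml" || echo "set sentry.hive.server before importing"
check_policy "$d/sentry-provider.ini" "$d/site-server1.xml" && echo "server names match"
rm -rf "$d"
```

A non-zero return from check_policy means the import would hit the error shown in the note, so set sentry.hive.server first.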