- Install Sentry service
- Remove the configuration for Hive or Impala to use Sentry Policy files:
In Cloudera Manager for Hive:
- Navigate to Hive > Configuration > Service-Wide > Policy File Based Sentry > Enable Sentry Authorization using Policy Files
- Uncheck the box.
In Cloudera Manager for Impala:
- Navigate to Impala > Configuration > Service-Wide > Policy File Based Sentry > Enable Sentry Authorization using Policy Files
- Uncheck the box.
- Enable the Sentry Service:
In Cloudera Manager for Hive:
- Navigate to Hive > Configuration > Service-Wide > Sentry Service
- Click on the radio button for the Sentry Service
In Cloudera Manager for Impala:
- Navigate to Impala > Configuration > Service-Wide > Sentry Service
- Click on the radio button for the Sentry Service
- Stop the Sentry Service:
- Back up the Sentry database. The following steps will write data into the Sentry database.
- Import the settings by running the following commands on the node where HiveServer2 is running:
- Set HIVE_HOME location in order to have Sentry commands working.
This should contain bin/hive (typically /usr/lib/hive or under /opt/cloudera/parcels export HIVE_HOME=/usr/lib/hive).
export HIVE_HOME=/opt/cloudera/parcels/CDH/lib/hive
- Validate the existing Sentry Provider.INI file to make sure it does not have any errors using the example syntax here:
sentry --hive-config /etc/hive/conf --command config-tool -s file:///etc/sentry/conf/sentry-site.xml -i hdfs://nameservice1/user/hive/sentry/sentry-provider.ini -v
Note : If you get error like below:
Sentry server: HS2 Found configuration problems ERROR: Error processing file hdfs://nameservice1/user/hive/sentry/sentry-provider.iniServer name server1 in server=server1 is invalid. Expected HS2 ERROR: Failed to process global policy file hdfs://nameservice1/user/hive/sentry/sentry-provider.ini
It implies, that Sentry is expecting its server name to be HS2 by default. So you would need to specify its server name as server1 (as specified in sentry-provider.ini file).
In order to do that, provide the below snippet in this value Sentry Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml and do a restart:
<property> <name>sentry.hive.server</name> <value>server1</value> </property>
Ensure that, the same is reflected in sentry-site.xml in /etc/sentry/conf/sentry-site.xml on the host where Sentry is installed. If it does not take effect, copy the sentry-site.xml from the Cloudera Manager process section and create a new sentry-site.xml in the home location with that information and reference it in the above syntax to validate as below.
- Set HIVE_CONF_DIR - This contains hive-site and sentry-site for Hive. For Cloudera Manager deployed systems it is set as follows:
export HIVE_CONF_DIR="/var/run/cloudera-scm-agent/process/`ls -alrt /var/run/cloudera-scm-agent/process | grep HIVESERVER2 | tail -1 | awk '{print $9}'`"
- Run the Sentry config-tool:
sentry --hive-config /etc/hive/conf --command config-tool --import --policyIni hdfs://nameservice1/user/hive/sentry/sentry-provider.ini -s file:///home/subbav/sentry-site.xml
Important: The policy file should be fully qualified URI, For example:
hdfs://namenode:8020/user/hive/sentry/sentry-provider.ini or file:///local/data/sentry/sentry-provider.ini sentry --command config-tool --import -i <Policy_file_URI>
- Start the Sentry Service
- Run commands in Beeline to test if privileges are set correctly.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.