Exporting Sentry permissions
You must export the Sentry policies from the CDH cluster to Ranger on the CDP cluster.
- SSH to the Sentry host of the source cluster.
Copy the file located here to the Sentry host and extract it to a suitable
tar -xvf authz_export.tar.gz
Later, a directory named authzmigrator is created which contains the following files:
Verify the SENTRY_SERVER process path
ps -ef | grep SENTRY_SERVER
Replace sentry-site.xml and core-site.xml in the extracted directory with the config
files from the Sentry run directory.
cp /var/run/cloudera-scm-agent/process/<process-id>-sentry-SENTRY_SERVER/sentry-site.xml authzmigrator/config/
cp /var/run/cloudera-scm-agent/process/<process-id>-sentry-SENTRY_SERVER/core-site.xml authzmigrator/config/
Update sentry.store.jdbc.user and sentry.store.jdbc.password in
sentry-site.xml. The mandatory values are the Sentry "database user" and "database user password" in clear text.
Remove the property hadoop.security.credential.provider.path in
Update the value for the property fs.defaultFS to
file:/// in core-site.xml.
Make sure that the following configurations are updated in
authorization-migration-site.xml present in the
- authorization.migration.export.target_services=HIVE,KAFKA should list the services whose Sentry permissions are to be exported. Valid values: HIVE, KAFKA
- authorization.migration.export.output_file=<path> should be updated to the absolute location of the file where permissions should be exported
To set up role based permissions, you must add the following properties:
</property>
An example property file:
Run the script:
sh authz_export.sh
Exporting the permissions is completed.
SCP the exported JSON to the target cluster. For more information about logging
into CDP One clusters, see Using SSH to access the cluster.
scp <exported json> root@<target_cluster>:/root
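A preflight check for the edited files in authzmigrator/config, meant to be run before authz_export.sh; it is an added example, not part of the original page or of Cloudera's tooling. The function names, the sample values and the file-permission check on sentry-site.xml (which holds the clear-text database password) are assumptions of this example, and the credential-provider check covers both sentry-site.xml and core-site.xml.

```python
import os, stat, tempfile, xml.etree.ElementTree as ET

FILES = ("sentry-site.xml", "core-site.xml", "authorization-migration-site.xml")
VALID_SERVICES = {"HIVE", "KAFKA"}  # valid values listed on the page
CRED = "hadoop.security.credential.provider.path"
PREFIX = "authorization.migration.export."

def load_props(path):
    """Parse a Hadoop-style *-site.xml into a {name: value} dict."""
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in ET.parse(path).getroot().iter("property")}

def preflight(config_dir):
    """Return the problems found in authzmigrator/config before authz_export.sh is run."""
    sentry, core, mig = (load_props(os.path.join(config_dir, f)) for f in FILES)
    problems = [f"{k} missing from {FILES[0]}"
                for k in ("sentry.store.jdbc.user", "sentry.store.jdbc.password") if not sentry.get(k)]
    # The page's sentence naming the file is cut off, so both files are checked (assumption).
    for name, props in ((FILES[0], sentry), (FILES[1], core)):
        if CRED in props:
            problems.append(f"{CRED} still present in {name}")
    if core.get("fs.defaultFS") != "file:///":
        problems.append(f"fs.defaultFS in {FILES[1]} is not file:///")
    services = [s.strip() for s in mig.get(PREFIX + "target_services", "").split(",")]
    if not set(services) <= VALID_SERVICES:
        problems.append(f"target_services has invalid entries: {services}")
    if not os.path.isabs(mig.get(PREFIX + "output_file", "")):
        problems.append("output_file is not an absolute path")
    # Added hardening check, not a step from the page: this file now holds a clear-text password.
    if stat.S_IMODE(os.stat(os.path.join(config_dir, FILES[0])).st_mode) & 0o077:
        problems.append(f"{FILES[0]} is readable by group or other")
    return problems

def write_site(config_dir, name, props, mode=0o600):  # helper for constructed samples
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>" for k, v in props.items())
    with open(os.path.join(config_dir, name), "w") as fh:
        fh.write(f"<configuration>{body}</configuration>")
    os.chmod(os.path.join(config_dir, name), mode)

def demo():  # constructed, deliberately incomplete sample configs
    with tempfile.TemporaryDirectory() as d:
        write_site(d, FILES[0], {"sentry.store.jdbc.user": "sentry", CRED: "jceks://file/x"}, 0o644)
        write_site(d, FILES[1], {"fs.defaultFS": "hdfs://ns1"})
        write_site(d, FILES[2], {PREFIX + "target_services": "HIVE,HDFS", PREFIX + "output_file": "out.json"})
        return preflight(d)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Against a real extraction, call preflight("authzmigrator/config") and proceed only when it returns an empty list; delete or restrict the edited sentry-site.xml once the export has finished.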