Exporting Sentry permissions

SSH to the Sentry host of the source cluster.

Copy the file located here to the Sentry host and extract it to a suitable location.

tar -xvf authz_export.tar.gz

Later, a directory named authzmigrator is created which contains the following files:

Verify the SENTRY_SERVER process path

ps -ef | grep SENTRY_SERVER

Replace sentry-site.xml and core-site.xml in the extracted file with config files from Sentry-run directory.  For example,

cp /var/run/cloudera-scm-agent/process/<process-id>-sentry-SENTRY_SERVER/sentry-site.xml authzmigrator/config/
cp /var/run/cloudera-scm-agent/process/<process-id>-sentry-SENTRY_SERVER/core-site.xml authzmigrator/config/

Update ‘Sentry.store.jdbc.user’ and sentry.store.jdbc.password in sentry-site.xml.

The mandatory values are the Sentry "database user" and "database user password" in clear text.

Remove the property hadoop.security.credential.provider.path in sentry-site.xml.

Update the value for the property fs.defaultFS to

file:/// in
                        core-site.xml

.

Make sure that the following configurations are updated in

authorization-migration-site.xml present in the authzmigrator/config/

- authorization.migration.export.target_services= HIVE,KAFKA should have a list of services for which permissions are needed to export the Sentry permissions. Valid values: HIVE, KAFKA
- authorization.migration.export.output_file=<path> should be updated to the absolute location of the file where permissions should be exported

To set up role based permissions, you must add the following properties:

<property>

<name>authorization.migration.role.permissions</name>

<value>true</value>

</property>

An example property file:

Export JAVA_HOME variable

Run the script:

cd authzmigrator/

sh authz_export.sh

Exporting the permissions is completed.

SCP the exported JSON to the target cluster. For more information about logging into CDP One clusters, see Using SSH to access the cluster.

scp <exported json> root@<target_clustert>:/root