Exporting Permissions from Sentry Server

Use the authzmigrator tool to export the Sentry permissions from the Sentry server on the source cluster to a file.

During side-by-side migration (side-car migration), you can use the authzmigrator tool to migrate the Hive object and URL permissions and Kafka permissions to Ranger.
  1. Download the authz_export.tar.gz file and extract it. For information about downloading the file, contact Cloudera Support.
    The authz_export.tar.gz file contains directories named jars and config. It also has an authz_export.sh file. The config directory contains default configurations that you can use for reference.
  2. Replace the sentry-site.xml and core-site.xml in the config directory with the configuration files from the Sentry directory on the Sentry server in the source cluster.
    For example, the Sentry directory on the source cluster is located in the /var/run/cloudera-scm-agent/process/<sentry-service>/ location.
  3. Edit the sentry-site.xml file to perform the following steps:
    1. Update the database username and password for the Sentry database with the following credentials:

      sentry.store.jdbc.user

      sentry.store.jdbc.password

    2. Remove the hadoop.security.credential.provider.path property in the file.
  4. Edit the core-site.xml file to perform the following steps:
    1. Update the value for the property fs.defaultFS to file:///.
    2. Remove the hadoop.security.credential.provider.path property in the file.
  5. In the authorization-migration-site.xml file in the config directory, perform the following steps:
    1. Make sure that the authorization.migration.export.target_services property has the list of services for which the permissions are to be exported.
      Valid values include: HIVE KAFKA
    2. Update the information in the authorization.migration.export.output_file property to the absolute location of the file where permissions should be exported.
  6. Verify whether the Java execution path for the Sentry server and the JAVA_HOME property in the authz_export.sh script matches. To verify the path and property, perform the following tasks:
    1. To locate the Java execution path that Sentry server uses, run the ps aux | grep org.apache.sentry.SentryMain command.
    2. If the path is not /user/java/default/bin/java, edit the authz_export.sh script, add the path that the Sentry server uses to the JAVA_HOME property, and save the file.
      For example, if the Sentry server uses the /usr/java/jdk1.8.0_141-cloudera/bin/java path, change the JAVA_HOME property in the authz_export.sh script to /usr/java/jdk1.8.0_141-cloudera.
  7. Run the authz_export.sh script using the sh authz_export.sh command.
    $ sh authz_export.sh
    log4j:WARN No such property [conversionPattern] in org.apache.solr.util.SolrLogLayout.
    389 T1 cceacv.CommonConfigurationValidator.validateServiceAndAuthzObjects No migration objects specified. Migrate all privileges
    451 T1 cceacv.CommonConfigurationValidator.validatePathScheme No matching schemes with [[file, hdfs, s3a, s3, abfs]]. Use default scheme [file]
    806 T1 odu.Log4JLogger.info Property datanucleus.cache.level2 unknown - will be ignored
    3066 T1 odu.Log4JLogger.warn WARN Metadata has jdbc-type of null yet this is not valid. Ignored
    4266 T1 ccea.PolicyStore.lambda$fetchPermissionInfo$1 Fetching permissions for all SQL objects for service type [HIVE]
    4375 T1 ccea.PolicyStore.fetchDbPermissionInfo Total privileges retrieved [8]
    4401 T1 ccea.PolicyStore.lambda$getRoleGroupMap$4 Fetched 3 roles
    4403 T1 ccea.PolicyStore.lambda$getRoleGroupMap$4 Roles to group mapping retrieved [3]
    4479 T1 ccea.PolicyStore.fetchKafkaPermissionInfo No privileges retrieved for export
    4484 T1 ccea.SentryExportTask.constructPolicyList [Completed] Constructing policy list
    4561 T1 ccea.FSClient.write [Started] Writing policy information to /opt/backup/permissions.json
    4578 T1 oahu.NativeCodeLoader.<clinit> WARN Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
    4596 T1 ccea.FSClient.write [Completed] Writing policy information to /opt/backup/permissions.json
    4597 T1 ccea.SentryExportTask.execute Exporting permission information to location /opt/backup/permissions.json successful
    4597 T1 ccea.Main.main Exporting the permissions is complete
    The permissions are exported to the /opt/backup/permissions.json file.
You can ingest the permissions into Ranger.