Transitioning from Sentry Policy Files to the Sentry Service

If your cluster uses Sentry policy file authorization, you must transition the policy files to the database-backed Sentry service before you upgrade to CDH 6 or CDP Private Cloud Base 7.1.

Complete the following steps to upgrade from Sentry policy files to the database-backed Sentry service:

Minimum Required Role: Cluster Administrator (also provided by Full Administrator) This feature is not available when using Cloudera Manager to manage Data Hub clusters.

  1. Disable the existing Sentry policy file for any Hive, Impala, or Solr services on the cluster. To do this:
    1. Go to the Hive, Impala, or Solr service.
    2. Click the Configuration tab.
    3. Select Scope > Service Name (Service-Wide).
    4. Select Category > Policy File Based Sentry.
    5. Clear Enable Sentry Authorization using Policy Files. Cloudera Manager throws a validation error if you attempt to configure the Sentry service while this property is checked.
    6. Repeat for any remaining Hive, Impala, or Solr services.
  2. Add the new Sentry service to your cluster. For instructions, see Installing and Upgrading the Sentry Service.
  3. To begin using the Sentry service, see Configuring the Sentry Service
  4. (Optional) Use command line tools to transition existing policy file grants.
    • If you want to transition existing Sentry configurations for Solr, use the solrctl sentry --convert-policy-file command, described in solrctl Reference.
    • For Hive and Impala, use the command-line interface Beeline to issue grants to the Sentry service to match the contents of your old policy file(s). For more details on the Sentry service and examples on using Grant/Revoke statements to match your policy file, see Hive SQL syntax for use with Sentry.
  5. Restart the affected services to apply the changes.