Exporting Permissions from Sentry Server
Use the authzmigrator tool to export the Sentry permissions from the Sentry server on the source cluster to a file.
- Download the authz_export.tar.gz file and extract it. For information about downloading the file, contact Cloudera Support.
  The authz_export.tar.gz file contains directories named jars and config. It also has an authz_export.sh file. The config directory contains default configurations that you can use for reference.
- Replace the sentry-site.xml and core-site.xml files in the config directory with the configuration files from the Sentry directory on the Sentry server in the source cluster.
  For example, the Sentry directory on the source cluster is located in /var/run/cloudera-scm-agent/process/<sentry-service>/.
- Edit the sentry-site.xml file to perform the following steps:
  - Update the database username and password for the Sentry database in the following properties:
    sentry.store.jdbc.user
    sentry.store.jdbc.password
  - Remove the hadoop.security.credential.provider.path property from the file.
- In the core-site.xml file, update the value of the fs.defaultFS property to file:///.
- In the authorization-migration-site.xml file in the config directory, perform the following steps:
  - Make sure that the authorization.migration.export.target_services property has the list of services for which the permissions are to be exported.
    Valid values include: HIVE KAFKA
  - Update the authorization.migration.export.output_file property to the absolute location of the file where permissions should be exported.
- Verify that the Java execution path for the Sentry server and the JAVA_HOME property in the authz_export.sh script match. To verify the path and property, perform the following tasks:
  - To locate the Java execution path that the Sentry server uses, run the ps aux | grep org.apache.sentry.SentryMain command.
  - If the path is not /user/java/default/bin/java, edit the authz_export.sh script, add the path that the Sentry server uses to the JAVA_HOME property, and save the file.
    For example, if the Sentry server uses the /usr/java/jdk1.8.0_141-cloudera/bin/java path, change the JAVA_HOME property in the authz_export.sh script to /usr/java/jdk1.8.0_141-cloudera.
- Run the authz_export.sh script using the sh authz_export.sh command.
  The permissions are exported to the /opt/backup/permissions.json file.
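
A pre-flight check for the configuration edits in the steps above, added here as an example (it is not Cloudera's code, and the function names are hypothetical). It assumes Hadoop-style `<property><name>/<value>` XML and a plain `JAVA_HOME=` assignment in authz_export.sh, and it adds one check the page does not mention: that sentry-site.xml, which now holds the database password in clear text, is accessible only to its owner.

```python
import os, re, stat, sys
import xml.etree.ElementTree as ET

def props(path):
    """Return {name: value} from a Hadoop-style *-site.xml file."""
    root = ET.parse(path).getroot()
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def check_export_config(config_dir, script_path, sentry_java):
    """Return a list of problems; an empty list means the edits look complete."""
    problems = []
    sentry_site = os.path.join(config_dir, "sentry-site.xml")
    sentry = props(sentry_site)
    for key in ("sentry.store.jdbc.user", "sentry.store.jdbc.password"):
        if not sentry.get(key):
            problems.append(f"sentry-site.xml: {key} is not set")
    if "hadoop.security.credential.provider.path" in sentry:
        problems.append("sentry-site.xml: credential provider path still present")
    # Added hardening check (not from the page): the file carries the
    # database password in clear text, so no group/other access bits.
    mode = stat.S_IMODE(os.stat(sentry_site).st_mode)
    if mode & 0o077:
        problems.append(f"sentry-site.xml: mode {mode:o} allows group/other access")

    core = props(os.path.join(config_dir, "core-site.xml"))
    if core.get("fs.defaultFS") != "file:///":
        problems.append("core-site.xml: fs.defaultFS is not file:///")

    mig = props(os.path.join(config_dir, "authorization-migration-site.xml"))
    if not mig.get("authorization.migration.export.target_services"):
        problems.append("migration site: target_services is empty")
    out = mig.get("authorization.migration.export.output_file", "")
    if not os.path.isabs(out):
        problems.append("migration site: output_file is not an absolute path")

    # Assumption: the script sets JAVA_HOME with a plain shell assignment.
    with open(script_path) as fh:
        m = re.search(r"^\s*(?:export\s+)?JAVA_HOME=[\"']?([^\"'\s]+)", fh.read(), re.M)
    # JAVA_HOME is the java binary's path (from ps aux) without /bin/java.
    suffix = "/bin/java"
    expected = sentry_java[:-len(suffix)] if sentry_java.endswith(suffix) else None
    if not m or m.group(1).rstrip("/") != expected:
        problems.append(f"authz_export.sh: JAVA_HOME does not match {sentry_java}")
    return problems

if __name__ == "__main__":
    # Usage: script.py <config dir> <authz_export.sh> <java path from ps aux>
    print("\n".join(check_export_config(*sys.argv[1:4])) or "OK")
```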