Cloudera Docs

Exporting Permissions from Sentry Server

Use the authzmigrator tool to export the Sentry permissions from the Sentry server on the source cluster to a file.

During side-by-side migration (side-car migration), you can use the authzmigrator tool to migrate the Hive object and URL permissions and Kafka permissions to Ranger.
  1. Download the authz_export.tar.gz file and extract it. For information about downloading the file, contact Cloudera Support.
    The authz_export.tar.gz file contains directories named jars and config. It also has an authz_export.sh file. The config directory contains default configurations that you can use for reference.
  2. Replace the sentry-site.xml and core-site.xml in the config directory with the configuration files from the Sentry directory on the Sentry server in the source cluster.
    For example, the Sentry directory on the source cluster is located in the /var/run/cloudera-scm-agent/process/<sentry-service>/ location.
  3. Edit the sentry-site.xml file to perform the following steps:
    1. Update the database username and password for the Sentry database with the following credentials:
      sentry.store.jdbc.user

      sentry.store.jdbc.password

    2. Remove the hadoop.security.credential.provider.path property in the file.
  4. In the core-site.xml file, update the value for the property fs.defaultFS to file:///.
  5. In the authorization-migration-site.xml file in the config directory, perform the following steps:
    1. Make sure that the authorization.migration.export.target_services property has the list of services for which the permissions are to be exported.
      Valid values include: HIVE KAFKA
    2. Update the information in the authorization.migration.export.output_file property to the absolute location of the file where permissions should be exported.
  6. Verify whether the Java execution path for the Sentry server and the JAVA_HOME property in the authz_export.sh script matches. To verify the path and property, perform the following tasks:
    1. To locate the Java execution path that Sentry server uses, run the ps aux | grep org.apache.sentry.SentryMain command.
    2. If the path is not /user/java/default/bin/java, edit the authz_export.sh script, add the path that the Sentry server uses to the JAVA_HOME property, and save the file.
      For example, if the Sentry server uses the /usr/java/jdk1.8.0_141-cloudera/bin/java path, change the JAVA_HOME property in the authz_export.sh script to /usr/java/jdk1.8.0_141-cloudera.
  7. Run the authz_export.sh script using the sh authz_export.sh command.
    The permissions are exported to the /opt/backup/permissions.json file.
You can ingest the permissions into Ranger.