Exporting Sentry permissions
You must export the Sentry policies from CDH cluster to Cloudera cluster Ranger.
- SSH to the Sentry host of the source cluster.
-
Copy the file located here to the Sentry host and extract it to a suitable
location.
tar -xvf authz_export.tar.gz
Later, a directory namedauthzmigrator
is created which contains the following files:Jars
Config
Authz_export.sh
-
Verify the SENTRY_SERVER process path
ps -ef | grep SENTRY_SERVER
-
Replace sentry-site.xml and core-site.xml in the extracted file with config
files from Sentry-run directory.
For example,
cp /var/run/cloudera-scm-agent/process/<process-id>-sentry-SENTRY_SERVER/sentry-site.xml authzmigrator/config/
cp /var/run/cloudera-scm-agent/process/<process-id>-sentry-SENTRY_SERVER/core-site.xml authzmigrator/config/
-
Update ‘Sentry.store.jdbc.user’ and sentry.store.jdbc.password in
sentry-site.xml
.The mandatory values are the Sentry "database user" and "database user password" in clear text. -
Remove the property hadoop.security.credential.provider.path in
sentry-site.xml
. -
Update the value for the property fs.defaultFS to
file:/// in core-site.xml
. -
Make sure that the following configurations are updated in
authorization-migration-site.xml
present in theauthzmigrator/config/
-
- authorization.migration.export.target_services= HIVE,KAFKA should have a list of services for which permissions are needed to export the Sentry permissions. Valid values: HIVE, KAFKA
- authorization.migration.export.output_file=<path> should be updated to the absolute location of the file where permissions should be exported
To set up role based permissions, you must add the following properties:
<property>
<name>authorization.migration.role.permissions</name>
<value>true</value>
</property>
An example property file: -
-
Export
JAVA_HOME
variable -
Run the script:
cd authzmigrator/
sh authz_export.sh
Exporting the permissions is completed. -
SCP the exported JSON to the target cluster. For more information about logging
into Cloudera clusters, see Using SSH to access the cluster.
scp <exported json> root@<target_clustert>:/root