Exporting Sentry permissions

You must export the Sentry policies from CDH cluster to Cloudera cluster Ranger.

  1. SSH to the Sentry host of the source cluster.
  2. Copy the file located here to the Sentry host and extract it to a suitable location.
    tar -xvf authz_export.tar.gz
    Later, a directory named authzmigrator is created which contains the following files:
    • Jars
    • Config
    • Authz_export.sh
  3. Verify the SENTRY_SERVER process path
    ps -ef | grep SENTRY_SERVER
  4. Replace sentry-site.xml and core-site.xml in the extracted file with config files from Sentry-run directory.
 For example,
    • cp /var/run/cloudera-scm-agent/process/<process-id>-sentry-SENTRY_SERVER/sentry-site.xml authzmigrator/config/
    • cp /var/run/cloudera-scm-agent/process/<process-id>-sentry-SENTRY_SERVER/core-site.xml authzmigrator/config/
  5. Update ‘Sentry.store.jdbc.user’ and sentry.store.jdbc.password in sentry-site.xml.
    The mandatory values are the Sentry "database user" and "database user password" in clear text.
  6. Remove the property hadoop.security.credential.provider.path in sentry-site.xml.
  7. Update the value for the property fs.defaultFS to file:/// in core-site.xml.
  8. Make sure that the following configurations are updated in
    authorization-migration-site.xml present in the authzmigrator/config/
      • authorization.migration.export.target_services= HIVE,KAFKA should have a list of services for which permissions are needed to export the Sentry permissions. Valid values: HIVE, KAFKA
      • authorization.migration.export.output_file=<path> should be updated to the absolute location of the file where permissions should be exported

    To set up role based permissions, you must add the following properties:

    <property>

    <name>authorization.migration.role.permissions</name>

    <value>true</value>

    </property>

    An example property file:
  9. Export JAVA_HOME variable
  10. Run the script:
    cd authzmigrator/

    sh authz_export.sh

    Exporting the permissions is completed.
  11. SCP the exported JSON to the target cluster. For more information about logging into Cloudera clusters, see Using SSH to access the cluster.
    scp <exported json> root@<target_clustert>:/root