Replication with Sentry Enabled
If the cluster has Sentry enabled and you are using Replication Manager to replicate files or tables and their permissions, configuration changes to HDFS are required.
The configuration changes are required due to how HDFS manages ACLs. When a user reads ACLs, HDFS provides the ACLs configured in the External Authorization Provider, which is Sentry. If Sentry is not available or it does not manage authorization of the particular resource, such as the file or directory, then HDFS falls back to its own internal ACLs. But when ACLs are written to HDFS, HDFS always writes these internal ACLs even when Sentry is configured. This causes HDFS metadata to be polluted with Sentry ACLs. It can also cause a replication failure in replication when Sentry ACLs are not compatible with HDFS ACLs.
To prevent issues with HDFS and Sentry ACLs, complete the following steps:
Create a user account that is only used for Replication Manager jobs since Sentry ACLs
will be bypassed for this user.
For example, create a user named
Configure HDFS on the source cluster:
- In the Cloudera Manager Admin Console, select .
Select Configuration and search for the following property:
NameNode Advanced Configuration Snippet (Safety Valve) for hdfs-site.xml.
Add the following property:
Name: Use the following property name:
Value: Provide the following information: <username>,
Replace <username> with the user you created in step 1 and <RealmName>
with the name of the Kerberos realm.
For example, the user
bdr-only-useron the realm
elephantrequires the following value:
Description: This field is optional.
- Restart the NameNode.
- Repeat step 2 on the destination cluster.
When you create a policy, specify the user you created in step 1 in the Run As
Username and Run on Peer as Username (if available) fields.