Migrating from Sentry Policy Files to the Sentry Service

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

The following steps describe how you can upgrade from Sentry's policy file-based approach to the new database-backed Sentry service.
  1. If you haven't already done so, upgrade your cluster to the latest version of CDH and Cloudera Manager. Refer the Cloudera Manager Administration Guide for instructions.
  2. Disable the existing Sentry policy file for any Hive or Impala services on the cluster. To do this:
    1. Navigate to the Hive or Impala service.
    2. Click the Configuration tab.
    3. Under the Service-Wide > Policy File Based Sentry category, uncheck the Enable Sentry Authorization using Policy Files checkbox. Cloudera Manager will throw a validation error if you attempt to configure the Sentry service while this property is checked.
    4. Repeat for any remaining Hive or Impala services.
  3. Add the new Sentry service to your cluster. For instructions, see Adding the Sentry Service.
  4. To begin using the Sentry service, see Enabling the Sentry Service Using Cloudera Manager and Configuring Impala as a Client for the Sentry Service.
  5. Use the command-line interface Beeline to issue grants to the Sentry service to match the contents of your old policy file(s). For more details on the Sentry service and examples on using Grant/Revoke statements to match your policy file, see Hive SQL Syntax for Use with Sentry.