Troubleshooting Sentry

General Questions

What server is Sentry running on?

To view the Sentry host, open the Sentry service in Cloudera Manager and click the Instances tab. You can view the state, host, commission state, and role group. If Sentry high availability is enabled, more than one host is listed.

How do I know the Sentry service is running?

You can view the Sentry server and verify that it is running in the Instances tab of the Sentry service page in Cloudera Manager.

How do I view the current permissions?

There is no command to display all of the groups that have a certain role. However, you can display the roles that have been assigned to a group. You can use the following commands in Beeline, Impala shell, or HUE:

  • show roles

    Lists the existing roles.

  • show role grant group <group name>

    Lists the roles that are assigned to the specified group.

    For example, this command lists the roles that are assigned to the group systest: show role grant group systest

  • show grant role <role name>

    Lists the permissions that have been granted to the specified role.

    For example, this command lists the permissions that the role test_user_role has: show grant role test_user_role

  • show grant role <role name> on <object type> <object name>

    Lists the permissions that a role has on an object.

    For example, this command lists the permissions that the role test_user_role has on the table test_tbl1: show grant role test_user_role on table testdb1.test_tbl1
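Because no command lists every group that holds a given role, the following added example (not Cloudera's code) builds that reverse view for an access review by parsing saved show role grant group output, one result per group. The Beeline table layout with the role name in the first column, the sample rows, and the names analysts, etl, and admin_role are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: one saved `show role grant group <group>` result per
# group, trimmed to two columns. Assumed layout: Beeline's default table
# format, with a header row and the role name in the first column.
_HEADER = (
    "+-----------------+---------------+\n"
    "|      role       | grant_option  |\n"
    "+-----------------+---------------+\n"
)
_FOOTER = "+-----------------+---------------+\n"
SAMPLE = {
    "systest": _HEADER + "| test_user_role  | false         |\n" + _FOOTER,
    "analysts": _HEADER
    + "| test_user_role  | false         |\n"
    + "| admin_role      | false         |\n"
    + _FOOTER,
    "etl": _HEADER,  # a group with no roles: header only, no data rows
}


def parse_roles(output):
    """Return the role names found in one `show role grant group` result."""
    # Keep only table rows; borders (+---+) and status lines are dropped.
    rows = [l.strip() for l in output.splitlines() if l.strip().startswith("|")]
    # rows[0] is the column header; every later row is one granted role.
    names = [r.strip("|").split("|")[0].strip() for r in rows[1:]]
    return [n for n in names if n]


def groups_by_role(captured):
    """Invert {group: saved output} into {role: sorted list of groups}."""
    index = defaultdict(set)
    for group, output in captured.items():
        for role in parse_roles(output):
            index[role].add(group)
    return {role: sorted(groups) for role, groups in index.items()}


if __name__ == "__main__":
    for role, groups in sorted(groups_by_role(SAMPLE).items()):
        print(f"{role}: {', '.join(groups)}")
```

The result is only as complete as the list of groups you query, so a group that was never checked will not appear under any role.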

High Availability

How do I know if Sentry is running in HA mode?

CDH 5.13.0 and higher supports high availability for Sentry. You can view the Sentry Servers by opening the Sentry service in Cloudera Manager and clicking the Instances tab. If Sentry high availability is enabled, more than one Sentry Server is listed. Note that when you enable high availability, you must re-deploy client configurations so that the services that depend on Sentry have the new Sentry hostname. If the clients have stale configurations, you must deploy client configurations and restart the cluster.

For more information about high availability for Sentry, see Sentry High Availability.

Can the permissions for the Sentry Servers be out of sync?

When Sentry high availability is enabled, there are multiple Sentry Servers, but only one Sentry database. Because the privileges are stored in a single database that all of the Sentry Servers connect to, it is not possible for the Sentry Servers to have different permissions.

Logs

How do I view the Sentry logs?

To view the Sentry logs, click Diagnostics > Logs from the navigation bar in Cloudera Manager. Click Select Sources and select Sentry. You can change the log level, choose a host, and enter a search phrase. Click Search to display the logs.

You can also view the Sentry logs through a shell. If you're looking for specific text in the logs, you can use a grep command to easily find the text. To view the logs, SSH into the Sentry server and browse to the following directory:

/var/log/sentry

For more information about viewing logs in Cloudera Manager, see Logs.

I want more/less information in the logs.

To change the amount of information that is included in the Sentry logs, open the Sentry service in Cloudera Manager and click the Configuration tab. Search for the Sentry Server Logging Threshold setting. You can choose between TRACE, DEBUG, INFO, WARN, ERROR, and FATAL log levels. TRACE creates the most detailed logs and FATAL creates the least detailed logs. Note that creating detailed logs can result in slower performance.