Using the Sentry Web Server

The Sentry web server can be used to view reported metrics, which can prove useful for debugging. You can also enable Kerberos authentication to secure the web server.

To enable the Sentry web server, perform the following steps:
  1. In Cloudera Manager, open the Sentry service.
  2. Click the Configuration tab.
  3. Search for sentry.service.web.enable and select Enable Web UI.
  4. Restart the Sentry web server.

To configure the Sentry web server for reporting metrics and to secure it using Kerberos authentication, perform the following steps:
  1. In Cloudera Manager, open the Sentry service.
  2. Click the Configuration tab.
  3. Search for the Sentry Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml property and add the following properties:
    1. Metrics for the Sentry service can now be reported using either JMX or console. To obtain the metrics in JSON format, use the Sentry web server, which listens on port 29000 by default (the sample below sets it to 51000). To enable reporting of metrics:
      <!-- Port on which the Sentry web server listens -->
      <property>
      <name>sentry.service.web.port</name>
      <value>51000</value>
      </property>
      
      <!-- Tool being used to report metrics; jmx or console -->
      <property>
      <name>sentry.service.reporter</name>
      <value>jmx</value>
      </property>
    2. To restrict who can access the debug web page for the Sentry service, Kerberos authentication must be enabled for the Sentry web server. To enable it:
      <!-- Set Kerberos authentication properties -->
      <property>
      <name>sentry.service.web.authentication.type</name>
      <value>KERBEROS</value>
      </property>
      
      <property>
      <name>sentry.service.web.authentication.kerberos.principal</name>
      <value>HTTP/<fully.qualified.domain.name>@YOUR-REALM</value>
      </property>
      
      <property>
      <name>sentry.service.web.authentication.kerberos.keytab</name>
      <value>/path/to/keytab/file</value>
      </property>
      
      <!-- Define a comma-separated list of users allowed to connect to the web server -->
      <property>
      <name>sentry.service.web.authentication.allow.connect.users</name>
      <value>user_a,user_b</value>
      </property>
  4. Enter a Reason for change, and then click Save Changes to commit the changes.
  5. Restart the Sentry web server.
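
The following Python check is an added example, not part of the original page or of Cloudera's tooling. It parses a safety-valve fragment like the one in step 3 and reports whether the Kerberos properties are present and filled in. The helper names are hypothetical, and the sample host, realm and keytab path are constructed.

```python
import xml.etree.ElementTree as ET

AUTH = "sentry.service.web.authentication."

def load_properties(fragment):
    """Parse <property> pairs; the fragment has no root element, so wrap it."""
    root = ET.fromstring("<configuration>" + fragment + "</configuration>")
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_web_auth(fragment):
    """Return a list of findings; an empty list means every check passed."""
    try:
        props = load_properties(fragment)
    except ET.ParseError:
        return ["fragment is not well-formed XML (unreplaced <...> placeholder?)"]
    if props.get(AUTH + "type", "").upper() != "KERBEROS":
        return ["authentication.type is not KERBEROS"]
    findings = []
    service, _, rest = props.get(AUTH + "kerberos.principal", "").partition("/")
    host, _, realm = rest.partition("@")
    if service != "HTTP" or not host or not realm or realm == "YOUR-REALM":
        findings.append("kerberos.principal is not a filled-in HTTP/<fqdn>@REALM")
    if props.get(AUTH + "kerberos.keytab", "") in ("", "/path/to/keytab/file"):
        findings.append("kerberos.keytab is unset or still the placeholder path")
    users = props.get(AUTH + "allow.connect.users", "").split(",")
    if not any(u.strip() for u in users):
        findings.append("allow.connect.users is empty")
    return findings

def prop(name, value):
    return "<property><name>%s</name><value>%s</value></property>" % (name, value)

# Constructed sample fragments (host, realm and keytab path are made up).
METRICS_ONLY = prop("sentry.service.web.port", "51000") + prop("sentry.service.reporter", "jmx")
SECURED = METRICS_ONLY + "".join([
    prop(AUTH + "type", "KERBEROS"),
    prop(AUTH + "kerberos.principal", "HTTP/sentry01.example.com@EXAMPLE.COM"),
    prop(AUTH + "kerberos.keytab", "/etc/security/keytabs/sentry.keytab"),
    prop(AUTH + "allow.connect.users", "user_a,user_b"),
])

if __name__ == "__main__":
    for label, frag in (("metrics only", METRICS_ONLY), ("secured", SECURED)):
        print(label, "->", audit_web_auth(frag) or "OK")
```

A fragment that only enables metrics (step 3.1 without step 3.2) is reported as lacking Kerberos, and a principal pasted with the literal `<fully.qualified.domain.name>` placeholder is caught because it makes the XML malformed.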