Migrating from Sentry Policy Files to the Sentry Service

If your cluster uses Sentry policy file authorization, you must migrate the policy files to the database-backed Sentry service before you upgrade to CDH 6.

Complete the following steps to upgrade from Sentry policy files to the database-backed Sentry service:

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

  1. Disable the existing Sentry policy file for any Hive, Impala, or Solr services on the cluster. To do this:
    1. Go to the Hive, Impala, or Solr service.
    2. Click the Configuration tab.
    3. Select Scope > Service Name (Service-Wide).
    4. Select Category > Policy File Based Sentry.
    5. Clear Enable Sentry Authorization using Policy Files. Cloudera Manager throws a validation error if you attempt to configure the Sentry service while this property is checked.
    6. Repeat for any remaining Hive, Impala, or Solr services.
  2. Add the new Sentry service to your cluster. For instructions, see Adding the Sentry Service.
  3. To begin using the Sentry service, see Enabling the Sentry Service Using Cloudera Manager and Configuring the Sentry Service.
  4. (Optional) Use command line tools to migrate existing policy file grants.
    • If you want to migrate existing Sentry configurations for Solr, use the solrctl sentry --convert-policy-file command, described in solrctl Reference.
    • For Hive and Impala, use the command-line interface Beeline to issue grants to the Sentry service to match the contents of your old policy file(s). For more details on the Sentry service and examples on using Grant/Revoke statements to match your policy file, see Hive SQL Syntax for Use with Sentry.
  5. Restart the affected services as described in Restarting Services and Instances after Configuration Changes to apply the changes.