Migrating from Sentry Policy Files to the Sentry Service

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

The following steps describe how you can upgrade from Sentry's policy file-based approach to the new database-backed Sentry service.
  1. If you haven't already done so, upgrade your cluster to the latest version of CDH and Cloudera Manager. Refer the Cloudera Manager Administration Guide for instructions.
  2. Disable the existing Sentry policy file for any Hive or Impala services on the cluster. To do this:
    1. Go to the Hive or Impala service.
    2. Click the Configuration tab.
    3. Select Scope > Service Name (Service-Wide).
    4. Select Category > Policy File Based Sentry.
    5. Deselect Enable Sentry Authorization using Policy Files. Cloudera Manager will throw a validation error if you attempt to configure the Sentry service while this property is checked.
    6. Repeat for any remaining Hive or Impala services.
  3. Add the new Sentry service to your cluster. For instructions, see Adding the Sentry Service.
  4. To begin using the Sentry service, see Enabling the Sentry Service Using Cloudera Manager and Configuring Impala as a Client for the Sentry Service.
  5. Use the command-line interface Beeline to issue grants to the Sentry service to match the contents of your old policy file(s). For more details on the Sentry service and examples on using Grant/Revoke statements to match your policy file, see Hive SQL Syntax for Use with Sentry.