Migrating from Sentry Policy Files to the Sentry Service

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

The following steps describe how you can upgrade from Sentry's policy file-based approach to the new database-backed Sentry service.
  1. If you haven't already done so, upgrade your cluster to the latest version of CDH and Cloudera Manager. Refer the Cloudera Manager Administration Guide for instructions.
  2. Disable the existing Sentry policy file for any Hive, Impala, or Solr services on the cluster. To do this:
    1. Go to the Hive, Impala, or Solr service.
    2. Click the Configuration tab.
    3. Select Scope > Service Name (Service-Wide).
    4. Select Category > Policy File Based Sentry.
    5. Clear Enable Sentry Authorization using Policy Files. Cloudera Manager throws a validation error if you attempt to configure the Sentry service while this property is checked.
    6. Repeat for any remaining Hive, Impala, or Solr services.
  3. Add the new Sentry service to your cluster. For instructions, see Adding the Sentry Service.
  4. To begin using the Sentry service, see Enabling the Sentry Service Using Cloudera Manager and Configuring Impala as a Client for the Sentry Service.
  5. (Optional) Use command line tools to migrate existing policy file grants.
    • If you want to migrate existing Sentry configurations for Solr, use the solrctl sentry --convert-policy-file command, described in solrctl Reference.
    • For Hive and Impala, use the command-line interface Beeline to issue grants to the Sentry service to match the contents of your old policy file(s). For more details on the Sentry service and examples on using Grant/Revoke statements to match your policy file, see Hive SQL Syntax for Use with Sentry.
  6. Restart the affected services as described in Restarting Services and Instances after Configuration Changes to apply the changes.