Migrating Sentry Privileges for Solr After Upgrading to CDH 6
CDH 6 uses Apache Sentry 2, which supports more granular permissions for Cloudera Search. After upgrading to CDH 6, you must convert your Sentry privileges to the new model. Cloudera provides a script to automate this conversion.
The following sections describe the changes to the privilege model, and how to migrate your existing permissions to the new model:
Solr Authorization Privilege Model Changes in CDH 6
The Solr authorization privilege model for Sentry in CDH 6 replaces the special admin collection with a new admin privilege object type. The admin object type supports the following privilege objects, allowing you to control access to different types of administrative operations separately:
- collections
- cores
- security
- metrics
- autoscaling
The admin collection in CDH 5 is the equivalent of the admin=collections and admin=cores privilege objects in CDH 6. The following table shows equivalent Sentry permissions in CDH 5 and CDH 6:
CDH 5 Privilege Rule | CDH 6 Privilege Rule |
---|---|
collection=admin->action=* | admin=collections->action=*, admin=cores->action=* |
collection=admin->action=update | admin=collections->action=update, admin=cores->action=update |
config=myConfig->action=* | config=myConfig->action=* |
Sentry in CDH 6 supports collection, admin, config, and schema privilege object types for Solr. For more information about the authorization privilege model for Cloudera Search, see Authorization Privilege Model for Cloudera Search.
Sentry Privilege Migration Script Usage
The Sentry privilege migration script for Cloudera Search is included with CDH at the following locations:
- Parcels: /opt/cloudera/parcels/CDH/lib/solr/bin/sentryMigrationTool
- Packages: /usr/lib/solr/bin/sentryMigrationTool
The command syntax is as follows:
usage: sentryMigrationTool -c,--sentry_conf <arg> sentry-site.xml file path (only required in case of Sentry service) -d,--dry_run provides the output the migration for inspection without making actual configuration changes -h,--help Shell usage -o,--output <arg> sentry (target) policy file path (only in case of file based Sentry configuration) -p,--policy_file <arg> sentry (source) policy file path (only in case of file based Sentry configuration) -s,--source <arg> Source Sentry version
Migrating Privileges for the Sentry Service
If you are using the Sentry Service, migrate your Cloudera Search privileges as follows:
sentryMigrationTool -c /path/to/sentry-site.xml -s <version>
Replace <version> with the Apache Sentry version for your CDH 5 version:
- CDH 5.2, 5.3, 5.4: 1.4.0
- CDH 5.5 and higher: 1.5.1
Migrating Privileges for Sentry Policy Files
If you are using Sentry policy files, migrate your Cloudera Search privileges as follows:
sentryMigrationTool -p /path/to/sentry-provider.ini -o /path/to/new/sentry-provider.ini -s <version>
Replace <version> with the Apache Sentry version for your CDH 5 version:
- CDH 5.2, 5.3, 5.4: 1.4.0
- CDH 5.5 and higher: 1.5.1
<< Upgrading to CDH 5.8.0 or CDH 5.8.1 When Using the Flume Kafka Client | ©2016 Cloudera, Inc. All rights reserved | Preparing Cloudera Search to Upgrade to CDH 6 >> |
Terms and Conditions Privacy Policy |