Cloudera Enterprise 6.0 Beta

Migrating Sentry Privileges for Solr After Upgrading to CDH 6

CDH 6 uses Apache Sentry 2, which supports more granular permissions for Cloudera Search. After upgrading to CDH 6, you must convert your Sentry privileges to the new model. Cloudera provides a script to automate this conversion.

The following sections describe the changes to the privilege model and how to migrate your existing permissions to the new model.

Solr Authorization Privilege Model Changes in CDH 6

The Solr authorization privilege model for Sentry in CDH 6 replaces the special admin collection with a new admin privilege object type. The admin object type supports the following privilege objects, allowing you to control access to different types of administrative operations separately:

  • collections
  • cores
  • security
  • metrics
  • autoscaling

The admin collection in CDH 5 is the equivalent of the admin=collections and admin=cores privilege objects in CDH 6. The following table shows equivalent Sentry permissions in CDH 5 and CDH 6:

Table 1. Cloudera Search Sentry Privilege Changes

CDH 5 Privilege Rule             | CDH 6 Privilege Rule
---------------------------------+-----------------------------------------------------------------
collection=admin->action=*       | admin=collections->action=*, admin=cores->action=*
collection=admin->action=update  | admin=collections->action=update, admin=cores->action=update
config=myConfig->action=*        | config=myConfig->action=*

Sentry in CDH 6 supports collection, admin, config, and schema privilege object types for Solr. For more information about the authorization privilege model for Cloudera Search, see Authorization Privilege Model for Cloudera Search.

Sentry Privilege Migration Script Usage

The Sentry privilege migration script for Cloudera Search is included with CDH at the following locations:

  • Parcels: /opt/cloudera/parcels/CDH/lib/solr/bin/sentryMigrationTool
  • Packages: /usr/lib/solr/bin/sentryMigrationTool

The command syntax is as follows:

usage: sentryMigrationTool
 -c,--sentry_conf <arg>   sentry-site.xml file path (only required in case
                          of Sentry service)
 -d,--dry_run             provides the output the migration for inspection
                          without making actual configuration changes
 -h,--help                Shell usage
 -o,--output <arg>        sentry (target) policy file path (only in case
                          of file based Sentry configuration)
 -p,--policy_file <arg>   sentry (source) policy file path (only in case
                          of file based Sentry configuration)
 -s,--source <arg>        Source Sentry version

Migrating Privileges for the Sentry Service

If you are using the Sentry Service, migrate your Cloudera Search privileges as follows:

sentryMigrationTool -c /path/to/sentry-site.xml -s <version>

Replace <version> with the Apache Sentry version for your CDH 5 version:

  • CDH 5.2, 5.3, 5.4: 1.4.0
  • CDH 5.5 and higher: 1.5.1

Migrating Privileges for Sentry Policy Files

If you are using Sentry policy files, migrate your Cloudera Search privileges as follows:

sentryMigrationTool -p /path/to/sentry-provider.ini -o /path/to/new/sentry-provider.ini -s <version>

Replace <version> with the Apache Sentry version for your CDH 5 version:

  • CDH 5.2, 5.3, 5.4: 1.4.0
  • CDH 5.5 and higher: 1.5.1
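
The Table 1 mapping applied to the [roles] section of a policy file, as an added example (not Cloudera's migration tool or its code) for previewing the expected CDH 6 rules and checking a migrated file for leftover admin-collection rules. The sample policy file is constructed, the `role = rule, rule` layout and all function names are assumptions, and applying the mapping to actions other than `*` and `update` generalizes the two table rows.

```python
import re

# Rule shape taken from Table 1: collection=admin->action=<action>
ADMIN_RULE = re.compile(r"^collection=admin->action=(\S+)$")

def parse_roles(text):
    """Read the [roles] section of a policy file into {role: [rule, ...]}."""
    roles, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "roles" and line and not line.startswith("#"):
            role, _, rules = line.partition("=")
            roles[role.strip()] = [r.strip() for r in rules.split(",") if r.strip()]
    return roles

def convert_rule(rule):
    """Return the CDH 6 rule(s) equivalent to one CDH 5 rule, per Table 1."""
    m = ADMIN_RULE.match(rule)
    if not m:
        return [rule]  # e.g. config=myConfig->action=* is unchanged
    action = m.group(1)
    return [f"admin=collections->action={action}", f"admin=cores->action={action}"]

def to_cdh6(roles):
    """Convert every rule of every role."""
    return {role: [new for rule in rules for new in convert_rule(rule)]
            for role, rules in roles.items()}

def unmigrated(roles):
    """List (role, rule) pairs that still use the CDH 5 admin collection."""
    return [(role, rule) for role, rules in roles.items()
            for rule in rules if ADMIN_RULE.match(rule)]

# Constructed sample policy file (not from the page).
SAMPLE_CDH5 = """\
[groups]
solr_admins = admin_role

[roles]
admin_role = collection=admin->action=*, config=myConfig->action=*
ops_role = collection=admin->action=update
"""

if __name__ == "__main__":
    after = to_cdh6(parse_roles(SAMPLE_CDH5))
    for role, rules in after.items():
        print(f"{role} = {', '.join(rules)}")
```

Running sentryMigrationTool with -d first and comparing its output against a preview like this shows which roles gain admin=collections and admin=cores rules before anything is changed. After the real run, `unmigrated(parse_roles(...))` on the file written with -o should return an empty list.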

Page generated March 7, 2018.