Setting Up Apache Sentry Using the Command Line
Sentry enables role-based, fine-grained authorization for HiveServer2 and Impala. It provides classic database-style authorization for Hive and Impala. For more information, and instructions on configuring Sentry for Hive and Impala, see Managing the Sentry Service.
Installing Sentry
Use the following instructions, depending on your operating system, to install the latest version of Sentry.
OS | Command |
---|---|
RHEL | $ sudo yum install sentry |
SLES | $ sudo zypper install sentry |
Ubuntu or Debian | $ sudo apt-get update; sudo apt-get install sentry |
Upgrading Sentry
Upgrading from CDH 5.x to the Latest CDH 5
- Stop the Sentry Service
To stop the Sentry service, identify the PID of the Sentry Service and use the kill command to end the process:
ps -ef | grep sentry
kill -9 <PID>
Replace <PID> with the PID of the Sentry Service.
- Remove the previous version of Sentry.
OS | Command |
---|---|
RHEL | $ sudo yum remove sentry |
SLES | $ sudo zypper remove sentry |
Ubuntu or Debian | $ sudo apt-get remove sentry |
- Install the new version of Sentry.
- Upgrade Sentry Database Schema Using schematool
- From a release earlier than CDH 5.2 to CDH 5.4:
Use the Sentry schematool to upgrade the database schema as follows:
bin/sentry --command schema-tool --conffile <sentry-site.xml> --dbType <db-type> --upgradeSchema
Where <db-type> should be either mysql, postgres or oracle.
- For CDH 5.5 and higher: The newer releases include password encryption, which means you can no longer run schematool, because it requires a plaintext password. Password encryption is an important part of security, and Sentry defaults to using the CredentialProvider API to accomplish this. Cloudera recommends you use Cloudera Manager to upgrade the Sentry database instead.
However, if using Cloudera Manager is not an option and schematool is required, work around the default encryption as follows: obtain the password in plaintext from the API, open sentry-site.xml, manually set the sentry.store.jdbc.password property to the plaintext password, and remove the hadoop.security.credential.provider.path property and its value. You should now be able to run schematool.
- Start the Sentry Service
- Set the SENTRY_HOME and HADOOP_HOME parameters.
- Run the following command:
bin/sentry --command service --conffile <sentry-site.xml>
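The schematool workaround for CDH 5.5 and higher leaves sentry-site.xml holding the database password in plaintext with no credential provider configured. The following added example (not part of the original documentation) audits a sentry-site.xml for that state; the group/world permission check, the finding names and the two sample files are assumptions constructed for illustration.

```python
import os
import stat
import sys
import tempfile
import xml.etree.ElementTree as ET

PASSWORD_KEY = "sentry.store.jdbc.password"
PROVIDER_KEY = "hadoop.security.credential.provider.path"

def load_properties(path):
    """Parse a Hadoop-style site file into a {name: value} dict."""
    props = {}
    for prop in ET.parse(path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_sentry_site(path):
    """Return finding codes; an empty list means the default (encrypted) state."""
    props, findings = load_properties(path), []
    if props.get(PASSWORD_KEY):
        findings.append("plaintext-password")
    if not props.get(PROVIDER_KEY):
        findings.append("no-credential-provider")
    # Assumption: a file holding the plaintext password should be owner-only.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if props.get(PASSWORD_KEY) and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group-or-world-accessible")
    return findings

# Constructed samples (not real configs): workaround state vs. default state.
SAMPLES = {
    "workaround": "<configuration><property><name>%s</name>"
                  "<value>EXAMPLE-ONLY</value></property></configuration>" % PASSWORD_KEY,
    "default": "<configuration><property><name>%s</name>"
               "<value>localjceks://file/placeholder/creds.jceks</value>"
               "</property></configuration>" % PROVIDER_KEY,
}

def demo():
    """Audit both constructed samples written with mode 0644."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, body in SAMPLES.items():
            path = os.path.join(tmp, label + "-sentry-site.xml")
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
            results[label] = audit_sentry_site(path)
    return results

if __name__ == "__main__":
    print(audit_sentry_site(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Pass the path to a real sentry-site.xml as the only argument to audit it; with no argument the script audits the two constructed samples.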