Skip to end of metadata
Go to start of metadata

Shell for import/export

The following arguments are added to sentry’s config-tool for import/export:

For import:

sentry -command config-tool -I <filepath> -o

-I,--import <filepath>    The path of import policy file

-o,--overwrite             Overwrite the exist role data when do the import, default is true

For export:

sentry -command config-tool -E <filepath> -b <specific auth object>

-E,--export <filepath>       The path of export policy file

-b,--objectPath <specific auth object> Optional, the specific authorization object for export

eg: sentry -command config-tool -E /tmp/export.ini -b db=db1->table=table1

File format

For the policy file format, the interface SentryPolicyFileFormatter is responsible for this. The implemented class can be configured in the sentry-site.xml as the following:

Config PropertyValueDefaultRequired
sentry.hive.policy.file.formatterThe value must be the subclass of org.apache.sentry.binding.hive.SentryPolicyFileFormatterorg.apache.sentry.binding.hive.SentryIniPolicyFileFormatterNo

The following is the example for the default policy file format of import/export (as INI file format):

[groups]

group1=role1,role2

group2=role1,role2,role3

group3=role2,role3

[roles]

role1=server=server1,server=server1->action=select->grantoption=false

role2=server=server1->db=db2->action=insert->grantoption=true

role3=server=server1->db=db1->table=tbl2->column=col1->action=insert,server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true,server=server1->uri=hdfs://testserver:9999/path2->action=insert

Authorization

Only user with the sentry-admin group can do the import/export. The sentry-admin group can be configured in sentry-site.xml as the following:

Config PropertyValueDefaultRequired
sentry.service.admin.groupeg: sentry_admin_group1,sentry_admin_group2 No
  • No labels