WANDISCO FUSION®
Fusion Plugin for Live Sentry

1. Welcome

1.1. Product overview

Use the Fusion Plugin for Live Sentry to extend the WANdisco Fusion server with the ability to replicate policies among Apache Sentry Policy Provider instances. Coordinate activities that modify Sentry policy definitions among multiple instances of the Sentry Policy Provider across separate clusters to maintain common policy enforcement in each cluster. The Fusion Plugin for Live Sentry uses WANdisco Fusion for coordination and replication.


1.2. Documentation guide

This guide contains the following:

Welcome

this chapter introduces this user guide and provides help with how to use it.

Release Notes

details the latest software release, covering new features, fixes and known issues to be aware of.

Concepts

explains how Fusion Plugin for Live Sentry through WANdisco Fusion uses WANdisco’s Live Data platform.

Installation

covers the steps required to install and set up Fusion Plugin for Live Sentry into a WANdisco Fusion deployment.

Operation

the steps required to run, reconfigure and troubleshoot Fusion Plugin for Live Sentry.

Reference

additional Fusion Plugin for Live Sentry documentation, including documentation for the available REST API.

1.2.1. Admonitions

In the guide we highlight types of information using the following call outs:

The alert symbol highlights important information.
The STOP symbol cautions you against doing something.
Tips are principles or practices that you’ll benefit from knowing or using.
The KB symbol shows where you can find more information, such as in our online Knowledgebase.

1.3. Contact support

See our online Knowledgebase which contains updates and more information.

If you need more help, raise a case on our support website.

1.4. Give feedback

If you find an error or if you think some information needs improving, raise a case on our support website or email docs@wandisco.com.

2. Release Notes

2.1. Fusion Plugin for Live Sentry Version 1.3


The Fusion Plugin for Live Sentry 1.3 is a minor update following version 1.0, and includes new features, issue resolutions and other improvements. These release notes include details on the specific improvements and enhancements to the product, and should be read in conjunction with other product documentation.


2.2. Getting Installed

For instructions on a first-time installation, see 4. Installation.

Upgrades to current deployments of Fusion Plugin for Live Sentry can be performed in-place by updating the RPM packages:

fusion-sentry-plugin-cdh-5.9.0-1.3-xx.noarch.rpm
fusion-sentry-proxy-cdh-5.9.0-1.3-xx.noarch.rpm

2.2.1. Upgrade Process

Upgrade from the prior version of Fusion Plugin for Live Sentry can be performed without uninstallation. In addition to the steps below, you will need to confirm that configuration settings are correct for the upgraded version.

Stop the Fusion server.
# service fusion-server stop Enter
Stop the WANdisco Sentry Proxy server.
# service sentryproxy-server stop Enter
Upgrade the plugin RPM.
# rpm -U fusion-sentry-plugin-cdh-5.13.0-1.3-xxx.noarch.rpm Enter
Upgrade the proxy RPM.
# rpm -U fusion-sentry-proxy-cdh-5.13.0-1.3-xxx.noarch.rpm Enter
Start the Fusion server.
# service fusion-server start Enter
Start the proxy server.
# service sentryproxy-server start Enter

Please contact WANdisco support for help with this process, and find detailed installation instructions in the user guide at http://docs.wandisco.com/bigdata/wdfusion/plugins/live-sentry/index.html#installation


2.3. New Features

This release includes the following new features:

WD-SRP-86

Support for CDH 5.5.4

WD-SRP-87

Support for CDH 5.11.2

WD-SRP-13

Consistency Check. The Fusion Plugin for Live Sentry can report on inconsistencies for Sentry metadata across zones.

WD-SRP-82

External API to trigger consistency check. A consistency check operation can be triggered by issuing a POST request to the Fusion Plugin for Live Sentry endpoint. e.g.

Initiate a consistency check for Sentry when configured to use the /sentryproxy location for replication.
Retrieve consistency check results.
# curl -v -i -X GET "http://<fusion-server>:8082/plugin/sentryproxy/cc/84f4093e-e0b4-11e7-bb25-f62064db6cbb?path=/sentryproxy&withConsistencyReport=true" Enter

...
< HTTP/1.1 200 OK
< Content-Length: 234
< Content-Type: application/xml
< Server: Jetty(6.1.26.cloudera.4)
<
{ [data not shown]
* Connection #0 to host <fusion-server> left intact
* Closing connection #0
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<consistencyReport>
 <path>/sentryproxy</path>
 <state>RUNNING</state>
 <taskId>de4ce042-e013-11e7-8c0b-f62064db6cbb</taskId>
 <noInconsistencies>0</noInconsistencies>
</consistencyReport>
WD-SRP-40

Repair. The Fusion Plugin for Live Sentry can repair inconsistencies among Sentry metadata between zones.

WD-SRP-93

External API to trigger repair. A repair operation can be triggered to follow a consistency check by issuing a POST request to the Fusion Plugin for Live Sentry endpoint. e.g.

Initiate a repair when configured to use the /sentryproxy location for replication, following a prior consistency check that has provided a task ID.
WD-SRP-109

Modified configuration file locations. Default locations for files used by the plugin have changed:

  • Proxy server installation: /opt/wandisco/live-sentry-proxy

  • Proxy server configuration: /etc/wandisco/live-sentry-proxy

  • Proxy server logs: /var/log/wandisco/live-sentry-proxy

  • Proxy server process ID: /var/run/wandisco/live-sentry-proxy

  • Proxy plugin installation: /opt/wandisco/fusion/plugins/live-sentry

  • Proxy plugin configuration: /etc/wandisco/fusion/plugins/live-sentry

WD-SRP-151

No need for open user permissions. The directory used by the identity that runs the proxy can default to 0755 permissions.

WD-SRP-104

Cross-version compatibility. The Fusion Plugin for Live Sentry supports a variety of Cloudera CDH versions in mixed environments, including CDH 5.5.4, 5.6.1, 5.7.1, 5.8.2, 5.9.1, 5.10.0, 5.11.2, 5.12.1, and 5.13.1. Please contact WANdisco support for more information on compatibility with other versions.

WD-SRP-137

Support for Fusion 2.11.1.

WD-SRP-145

Support for non-Kerberos clusters. The Fusion Plugin for Live Sentry can operate in non-Kerberos clusters by setting sentry.hive.testing.mode to true in Hive’s sentry-site.xml in Cloudera Manager.

WD-SRP-156

Support for LDAP authentication. The Fusion Plugin for Live Sentry can operate in clusters that use LDAP for user authentication instead of Kerberos.


2.4. Available Packages

This release of Fusion Plugin for Live Sentry includes installers specific to the following versions of Cloudera:

5.9.0
  • fusion-sentry-plugin-cdh-5.9.0-1.3_RELEASE-xxx.noarch.rpm

  • fusion-sentry-proxy-cdh-5.9.0-1.3_RELEASE-xxx.noarch.rpm

5.10.0
  • fusion-sentry-plugin-cdh-5.10.0-1.3_RELEASE-xxx.noarch.rpm

  • fusion-sentry-proxy-cdh-5.10.0-1.3_RELEASE-xxx.noarch.rpm

5.11.0
  • fusion-sentry-plugin-cdh-5.11.0-1.3_RELEASE-xxx.noarch.rpm

  • fusion-sentry-proxy-cdh-5.11.0-1.3_RELEASE-xxx.noarch.rpm

5.12.0
  • fusion-sentry-plugin-cdh-5.12.0-1.3_RELEASE-xxx.noarch.rpm

  • fusion-sentry-proxy-cdh-5.12.0-1.3_RELEASE-xxx.noarch.rpm

5.13.0
  • fusion-sentry-plugin-cdh-5.13.0-1.3_RELEASE-xxx.noarch.rpm

  • fusion-sentry-proxy-cdh-5.13.0-1.3_RELEASE-xxx.noarch.rpm


2.5. System Requirements

Before installing or upgrading, ensure that your systems, software, and hardware meet the requirements found in the user guide at http://docs.wandisco.com/bigdata/wdfusion

2.5.1. Certified Third-Party Components

WANdisco certifies the interoperability of Fusion Plugin for Live Sentry with the versions of Apache Sentry in specific Cloudera CDH releases:

  • CDH 5.9.x

  • CDH 5.10.x

  • CDH 5.11.x

  • CDH 5.12.x

  • CDH 5.13.x

Support is currently limited to the version of Sentry (1.5.1) that is bundled with these packages.

WANdisco also certifies interoperability of Fusion Plugin for Live Sentry with a variety of Hadoop services, including:

  • Hive

  • Impala

  • HDFS

  • Solr

  • Hue

  • WANdisco Fusion Plugin for Live Hive

2.6. Known Issues

Fusion Plugin for Live Sentry 1.3 includes a small set of known issues, detailed here.

  • Sentry HA compatibility - WD-SRP-166

  • Debian installation packages - WD-SRP-179

  • Sentry proxy restart is required if fs.defaultFS property is changed - WD-SRP-176

3. Concepts

3.1. Product concepts


Familiarity with the following concepts will improve your use of the Fusion Plugin for Live Sentry.

WANdisco Fusion Plugin

A plugin is used by WANdisco Fusion to extend its functionality. Plugins are loaded by the WANdisco Fusion server on startup.

Apache Sentry

Sentry is a system for defining and enforcing fine-grained authorization against Hadoop resources. Use Sentry to control and enforce privileges on data for authenticated users and applications in a Hadoop cluster. It supports different data models with a modular architecture.

Sentry Server

The Sentry Server manages authorization metadata. It offers a Thrift interface to allow clients to retrieve and manipulate that metadata.

Sentry Authorization

Sentry limits user access to specific resources. Sentry policies are enforced by Sentry Plugins that are specific to the system for which a policy is enforced. Plugins obtain metadata from the Sentry Server to make authorization decisions.

Sentry Role

A set of privileges that combine multiple access rules.

Sentry Privilege

A rule that allows access to an object.

3.2. Product architecture


WANdisco Fusion provides a Live Data architecture, where data are stored and used in multiple locations, while data are replicated with guaranteed consistency across them all.

The Fusion Plugin for Live Sentry extends that Live Data architecture to metadata managed by Apache Sentry to allow policy changes made in any location to apply consistently across all.

The Fusion Plugin for Live Sentry is a distributed network proxy for the Thrift interface exposed by the Apache Sentry Server. It coordinates and replicates changes made via that interface to ensure that regardless of where or when changes to Sentry policies occur, they result in the same set of policies across multiple environments.

Figure 1. Fusion Plugin for Live Sentry Architecture

By implementing this coordination and replication via a proxy to the Sentry server, the Fusion Plugin for Live Sentry provides this capability without any change to the underlying Sentry services. Sentry provides a simple, standard means of directing clients to interact with the Sentry server via the proxy, and the proxy is configured to use the existing Sentry server.

3.3. Deployment models

3.3.1. Use Cases for the Fusion Plugin for Live Sentry

Replicate policy definitions between multiple Apache Sentry instances in different clusters using the Fusion Plugin for Live Sentry. Change Sentry policies in any cluster to enforce access to cluster resources with the same authorization rights in each environment.

4. Installation

4.1. Pre-requisites


4.1.1. System Requirements

Along with the standard product requirements that you can find on the WANdisco Fusion Deployment Checklist, you also need to ensure that your clusters:

  • Use Cloudera CDH 5.9.x to CDH 5.13.x (Note that builds for alternative CDH versions can be made available.)

  • Operate with Java 1.7

  • Have configured Cloudera CDH to use Kerberos or LDAP for user authentication (Note that the installation details here define steps for a Kerberized environment. Please contact WANdisco support for information on installation to a cluster that uses LDAP for user authentication.)

  • Use Apache Sentry for policy enforcement

4.1.2. Security Requirements

Prior to installation, establish the user identity that will be used by the WANdisco Sentry Proxy:

Add the system user wd-sentry-server on each node where the proxy will run.

Create the system user.
# adduser wd-sentry-user Enter

Establish Kerberos credentials for the wd-sentry-server user.

Create the user directory under hdfs.
# hdfs dfs -mkdir /user/wd-sentry-user Enter
# hdfs dfs -chown wd-sentry-user:wd-sentry-user /user/wd-sentry-user Enter
# hdfs dfs -chmod 755 /user/wd-sentry-user Enter

In the following instructions, <wd sentry proxy hostname> represents the hostname of the WANdisco Sentry Proxy server, and should be replaced with your actual hostname.

SSH to the node where the KDC Server is running.
# ssh <kdc hostname> Enter
Create the principal.
kadmin.local# addprinc -randkey wd-sentry-user/<wd sentry proxy hostname>@<REALM.COM> Enter
Create the wd-sentry-proxy.keytab file.
kadmin.local# xst -norandkey -kt wd-sentry-proxy.keytab wd-sentry-user/<wd sentry proxy hostname>@<REALM.COM> Enter
Copy the keytab to the WANdisco Sentry Proxy server.
# scp wd-sentry-proxy.keytab root@<wd sentry proxy hostname>:/etc/security/keytabs Enter
Ensure the ownership of the keytab is correct on the proxy server.
# chown sentry:sentry /etc/security/keytabs/wd-sentry-proxy.keytab Enter
The wd-sentry-proxy.keytab should be available on all servers where the WANdisco Sentry Proxy is installed.

4.1.3. Sentry Configuration Requirements

Ensure these configuration properties for Sentry in the sentry-site.xml file are equivalent in replicated zones:

sentry.service.allow.connect

A comma-separated list of identities that are allowed to connect to the Sentry service. e.g. hive,impala,hue,hdfs,solr,wd-sentry-user. Additionally, this list must include the user identities that apply to the Sentry Proxy and Fusion server.

sentry.service.admin.group

A comma-separated list of identities that have administrative privileges for the Sentry service. e.g. hive,impala,hue,hdfs,solr.
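One way to check this requirement before enabling replication, as an added example that is not part of the WANdisco tooling: it compares the two properties across zones as sets and confirms that the proxy identity is allowed to connect. The zone names and the sample sentry-site.xml contents are constructed, and the Fusion server identity for your deployment should be added to the required list.

```python
import xml.etree.ElementTree as ET

# Properties that section 4.1.3 requires to be equivalent in replicated zones.
REQUIRED_EQUIVALENT = ("sentry.service.allow.connect", "sentry.service.admin.group")

# Constructed sample files; zone_b omits wd-sentry-user and reorders the admin list.
ZONE_A_XML = """
<configuration>
  <property><name>sentry.service.allow.connect</name>
    <value>hive,impala,hue,hdfs,solr,wd-sentry-user</value></property>
  <property><name>sentry.service.admin.group</name>
    <value>hive,impala,hue,hdfs,solr</value></property>
</configuration>
"""
ZONE_B_XML = """
<configuration>
  <property><name>sentry.service.allow.connect</name>
    <value>hive, impala, hue, hdfs, solr</value></property>
  <property><name>sentry.service.admin.group</name>
    <value>solr,hdfs,hue,impala,hive</value></property>
</configuration>
"""


def load_site(xml_text):
    """Parse a Hadoop-style *-site.xml document into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text.strip()).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def as_set(value):
    """Comma-separated identity list -> set, ignoring order and whitespace."""
    return {item.strip() for item in (value or "").split(",") if item.strip()}


def check_zones(zones, required_identities):
    """zones maps a zone name to its sentry-site.xml text; returns findings."""
    findings = []
    parsed = {zone: load_site(text) for zone, text in zones.items()}
    baseline_zone = sorted(parsed)[0]
    for key in REQUIRED_EQUIVALENT:
        baseline = as_set(parsed[baseline_zone].get(key))
        for zone in sorted(parsed):
            current = as_set(parsed[zone].get(key))
            if not current:
                findings.append(f"{zone}: {key} is missing or empty")
            elif current != baseline:
                diff = sorted(current ^ baseline)
                findings.append(f"{zone}: {key} differs from {baseline_zone}: {diff}")
    # The proxy (and Fusion server) identities must be able to reach Sentry.
    for zone in sorted(parsed):
        allowed = as_set(parsed[zone].get("sentry.service.allow.connect"))
        for identity in sorted(set(required_identities) - allowed):
            findings.append(f"{zone}: {identity} not in sentry.service.allow.connect")
    return findings


if __name__ == "__main__":
    zones = {"zone_a": ZONE_A_XML, "zone_b": ZONE_B_XML}
    for finding in check_zones(zones, ["wd-sentry-user"]):
        print(finding)
```

An empty result means the two properties match in every zone and each required identity is allowed to connect.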

4.1.4. Replication Requirements

You must establish a replication rule associated with an HDFS path that is dedicated for the use of the Fusion Plugin for Live Sentry. e.g.

/sentryproxy

4.2. Installation Steps


Install the Fusion Plugin for Live Sentry using a standard RPM- or DEB-based installation process. Configure the plugin with simple command-line tools or manual changes to configuration files that are specific to the plugin. Instructions below refer to the CDH 5.13.x installer. Please account for the specific CDH version in your environment with the selection of the installer version.

4.2.1. Locate installation components.

There are two RPM files that provide installable components for the plugin:

  • fusion-sentry-plugin-cdh-5.13.0-1.3-xxx.noarch.rpm

  • fusion-sentry-proxy-cdh-5.13.0-1.3-xxx.noarch.rpm

Obtain the files so that you can distribute them to the appropriate hosts in your deployment for WANdisco Fusion. The fusion-sentry-proxy-cdh-5.13.0-1.3-xxx.noarch.rpm needs to be installed on each WANdisco Sentry Proxy server host in your deployment. The fusion-sentry-plugin-cdh-5.13.0-1.3-xxx.noarch.rpm needs to be installed on each WANdisco Fusion server host.

4.2.2. Install the plugin.

Install fusion-sentry-plugin-cdh-5.13.0-1.3-xxx.noarch.rpm on each WANdisco Fusion server host as the superuser:

Install the plugin on each WANdisco Fusion server:
# rpm -i fusion-sentry-plugin-cdh-5.13.0-1.3-xxx.noarch.rpm Enter

4.2.3. Install the proxy.

Install fusion-sentry-proxy-cdh-5.13.0-1.3-xxx.noarch.rpm on each host where you want to operate a WANdisco Sentry Proxy.

Install the proxy on each host required:
# rpm -i fusion-sentry-proxy-cdh-5.13.0-1.3-xxx.noarch.rpm Enter

4.2.4. Configure the plugin.

Change current directory to /etc/wandisco/fusion/plugins/live-sentry:

# cd /etc/wandisco/fusion/plugins/live-sentry Enter

Execute the configuration script configure-sentryproxy-plugin. Provide details of how the plugin will operate:

Remote thrift host

The hostname of the existing Sentry policy server.

Remote thrift port

The port used by the existing Sentry policy server (default 8038).

Thrift authentication type

Kerberos

Thrift Kerberos server principal

The Kerberos principal used by the existing Sentry policy server.

An example:

# ./configure-sentryproxy-plugin Enter
Enter the remote thrift host: rpx02-vm0.bdfrem.wandisco.com Enter
Enter the remote thrift port [8038]: 8038 Enter
Remote thrift authentication type is kerberos (yes/no)?
 [If yes, you need to provide the principal and keytab]: yes Enter
Enter the remote thrift kerberos server principal : sentry/rpx02-vm0.bdfrem.wandisco.com@WANDISCO.HADOOP Enter
 ------------------------------------------------------------------------------------------------
* Sentry details *
Sentry Service Thrift Host: rpx02-vm0.bdfrem.wandisco.com
Sentry Service Thrift Port: 8038
Thrift Authentication Type is Kerberos: true
Thrift Kerberos Principal: sentry/rpx02-vm0.bdfrem.wandisco.com@WANDISCO.HADOOP
------------------------------------------------------------------------------------------------
Confirm the sentryproxy plugin configuration details (yes/no): yes Enter
SentryProxy plugin configuration done successfully, restart fusion server to load the plugin
--------------------------------------------------------------------------------------------
 Note: You can edit the configuration values anytime in: /etc/wandisco/fusion/plugins/live-sentry/sentryproxy-plugin-site.xml
 The fusion server must be restarted for the changes to take effect
 --------------------------------------------------------------------------------------------

Once completed, the script will produce the configuration file at /etc/wandisco/fusion/plugins/live-sentry/sentryproxy-plugin-site.xml. You can modify this file later if required. If modified, restart the WANdisco Fusion server as configuration properties are obtained on WANdisco Fusion server startup only.

4.2.5. Configure the proxy.

Change current directory to /etc/wandisco/live-sentry-proxy:

# cd /etc/wandisco/live-sentry-proxy Enter

Execute the configuration script configure-sentryproxy-server. Provide details for the operation of the WANdisco Sentry Proxy:

Listen host

The hostname or interface on which the proxy should listen for connections

Listen port

The port on which the proxy should listen for connections

Replication path

A path that matches the replication rule that you configured for dedicated use by the Fusion Plugin for Live Sentry

Remote thrift host

The hostname of the existing Sentry policy server

Remote thrift port

The port used by the existing Sentry policy server (default 8038)

Thrift authentication type

Kerberos

Sentry proxy Kerberos server keytab

The path to the keytab for the wd-sentry-proxy principal

Sentry proxy Kerberos server principal

The full wd-sentry-proxy Kerberos principal

Sentry service Kerberos server principal

The Kerberos principal used by the existing Sentry policy server.

An example:

# ./configure-sentryproxy-server Enter
Enter the SentryProxy server listen host [0.0.0.0]: rpx02-vm4.bdfrem.wandisco.com Enter
Enter the SentryProxy server listen port [8073]: 8073 Enter
Enter the SentryProxy replication path [/sentryproxy]: /sentryproxy Enter
Enter the remote thrift host: rpx02-vm0.bdfrem.wandisco.com Enter
Enter the remote thrift port [8038]: 8038 Enter
Remote thrift authentication type is kerberos (yes/no)?
[If yes, you need to provide the principal and keytab]: yes Enter
Enter the sentry proxy kerberos server keytab : /etc/security/keytabs/wd-sentry-proxy.keytab Enter
Enter the sentry proxy kerberos server principal : wd-sentry-user/rpx02-vm4.bdfrem.wandisco.com@WANDISCO.HADOOP Enter
Enter the sentry service kerberos server principal : sentry/rpx02-vm0.bdfrem.wandisco.com@WANDISCO.HADOOP Enter
 ------------------------------------------------------------------------------------------------
*** SentryProxy server details ****
SentryProxy server listen host: rpx02-vm4.bdfrem.wandisco.com
SentryProxy server listen port: 8073
SentryProxy server replication path: /sentryproxy
**** Sentry details ****
Remote Thrift Host: rpx02-vm0.bdfrem.wandisco.com
Remote Thrift Port: 8038
Thrift Authentication Type is Kerberos: true
Sentry Proxy Kerberos Keytab: /etc/security/keytabs/wd-sentry-proxy.keytab
Sentry Proxy Kerberos Principal: wd-sentry-user/rpx02-vm4.bdfrem.wandisco.com@WANDISCO.HADOOP
Sentry Service Kerberos Principal: sentry/rpx02-vm0.bdfrem.wandisco.com@WANDISCO.HADOOP
------------------------------------------------------------------------------------------------
Do you confirm the details for configuration (yes/no): yes Enter
SentryProxy server configuration done successfully, restart sentryproxy-server to load the sentryproxy server
--------------------------------------------------------------------------------------------------------
 Note: You can edit the configuration values anytime in: /etc/wandisco/live-sentry-proxy/sentryproxy-server-site.xml
 The sentryproxy-server must be restarted for the changes to take effect
 -------------------------------------------------------------------------------------------------------

Once completed, the script will produce the configuration file at /etc/wandisco/live-sentry-proxy/sentryproxy-server-site.xml. You can modify this file later if required. If modified, restart the WANdisco Sentry Proxy server as configuration properties are obtained on WANdisco Sentry Proxy server startup only.

5. Operation


Once configured, restart the WANdisco Fusion server to use the configuration applied:

# service fusion-server restart Enter

Then start each WANdisco Sentry Proxy:

# service sentryproxy-server start Enter

Then configure your cluster to access the Sentry server via the WANdisco Sentry Proxy. The instructions below are specific to each type of cluster service that can use Sentry for authorization. Your environment may have one or more of these services in use. Apply the instructions below selectively based on the services operating in your clusters.

5.1. Configuration

5.1.1. Configure Hive

  1. Open the Cloudera Manager Administration Console and access the Hive service configuration tab.

  2. Select Scope > Hive (Service-Wide).

  3. Locate the Sentry Service and ensure that sentry is enabled.

  4. Locate the Hive Advanced Configuration Snippet (Safety Valve) for the sentry-site.xml property file and add the properties:

    1. sentry.service.client.server.rpc-address → The WANdisco Sentry Proxy host

    2. sentry.service.client.server.rpc-port → The WANdisco Sentry Proxy port

       If using CDH 5.13.x or later, the sentry.service.client.server.rpc-address and sentry.service.client.server.rpc-port settings are replaced with a single sentry.service.client.server.rpc-addresses entry with a value in the form <proxy host>:<proxy thrift port>.

    3. sentry.service.server.principal → The WANdisco Sentry Proxy principal

  5. Locate the Server Name for Sentry Authorization for the hive.sentry.server property.

  6. Add the same name in all Fusion-enabled zones for this property (i.e. sentry)

  7. Save these changes.

  8. Restart affected services.

The hive.sentry.server property must have the same value for all Fusion-enabled zones.

5.1.2. Configure HDFS

  1. Open the Cloudera Manager Administration Console and access the HDFS service configuration tab.

  2. Select Scope > HDFS (Service-Wide).

  3. Locate the Enable Sentry Synchronization property.

  4. Enable Sentry synchronization.

  5. Save these changes.

  6. Restart affected services.

5.1.3. Configure Impala

  1. Open the Cloudera Manager Administration Console and access the Impala service configuration tab.

  2. Select Scope > Impala (Service-Wide).

  3. Locate the Sentry Service property and ensure that "sentry" is enabled.

  4. Locate the Impala Service Advanced Configuration Snippet (Safety Valve) for the sentry-site.xml property file and add the properties:

    1. sentry.service.client.server.rpc-address → The WANdisco Sentry Proxy host

    2. sentry.service.client.server.rpc-port → The WANdisco Sentry Proxy port

       If using CDH 5.13.x or later, the sentry.service.client.server.rpc-address and sentry.service.client.server.rpc-port settings are replaced with a single sentry.service.client.server.rpc-addresses entry with a value in the form <proxy host>:<proxy thrift port>.

    3. sentry.service.server.principal → The WANdisco Sentry Proxy principal

  5. Save these changes.

  6. Restart affected services.

IMPALA-4951 Impala does not show database if the user only has column-level access
This issue is fixed in Impala 2.11.0, whereas CDH 5.9.1 installs Impala 2.7.0.

5.1.4. Configure Solr

  1. Open the Cloudera Manager Administration Console and access the Solr service configuration tab.

  2. Select Scope > Solr (Service-Wide).

  3. Locate the Sentry Service property and ensure that "sentry" is enabled.

  4. Locate the Solr Service Advanced Configuration Snippet (Safety Valve) for the sentry-site.xml property file and add the properties:

    1. sentry.service.client.server.rpc-address → The WANdisco Sentry Proxy host

    2. sentry.service.client.server.rpc-port → The WANdisco Sentry Proxy port

       If using CDH 5.13.x or later, the sentry.service.client.server.rpc-address and sentry.service.client.server.rpc-port settings are replaced with a single sentry.service.client.server.rpc-addresses entry with a value in the form <proxy host>:<proxy thrift port>.

    3. sentry.service.server.principal → The WANdisco Sentry Proxy principal

  5. Save these changes.

  6. Restart affected services.

Steps to connect 'solrctl' shell with sentryproxy:

Create the sentry-site.xml in '/tmp/wd-sentry-conf' and update the sentryproxy server values

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <property>
      <name>sentry.service.client.server.rpc-address</name>
      <value>{wd.sentry.proxy.thrift.host}</value>
   </property>
   <property>
      <name>sentry.service.client.server.rpc-port</name>
      <value>{wd.sentry.proxy.thrift.port}</value>
   </property>
   <property>
      <name>sentry.service.server.principal</name>
      <value>{wd.sentry.proxy.server.principal}</value>
   </property>
   <property>
      <name>sentry.service.security.mode</name>
      <value>kerberos</value>
   </property>
</configuration>

  1. wd.sentry.proxy.thrift.host → The WANdisco Sentry Proxy host

  2. wd.sentry.proxy.thrift.port → The WANdisco Sentry Proxy port

  3. wd.sentry.proxy.server.principal → The WANdisco Sentry Proxy principal

Export SENTRY_CONF_DIR to point to /tmp/wd-sentry-conf so that solrctl loads the custom sentry-site.xml instead of the default one located in /etc/sentry/conf.

# export SENTRY_CONF_DIR=/tmp/wd-sentry-conf Enter

Now run command 'solrctl sentry <cmd>'

# solrctl sentry <cmd>

5.1.5. Configure Hue

  1. Open the Cloudera Manager Administration Console and access the Hue service configuration tab.

  2. Select Scope > Hue (Service-Wide).

  3. Locate the Sentry Service property and ensure that "sentry" is enabled.

  4. Locate the Hue Service Advanced Configuration Snippet (Safety Valve) for the hue_safety_valve.ini property file and add the properties:

[libsentry]
  hostname={wd.sentry.proxy.thrift.host}
  port={wd.sentry.proxy.thrift.port}
  5. Locate the Hue Service Advanced Configuration Snippet (Safety Valve) for the sentry-site.xml property file and add the properties:

    1. sentry.service.client.server.rpc-address → The WANdisco Sentry Proxy host

    2. sentry.service.client.server.rpc-port → The WANdisco Sentry Proxy port

    3. sentry.service.server.principal → The WANdisco Sentry Proxy principal

  6. Save these changes.

  7. Restart affected services.

5.2. Troubleshooting


Observe information in the log files generated for the WANdisco Fusion server and the Fusion Plugin for Live Sentry to troubleshoot issues at runtime. Exceptions or log entries with a SEVERE label may represent information that can assist in determining the cause of any problem.

6. Reference Guide

6.1. API

The Fusion Plugin for Live Sentry provides a selection of REST API endpoints, detailed here. In each case, it is assumed that the Fusion Plugin for Live Sentry has been configured to use the /sentryproxy location as its replication rule.

6.1.1. Consistency Check

Initiate a consistency check to identify any inconsistencies among Sentry metadata between clusters. A consistency check can be performed for all metadata, or restricted to a specific role or group. It will be performed as a background task, associated with an identifier returned when initiated that can be used to query task status or retrieve results when the task is complete.

Initiate a consistency check for all Sentry metadata.
Initiate a consistency check for a specific Sentry group.
Initiate a consistency check for a specific Sentry role.
Check on the status of a consistency check task.
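A client-side sketch of the status check, as an added example that is not WANdisco code: it builds the status URL in the form shown in the release notes, parses the consistencyReport XML, and polls until the task leaves the RUNNING state. The fetch callable, the host name, the FINISHED state value and the reading of noInconsistencies as a count are assumptions; the page only shows RUNNING.

```python
import time
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

# Report body as shown in section 2.3 (XML declaration omitted).
SAMPLE_RUNNING = """
<consistencyReport>
 <path>/sentryproxy</path>
 <state>RUNNING</state>
 <taskId>de4ce042-e013-11e7-8c0b-f62064db6cbb</taskId>
 <noInconsistencies>0</noInconsistencies>
</consistencyReport>
"""
# Constructed: a later poll of the same task; FINISHED is a placeholder state name.
SAMPLE_FINISHED = SAMPLE_RUNNING.replace("RUNNING", "FINISHED").replace(
    "<noInconsistencies>0<", "<noInconsistencies>3<")


def status_url(fusion_server, task_id, path="/sentryproxy", port=8082):
    """Build the status URL with the task ID and query string encoded."""
    query = urlencode({"path": path, "withConsistencyReport": "true"}, safe="/")
    return (f"http://{fusion_server}:{port}/plugin/sentryproxy/cc/"
            f"{quote(task_id, safe='')}?{query}")


def parse_report(xml_text):
    """Turn a consistencyReport document into a dict; reject anything else."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "consistencyReport":
        raise ValueError(f"unexpected root element: {root.tag}")
    count = (root.findtext("noInconsistencies") or "").strip()
    return {
        "path": (root.findtext("path") or "").strip(),
        "state": (root.findtext("state") or "").strip(),
        "task_id": (root.findtext("taskId") or "").strip(),
        # Assumption: noInconsistencies is the number of inconsistencies found.
        "inconsistencies": int(count) if count.isdigit() else None,
    }


def wait_for_report(fetch, url, attempts=30, delay=2.0, sleep=time.sleep):
    """Poll fetch(url) until the state is no longer RUNNING.

    fetch is any callable that returns the response body as text, for example
    a wrapper around urllib.request.urlopen in a real deployment.
    """
    for attempt in range(attempts):
        report = parse_report(fetch(url))
        if report["state"] != "RUNNING":
            return report
        if attempt < attempts - 1:
            sleep(delay)
    raise TimeoutError(f"consistency check still RUNNING after {attempts} polls")


if __name__ == "__main__":
    # Offline demonstration with canned responses instead of a live server.
    canned = iter([SAMPLE_RUNNING, SAMPLE_RUNNING, SAMPLE_FINISHED])
    url = status_url("fusion.example", "de4ce042-e013-11e7-8c0b-f62064db6cbb")
    print(url)
    print(wait_for_report(lambda _url: next(canned), url, sleep=lambda _s: None))
```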

6.1.2. Repair

Perform a repair to resolve inconsistencies that have been identified by a consistency check. You will need to provide the name of the zone that should be used as the source of truth, and specify whether or not to preserve existing Sentry metadata in other zones that would otherwise not be modified through repair.

Repair is normally only required for the transfer of pre-existing Sentry metadata between clusters. Once operational, the Fusion Plugin for Live Sentry will replicate changes to Sentry metadata as they occur.