Shell for import/export

The following arguments are added to sentry’s config-tool for import/export:

For import:

sentry -command config-tool -I <filepath> -o

-I,--import <filepath>    The path of the policy file to import

-o,--overwrite             Overwrite the existing role data during the import; the default is true

For export:

sentry -command config-tool -E <filepath> -b <specific auth object>

-E,--export <filepath>       The path of the policy file to export to

-b,--objectPath <specific auth object> Optional; the specific authorization object to export

e.g.: sentry -command config-tool -E /tmp/export.ini -b db=db1->table=table1

File format

The policy file format is handled by the interface SentryPolicyFileFormatter. The implementing class can be configured in sentry-site.xml as follows:

| Config Property | Value | Default | Required |
| --- | --- | --- | --- |
| sentry.hive.policy.file.formatter | The value must be a subclass of org.apache.sentry.binding.hive.SentryPolicyFileFormatter | org.apache.sentry.binding.hive.SentryIniPolicyFileFormatter | No |

The following is an example of the default policy file format for import/export (INI file format):

[groups]

group1=role1,role2

group2=role1,role2,role3

group3=role2,role3

[roles]

role1=server=server1,server=server1->action=select->grantoption=false

role2=server=server1->db=db2->action=insert->grantoption=true

role3=server=server1->db=db1->table=tbl2->column=col1->action=insert,server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true,server=server1->uri=hdfs://testserver:9999/path2->action=insert
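Because an import overwrites existing role data by default, it is worth reading a policy file before importing it. The following is an added example, not part of Sentry: a Python sketch that parses the INI format shown above and lists groups mapped to undefined roles and privileges that carry grantoption=true, action=* or no action. The function names and finding labels are hypothetical, and the sample is the example file from this page.

```python
# Constructed sample: the example policy file from this page.
SAMPLE = """\
[groups]
group1=role1,role2
group2=role1,role2,role3
group3=role2,role3
[roles]
role1=server=server1,server=server1->action=select->grantoption=false
role2=server=server1->db=db2->action=insert->grantoption=true
role3=server=server1->db=db1->table=tbl2->column=col1->action=insert,server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true,server=server1->uri=hdfs://testserver:9999/path2->action=insert
"""


def parse_policy(text):
    """Return (groups, roles): group -> [role name], role -> [privilege dict]."""
    groups, roles, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        if not sep or section not in ("groups", "roles"):
            raise ValueError(f"unexpected line: {raw!r}")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "groups":
            groups[name.strip()] = items
        else:
            # Each privilege is a chain of key=value parts joined by "->".
            roles[name.strip()] = [dict(part.split("=", 1) for part in item.split("->"))
                                   for item in items]
    return groups, roles


def review(groups, roles):
    """List (owner, finding, detail) tuples to check before an import."""
    findings = [(g, "undefined-role", r)
                for g, names in groups.items() for r in names if r not in roles]
    for role, privileges in roles.items():
        for priv in privileges:
            scope = "->".join(f"{k}={v}" for k, v in priv.items()
                              if k not in ("action", "grantoption"))
            if priv.get("grantoption", "").lower() == "true":
                findings.append((role, "grant-option", scope))
            if priv.get("action", "*") == "*":  # wildcard, or no action given
                findings.append((role, "wildcard-or-no-action", scope))
    return findings
```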

Authorization

Only users in the sentry-admin group can perform the import/export. The sentry-admin group can be configured in sentry-site.xml as follows:

| Config Property | Value | Default | Required |
| --- | --- | --- | --- |
| sentry.service.admin.group | e.g.: sentry_admin_group1,sentry_admin_group2 | | No |