How to use Apache Sentry Java Client API & is there a user guide documentation?

Question

I am trying to operate Sentry in our CDH cluster using its Java Client API. Since I haven't found any related documentation about this (very little useful information on its official site), I just guess and write. Now some exception came up and I cannot solve it. So I am wondering whether there are documentations about how to use Sentry's Java API.

Below is the code I have written:

package com.playground;

import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.api.service.thrift.TSentryRole;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;

import java.util.Set;

public class SentryClientTest {
    public static void main(String[] args) {
        Configuration conf = new Configuration();
        conf.addResource("sentry-site.xml");
        try {
            SentryPolicyServiceClient client = SentryServiceClientFactory.create(conf);
            Set<TSentryRole> roles= client.listAllRoles("myname");
            for (TSentryRole role : roles) {
                System.out.println(role);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }

    }
}

sentry-site.xml is copied from /etc/sentry/sentry-site.xml, its content is like this:

<?xml version="1.0" encoding="UTF-8"?>

<!--Autogenerated by Cloudera Manager-->
<configuration>
  <property>
    <name>sentry.service.server.principal</name>
    <value>sentry/_HOST@SOME_REALM</value>
  </property>
  <property>
    <name>sentry.service.security.mode</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>sentry.service.client.server.rpc-address</name>
    <value>some-hostname</value>
  </property>
  <property>
    <name>sentry.service.client.server.rpc-port</name>
    <value>8038</value>
  </property>
  <property>
    <name>sentry.service.client.server.rpc-addresses</name>
    <value>hostname1:8038,hostname2:8038</value>
  </property>
</configuration>

The exception message:

org.apache.sentry.core.common.exception.SentryUserException: GSS initiate failed
    at org.apache.sentry.core.common.transport.RetryClientInvocationHandler.connect(RetryClientInvocationHandler.java:166)
    at org.apache.sentry.core.common.transport.RetryClientInvocationHandler.invokeImpl(RetryClientInvocationHandler.java:90)
    at org.apache.sentry.core.common.transport.SentryClientInvocationHandler.invoke(SentryClientInvocationHandler.java:41)
    at com.sun.proxy.$Proxy2.listAllRoles(Unknown Source)
    at com.playground.SentryClientTest.main(SentryClientTest.java:17)
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
    at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
    at org.apache.sentry.core.common.transport.SentryTransportFactory$UgiSaslClientTransport.baseOpen(SentryTransportFactory.java:183)
    at org.apache.sentry.core.common.transport.SentryTransportFactory$UgiSaslClientTransport.access$100(SentryTransportFactory.java:141)
    at org.apache.sentry.core.common.transport.SentryTransportFactory$UgiSaslClientTransport$1.run(SentryTransportFactory.java:168)
    at org.apache.sentry.core.common.transport.SentryTransportFactory$UgiSaslClientTransport$1.run(SentryTransportFactory.java:166)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1754)
    at org.apache.sentry.core.common.transport.SentryTransportFactory$UgiSaslClientTransport.open(SentryTransportFactory.java:166)
    at org.apache.sentry.core.common.transport.SentryTransportFactory.connectToServer(SentryTransportFactory.java:99)
    at org.apache.sentry.core.common.transport.SentryTransportFactory.getTransport(SentryTransportFactory.java:86)
    at org.apache.sentry.core.common.transport.SentryTransportPool$PoolFactory.create(SentryTransportPool.java:302)
    at org.apache.sentry.core.common.transport.SentryTransportPool$PoolFactory.create(SentryTransportPool.java:271)
    at org.apache.commons.pool2.BaseKeyedPooledObjectFactory.makeObject(BaseKeyedPooledObjectFactory.java:62)
    at org.apache.commons.pool2.impl.GenericKeyedObjectPool.create(GenericKeyedObjectPool.java:1041)
    at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:380)
    at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:279)
    at org.apache.sentry.core.common.transport.SentryTransportPool.getTransport(SentryTransportPool.java:183)
    at org.apache.sentry.api.service.thrift.SentryPolicyServiceClientDefaultImpl.connect(SentryPolicyServiceClientDefaultImpl.java:100)
    at org.apache.sentry.core.common.transport.RetryClientInvocationHandler.connect(RetryClientInvocationHandler.java:141)
    ... 4 more

I guess it has something to do with kerberos but I cannot figure it out. Any help is appreciated.