Cloudera Docs

Converting HDFS native permissions into Ranger HDFS policies

Learn how to convert the extracted HDFS native permissions into Ranger HDFS service policies, which can then be transformed into Ranger S3 policies.

  • The source and target migration clusters must be running the following supported versions:
    • Source cluster: HDP 2.6.5, HDP 3.1.5, CDH 5.16, CDH 6.3
    • Target cluster: CDP 7.2.15 or higher
  • You must have copied the extracted HDFS native permissions (.csv file) into the migration cluster node.
  • You must have copied the Ranger policy migration utility, ranger-<version>-policymigration.tar.gz file to the migration cluster node.
    1. Log in to the migration cluster's node (or a Data Lake node of a cloud cluster) where the ranger-admin binaries are available. For example, /opt/cloudera/parcels/CDH/lib/ranger-admin
    2. Copy /opt/cloudera/parcels/CDH/lib/ranger-admin/policymigration/ranger-<version>-policymigration.tar.gz to some location of the migration cluster machine from where you want to run the Ranger policy migration utility.
  • You must have read, write, and execute permissions on the directory where the Ranger policy migration utility is copied.
  • You must have SUDO or ROOT access to perform the migration process.
  1. Log in to the migration cluster node where you have copied the ranger-<version>-policymigration.tar.gz file. Untar the file and navigate to the ranger-<version>-policymigration directory.
  2. Update the “Transform” part of the env.sh file with the right set of values according to your environment.
    For more information, see Supported Input parameters for Transform operation.
  3. Run the transform.sh script with the convert command to convert the extracted HDFS native permissions to Ranger HDFS policy format. 
    Syntax:
./transform.sh convert $native_hdfs_permissions_csv_file_path
    Example:
./transform.sh convert /tmp/HDFS_Permissions_Export_<timestamp>.csv
The command generates a HDFS_Permissions_Export_<timestamp>_convert.json file, which is then transformed into the required Ranger S3 policies. If you encounter any errors, see the logs/ranger-policymigration.log file.
Transform the converted Ranger HDFS policies into Ranger S3 policies.