Sentry to Ranger replication for Hive replication policies
When you create or edit a Hive replication policy, you can choose to migrate the Sentry policies for Hive objects, Impala data, and URLs that are being replicated. The Replication Manager converts the Sentry policies to Ranger policies for the migrated data in the target cluster. The minimum supported Cloudera Manager version 6.3.1 and above is required to replicate Sentry policies to Ranger.
In a Hive replication policy, if you choose the If Sentry permissions were exported from the CDH cluster, import both Hive object and URL permissions or If Sentry permissions were exported from the CDH cluster, import only Hive object permissions option, the Replication Manager performs the following tasks automatically during the replication job run:
- Exports each Sentry policy as a single JSON file using the authzmigrator tool. The JSON file contains a list of resources, such as URI, database, table, or column and the policies that apply to it.
- Copies the exported Sentry policies to the target cluster using the DistCp tool.
- Ingests the Sentry policies into Ranger after filtering the policies related to the replication job using the authzmigrator tool through the Ranger rest endpoint. To filter the policies, the Replication Manager uses a filter expression that is passed to the authzmigrator tool by Cloudera Manager.