Consolidating policies created by Authzmigrator

Sentry (CDH) had an object ownership feature, which added ownership permissions for all the databases/tables created. This feature was added in CDH-5.16 and supported through CDH-6.2. After the ownership feature was enabled, Sentry granted owner permission for all the databases/tables created after enablement.

After migrating Sentry permissions to Ranger policies, the default policies in Ranger give "all permissions" to the owner of an object, but only for the objects that user owns.

Ranger default policies for Hadoop SQL

Policy Name                       User      Permissions
all - database, table, column     {OWNER}   all permissions
all - database, table             {OWNER}   all permissions
all - database, udf               {OWNER}   all permissions
all - database                    {OWNER}   all permissions

After migration from Sentry:
  • All the users who have {OWNER} permissions on objects, such as databases/tables, get all the permissions from the default Ranger policies above.
  • The Ranger policies above apply only to the objects of which the user is the owner.
  • This holds true even if Sentry has no owner mappings, that is, even when the ownership feature is disabled.

You can add the following property in authorization-migration-site.xml to skip creating a separate OWNER policy for every OWNER-MAPPING in Sentry.

<property>
  <name>authorization.migration.skip.owner.policy</name>
  <value>true</value>
</property>

Migrating Sentry to Ranger with the Ownership Feature Enabled

Scenario:

The ownership feature is enabled in Sentry. After enabling the ownership feature, Sentry holds owner permission for all the databases/tables created after that point.

Case:

Bob created 1000 tables tab1, tab2, tab3 ... tab1000 under database demoDB.

Because the ownership feature is enabled, Sentry has an OWNER-MAPPING for each of these tables.

After migration from Sentry to Ranger using the Authzmigrator tool, Ranger will have 1000 OWNER policies, one for each mapping in Sentry. However, Ranger already has the default OWNER policies, so there is no need for individual table-level OWNER policies, and 1000 such policies are hard to administer from the Ranger UI.

To avoid creating so many policies in Ranger, set "authorization.migration.skip.owner.policy" to true in authorization-migration-site.xml before migrating/importing the Sentry policies into Ranger.
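A pre-flight check for the setting described above, written as an added example (not code from Cloudera or the Authzmigrator project): it parses a Hadoop-style site XML, reports whether authorization.migration.skip.owner.policy is true, and sets it without duplicating an existing entry. It assumes the file uses the standard configuration/property/name/value layout; the sample XML and the placeholder property name in it are constructed for illustration.

```python
# Added example: verify and, if needed, set
# authorization.migration.skip.owner.policy=true in a Hadoop-style site XML
# such as authorization-migration-site.xml before running the migration.
# Assumption: the file uses the standard <configuration>/<property>/<name>/<value>
# layout. The sample below is constructed; "example.placeholder.property" stands
# in for whatever other settings a real file carries.
import xml.etree.ElementTree as ET
from pathlib import Path

SKIP_OWNER_PROP = "authorization.migration.skip.owner.policy"

SAMPLE_SITE_XML = """<configuration>
  <property>
    <name>example.placeholder.property</name>
    <value>keep-me</value>
  </property>
</configuration>
"""


def get_property(xml_text: str, name: str):
    """Return the value of property `name`, or None when it is not present."""
    root = ET.fromstring(xml_text)
    for prop in root.findall("property"):
        if prop.findtext("name", "").strip() == name:
            return prop.findtext("value", "").strip()
    return None


def set_property(xml_text: str, name: str, value: str) -> str:
    """Return the XML with `name` set to `value`.

    Updates the existing <property> in place if there is one (so the file never
    ends up with two entries for the same name), otherwise appends a new one.
    """
    root = ET.fromstring(xml_text)
    for prop in root.findall("property"):
        if prop.findtext("name", "").strip() == name:
            value_el = prop.find("value")
            if value_el is None:
                value_el = ET.SubElement(prop, "value")
            value_el.text = value
            break
    else:
        prop = ET.SubElement(root, "property")
        ET.SubElement(prop, "name").text = name
        ET.SubElement(prop, "value").text = value
    ET.indent(root)  # keep the rewritten file readable (Python 3.9+)
    return ET.tostring(root, encoding="unicode")


def skip_owner_policy_enabled(xml_text: str) -> bool:
    """True only when the property is present and set to true (case-insensitive).

    A missing property counts as false: the migration then creates one OWNER
    policy per Sentry OWNER-MAPPING, which is exactly what we want to avoid.
    """
    return (get_property(xml_text, SKIP_OWNER_PROP) or "").strip().lower() == "true"


def ensure_skip_owner_policy(site_xml_path) -> bool:
    """Make sure the property is true in the file on disk, rewriting the file if
    it was absent or false. Returns True when the file was changed."""
    path = Path(site_xml_path)
    text = path.read_text(encoding="utf-8")
    if skip_owner_policy_enabled(text):
        return False
    path.write_text(set_property(text, SKIP_OWNER_PROP, "true"), encoding="utf-8")
    return True


if __name__ == "__main__":
    print("skip enabled before:", skip_owner_policy_enabled(SAMPLE_SITE_XML))
    updated = set_property(SAMPLE_SITE_XML, SKIP_OWNER_PROP, "true")
    print("skip enabled after: ", skip_owner_policy_enabled(updated))
    print(updated)
```

Run ensure_skip_owner_policy against the real authorization-migration-site.xml path as the last step before the import; a True return value means the file was changed and is worth a second look before the migration is started.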