Cloudera Docs

Mapping Sentry permissions for Solr to Ranger policies

Use the mapping reference table to create Ranger policies that reflect the privileges defined for Solr in your Sentry permissions.

Sentry has the following objects for Solr:
  • admin
  • collection
  • config
  • schema

The admin object type controls access to administrative actions through the following privilege objects:

  • collection

  • cores

  • security

  • metrics

  • autoscaling

Ranger has only one object right now, which is collection. Permissions for collections are of type:

  • SolrAdmin

  • Query

  • Update

  • Other

Table 1. Ranger policies required to set equivalent access that Sentry privileges allowed
Sentry privilege Ranger policy
Collections

admin=collections - action=UPDATE

collection=<aliasName> - action=UPDATE

 All collections - permission SolrAdmin

admin=collections - action=UPDATE

collection=<collectionName> - action=UPDATE

 Policy for <collectionName>, permissions: SolrAdmin
admin=collections - action=UPDATE All collections - permissions: SolrAdmin

admin=collections - action=QUERY

collection=<collectionName> - action=QUERY

 Policy for <collectionName> - permissions: SolrAdmin
Cores

admin=cores - action=UPDATE

collection=<coreName> - action=UPDATE

 All collections - permission: SolrAdmin

admin=cores - action=QUERY

collection=<coreName> - action=QUERY

 All collections - permission: SolrAdmin
Configs
config=<configName> - action=* All collections = permission: SolrAdmin
Non-Administrative
collection=<collectionName> - action=QUERY Policy for <collectionName> - permissions: Query, Others
collection=<collectionName> - action=UPDATE Policy for <collectionName> - permissions: Update