Sentry to Ranger replication for Hive external tables
When you create or edit a Hive external table replication policy, you can choose to migrate the Sentry policies for Hive objects, Impala data, and URLs that are being replicated. Replication Manager converts the Sentry policies to Ranger policies for the migrated data in the target cluster. Cloudera Manager version 6.3.1 and higher is required to replicate Sentry policies to Ranger.
In a Hive external table replication policy, if you choose the If Sentry permissions were exported from the CDH cluster, import both Hive object and URL permissions or If Sentry permissions were exported from the CDH cluster, import only Hive object permissions option, Replication Manager performs the following tasks automatically during the replication job run:
- Exports each Sentry policy as a single JSON file using the authzmigrator tool. The JSON file contains a list of resources, such as URI, database, table, or column and the policies that apply to it.
- Copies the exported Sentry policies to the target cluster using the DistCp tool.
- Ingests the Sentry policies into Ranger after filtering the policies related to the replication job using the authzmigrator tool through the Ranger rest endpoint. To filter the policies, the Replication Manager uses a filter expression that is passed to the authzmigrator tool by Cloudera Manager.