Customizing authorization-migration-site.xml
You can customize the default behavior of the Sentry to Ranger policy migration, using a safety valve in Cloudera Manager.
authorization.migration.export.output_file = hdfs:///user/sentry/export-permissions/permissions.json authorization.migration.ingest.is_dry_run = false authorization.migration.role.permissions = true authorization.migration.translate.url.privileges = false authorization.migration.ingest.merge.ifexists = true authorization.migration.export.target_services = HIVE,KAFKA authorization.migration.migrate.url.privileges = true authorization.migration.export.migration_objects = "" authorization.migration.object.filter = ""
You can now customize these configurations, using the Ranger Admin Advanced Configuration Snippet (Safety Valve) for conf/authorization-migration-site.xml "safety valve" in Cloudera Manager.
For example, setting the values of the following properties is required to update the location prefix in all URI privileges during the import:
authorization.migration.translate.url.privileges = true authorization.migration.destination.location.prefix = hdfs://<new_cdp_nameservice>
To customize properties:
- In type authorization-migration-site.xml, then click Search.
- In Ranger-1 > Ranger Admin Default Group, click +(Add).
- In Name, type a property name, such as authorization.migration.translate.url.privileges.
- In Value, type a property value, such as true.
- Click Save Changes.
- Repeat steps 2-5 for each property that you want to customize.
Currently, while running the Importing Sentry privileges into Ranger policies step to import the old Sentry grants to Ranger, with the following configs in the Ranger Admin Advanced Configuration Snippet (Safety Valve) for conf/authorization-migration-site.xml:
authorization.migration.translate.url.privileges=true
and
authorization.migration.destination.location.prefix=[hdfs://ns1]
The file:// Sentry URI grants are created as hdfs:// URL policies in Ranger.
For example:
file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar
becomes
[hdfs://ns1/opt/cgfiles/common/jdbc/my_udf-0.2.2.jar]
CDPD-61445 added a new config authorization.migration.url.ignore.scheme in which we can add multiple, comma-separated file system prefixes. The values provided in config will not update to prefix provided in property authorization.migration.destination.location.prefix while importing Sentry privileges into Ranger policies.
In case, if authorization.migration.translate.url.privileges=true
and
authorization.migration.destination.location.prefix=[hdfs://ns1] are already set and if we set authorization.migration.url.ignore.scheme = file, then any url policy with file prefix would not be replaced by hdfs://ns1 during import.
For example:
file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar
remains
file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar
Currently during AuthzMigrator Export, all Sentry data (Dbs/Tbls/Urls) are exported from sentry to permission.json.
CDPD-63485 provides a customer option to export Sentry data only for given Hive objects (databases and tables and the respective URLs).
You can use theauthorization.migration.export.migration_objects configuration property in authorization-migration-site.xml to provide Hive object details at the time of Sentry export.
While providing config value, use the following format:
single database. →db={db_name} eg. db=dio_work
single table →db=dio_work/tbl=ur_cdp_upgrade_ext (database and table should be separated by /)
Multiple databases →db=dio_work/tbl=.*,db=dio_work_2/tbl=.* (databases should be comma separated)
Multiple tables →db=dio_work/tbl=ur_cdp_upgrade_ext,db=dio_work/tbl=ur_cdp_upgrade_mngd
All tables of database →db=dio_work/tbl=.*
All databases and all tables →db=.*/tbl=.*
For example:
authorization.migration.export.migration_objects = db=dio_work/tbl=ur_cdp_upgrade_ext,db=dio_work/tbl=ur_cdp_upgrade_mngd
