Customizing authorization-migration-site.xml

You can customize the default behavior of the Sentry to Ranger policy migration, using a safety valve in Cloudera Manager.

Ranger configurations now expose a safety-valve for authorization-migration-site.xml to allow users to customize properties that control migration of policies from Sentry to Ranger. Ranger embeds a default set of configurations in authorization-migration-site.xml, for example, in Ranger 7.1.7:
authorization.migration.export.output_file = hdfs:///user/sentry/export-permissions/permissions.json
authorization.migration.ingest.is_dry_run = false
authorization.migration.role.permissions = true
authorization.migration.translate.url.privileges = false
authorization.migration.ingest.merge.ifexists = true
authorization.migration.export.target_services = HIVE,KAFKA
authorization.migration.migrate.url.privileges = true
authorization.migration.export.migration_objects = ""
authorization.migration.object.filter = ""

You can now customize these configurations, using the Ranger Admin Advanced Configuration Snippet (Safety Valve) for conf/authorization-migration-site.xml "safety valve" in Cloudera Manager.

For example, setting the values of the following properties is required to update the location prefix in all URI privileges during the import:

authorization.migration.translate.url.privileges = true
authorization.migration.destination.location.prefix = hdfs://<new_cdp_nameservice>

To customize properties:

  1. In Cloudera Manager > Configuration > Search type authorization-migration-site.xml, then click Search.
  2. In Ranger-1 > Ranger Admin Default Group, click +(Add).
  3. In Name, type a property name, such as authorization.migration.translate.url.privileges.
  4. In Value, type a property value, such as true.
  5. Click Save Changes.
  6. Repeat steps 2-5 for each property that you want to customize.
Each property/value pair that you save adds a property or overwrites the default value assigned to that property in authorization-migration-site.xml.