Customizing authorization-migration-site.xml

You can customize the default behavior of the Sentry to Ranger policy migration using a safety valve in Cloudera Manager.

Ranger configurations now expose a safety-valve for authorization-migration-site.xml to allow users to customize properties that control migration of policies from Sentry to Ranger. Ranger embeds a default set of configurations in authorization-migration-site.xml, for example, in Ranger 7.1.7:
authorization.migration.export.output_file = hdfs:///user/sentry/export-permissions/permissions.json
authorization.migration.ingest.is_dry_run = false
authorization.migration.role.permissions = true
authorization.migration.translate.url.privileges = false
authorization.migration.ingest.merge.ifexists = true
authorization.migration.export.target_services = HIVE,KAFKA
authorization.migration.migrate.url.privileges = true
authorization.migration.export.migration_objects = ""
authorization.migration.object.filter = ""

You can now customize these configurations using the Ranger Admin Advanced Configuration Snippet (Safety Valve) for conf/authorization-migration-site.xml in Cloudera Manager.

For example, to update the location prefix in all URI privileges during the import, you must set the following properties:

authorization.migration.translate.url.privileges = true
authorization.migration.destination.location.prefix = hdfs://<new_cdp_nameservice>

To customize properties:

  1. In Cloudera Manager > Configuration > Search type authorization-migration-site.xml, then click Search.
  2. In Ranger-1 > Ranger Admin Default Group, click +(Add).
  3. In Name, type a property name, such as authorization.migration.translate.url.privileges.
  4. In Value, type a property value, such as true.
  5. Click Save Changes.
  6. Repeat steps 2-5 for each property that you want to customize.
Each property/value pair that you save either adds a new property or overwrites the default value of that property in authorization-migration-site.xml.

Currently, when you run the Importing Sentry privileges into Ranger policies step to import the old Sentry grants into Ranger with the following properties set in the Ranger Admin Advanced Configuration Snippet (Safety Valve) for conf/authorization-migration-site.xml:

authorization.migration.translate.url.privileges=true

and

authorization.migration.destination.location.prefix=hdfs://ns1

the file:// Sentry URI grants are created as hdfs:// URL policies in Ranger.

For example:

file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar

becomes

hdfs://ns1/opt/cgfiles/common/jdbc/my_udf-0.2.2.jar

CDPD-61445 added a new configuration property, authorization.migration.url.ignore.scheme, which accepts one or more comma-separated file system scheme prefixes. URIs whose scheme is listed in this property are not rewritten to the prefix given in authorization.migration.destination.location.prefix when Sentry privileges are imported into Ranger policies.

If authorization.migration.translate.url.privileges=true and authorization.migration.destination.location.prefix=hdfs://ns1 are already set, and you additionally set authorization.migration.url.ignore.scheme=file, then any URL policy with the file prefix is not rewritten to hdfs://ns1 during the import.

For example:

file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar

remains

file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar

Currently, during the AuthzMigrator export, all Sentry data (databases, tables, and URLs) is exported from Sentry to permissions.json.

CDPD-63485 adds an option for customers to export Sentry data only for specified Hive objects (databases, tables, and their respective URLs).

You can use the authorization.migration.export.migration_objects configuration property in authorization-migration-site.xml to specify the Hive objects at the time of the Sentry export.

When providing the value, use the following format:

  - Single database: db={db_name}, for example db=dio_work
  - Single table: db=dio_work/tbl=ur_cdp_upgrade_ext (separate the database and table with /)
  - Multiple databases: db=dio_work/tbl=.*,db=dio_work_2/tbl=.* (separate databases with commas)
  - Multiple tables: db=dio_work/tbl=ur_cdp_upgrade_ext,db=dio_work/tbl=ur_cdp_upgrade_mngd
  - All tables of a database: db=dio_work/tbl=.*
  - All databases and all tables: db=.*/tbl=.*

For example:

authorization.migration.export.migration_objects = db=dio_work/tbl=ur_cdp_upgrade_ext,db=dio_work/tbl=ur_cdp_upgrade_mngd
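As an added illustration (not Ranger's own code), the following Python script models the two behaviours described on this page, the URI prefix translation governed by authorization.migration.url.ignore.scheme and the authorization.migration.export.migration_objects filter, so that a planned safety-valve configuration can be sanity-checked against sample grants before the import is run. The property values are constructed from the page's examples; how a database-level object and an empty filter are treated is an assumption, noted in the code.

```python
import re
from urllib.parse import urlsplit

# Constructed safety-valve values mirroring the page's examples (not from a real cluster).
MIGRATION_PROPS = {
    "authorization.migration.translate.url.privileges": "true",
    "authorization.migration.destination.location.prefix": "hdfs://ns1",
    "authorization.migration.url.ignore.scheme": "file",
    "authorization.migration.export.migration_objects":
        "db=dio_work/tbl=ur_cdp_upgrade_ext,db=dio_work/tbl=ur_cdp_upgrade_mngd",
}

def translate_uri(uri, props):
    """Apply the documented prefix translation to one Sentry URI privilege.
    Assumption: this re-implements the behaviour the page describes; it is not Ranger's code."""
    if props.get("authorization.migration.translate.url.privileges", "false").lower() != "true":
        return uri  # translation disabled: the URI is imported unchanged
    prefix = props.get("authorization.migration.destination.location.prefix", "").rstrip("/")
    ignored = {s.strip().lower() for s in
               props.get("authorization.migration.url.ignore.scheme", "").split(",") if s.strip()}
    parts = urlsplit(uri)
    if not prefix or parts.scheme.lower() in ignored:
        return uri  # scheme listed in url.ignore.scheme keeps its original prefix
    return prefix + parts.path  # scheme://authority replaced, path preserved

def parse_migration_objects(value):
    """Parse 'db=<regex>[/tbl=<regex>],...' into (db_pattern, tbl_pattern) rules."""
    rules = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        db_pat = tbl_pat = None
        for part in item.split("/"):
            key, sep, pat = part.partition("=")
            if not sep or key not in ("db", "tbl"):
                raise ValueError(f"bad migration_objects entry: {item!r}")
            if key == "db":
                db_pat = pat
            else:
                tbl_pat = pat
        if db_pat is None:
            raise ValueError(f"missing db= in entry: {item!r}")
        rules.append((re.compile(db_pat), re.compile(tbl_pat) if tbl_pat is not None else None))
    return rules

def is_exported(db, tbl, rules):
    """True if a database (tbl=None) or a table would be exported under the rules.
    Assumptions: an empty filter (the default) exports everything, and a database-level
    object is in scope whenever any rule names that database."""
    if not rules:
        return True
    for db_re, tbl_re in rules:
        if db_re.fullmatch(db) and (tbl is None or (tbl_re is not None and tbl_re.fullmatch(tbl))):
            return True
    return False
```

Run translate_uri over the URL grants in an export and is_exported over its database and table entries to see which objects a given safety-valve setting would keep, rewrite, or leave out before committing to the real import.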