Migrating Security and Governance Data from CDH to CDP

How to migrate security and governance data from CDH to CDP.

Sentry to Ranger

  • Hive/Impala replication in the Replication Manager can be used to convert and migrate Sentry policies to Ranger (for CDP Public Cloud).
  • Kafka and Solr permissions must be manually converted to Ranger policies.
  • HDFS ACLs that are automatically set up by Sentry must be manually converted to Ranger policies.
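As an added example (not Cloudera tooling and not code from this page), the sketch below converts one Sentry Kafka topic privilege into a Ranger policy document for the manual conversion described above. It refuses anything it cannot map exactly, so a host restriction or `action=all` is never silently widened. The Sentry privilege string form, the action mapping, the `cm_kafka` service name, and the role, group and topic names are assumptions to check against your own clusters.

```python
import json

# Assumption: Sentry Kafka action -> Ranger Kafka access type. Verify against
# the access types your Ranger Kafka service definition actually exposes.
ACTION_MAP = {"read": "consume", "write": "publish", "describe": "describe",
              "create": "create", "delete": "delete", "alter": "configure"}

def parse_sentry_privilege(priv):
    """Split 'Host=*->Topic=orders->action=read' into {'host': '*', ...}."""
    parts = {}
    for segment in priv.split("->"):
        key, sep, value = segment.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed segment {segment!r} in {priv!r}")
        parts[key.strip().lower()] = value.strip()
    return parts

def to_ranger_policy(role, groups, priv, service="cm_kafka"):
    """Build a Ranger policy dict for one topic privilege held by a Sentry role.

    Fails closed: anything not mapped one-to-one raises for manual conversion.
    """
    p = parse_sentry_privilege(priv)
    if set(p) - {"host", "topic", "action"} or "topic" not in p:
        raise ValueError(f"not a plain topic privilege, convert by hand: {priv}")
    if p.get("host", "*") != "*":
        # Dropping the host restriction would broaden access.
        raise ValueError(f"host-restricted privilege, convert by hand: {priv}")
    action = p.get("action", "").lower()
    if action not in ACTION_MAP:
        raise ValueError(f"unmapped action, convert by hand: {priv}")
    return {
        "service": service,  # assumed Ranger service name
        "name": f"sentry-{role}-{p['topic']}-{action}",
        "isEnabled": True,
        "resources": {"topic": {"values": [p["topic"]]}},
        "policyItems": [{
            "groups": sorted(groups),  # groups that held the Sentry role
            "accesses": [{"type": ACTION_MAP[action], "isAllowed": True}],
            "delegateAdmin": False,
        }],
    }

if __name__ == "__main__":
    # Constructed sample: role, group and topic names are hypothetical.
    policy = to_ranger_policy("analyst_role", {"analysts"},
                              "Host=*->Topic=orders->action=read")
    print(json.dumps(policy, indent=2))
```

Review each generated document before loading it into Ranger, and convert every privilege the function rejects by hand.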

Key Trustee Server, Key Trustee KMS, Key HSM, HSM KMS

Use BDR/Replication Manager to migrate encrypted data to CDP Public Cloud or CDP Data Center.


  • Migrate data from encrypted volumes to cloud-native encrypted storage (for CDP Public Cloud) or to another NavEncrypt encrypted volume (in CDP Data Center).
  • Data re-encryption will take place during the migration.

Navigator to Atlas Migration

  • CDP has Atlas wired up to all workloads. Ported workloads will recreate lineage.
  • Navigator-managed metadata tags and any manually entered data must be manually ported to Atlas Business Metadata Tags.
  • Any applications using the Navigator SDK must be ported to use Atlas APIs.
  • Navigator Audit information is not ported. To retain legacy audit information, you can maintain a read-only Navigator instance until it is no longer needed. You may need to upgrade Cloudera Manager or Navigator on the legacy cluster to a newer version to avoid end-of-life issues.