Migrating from Sentry to Ranger

Before deciding to migrate from Sentry to Ranger, read the Sentry to Ranger Concise Guide and the topics in this guide.

The Sentry to Ranger Concise Guide blog post describes fundamental differences between Sentry and Ranger, compares the two products, and provides additional information that helps prepare you for your migration.

Read the topics in this section for information about preparing to migrate Sentry permssions to Ranger policies and topics that describe how to migrate once you are ready.

Sentry (CDH) had an object ownership feature, which added ownership permissions for all the databases/tables created. This feature was added in CDH-5.16 and supported through CDH-6.2. After enabling the ownership feature Sentry would grant owner permission for all the databases/tables created after enablment.

Ranger default policies for Hadoop Sql

Policy Name User Permissions

all - database, table, column

{OWNER}

all permissions

all - database, table

{OWNER}

all permissions

all - database, udf

{OWNER}

all permissions

all - database

{OWNER}

all permissions

After migration from Sentry:
  • All the users who have {OWNER} permissions on objects, such as databases/tables, will get All the permissions from above default Ranger policies.
  • Above Ranger policies will be applicable only to objects for whom they are the owner.
  • Even if Sentry does not have owner mapping, in other words, the ownership feature is disabled, this scenario holds true.
  • Sentry roles that are empty and have no privileges are not copied over to Ranger after upgrade, like roles created with Sentry enabled.

    For example:
    CREATE ROLE <role name>;
    but no grants for the role executed like below: 
    GRANT <privilege> on <object> TO ROLE <ROLE>;
    Wont be migrated.