You can customize the default behavior of the Sentry to Ranger policy migration, using a safety valve in Cloudera Manager.
Ranger configurations now expose a safety-valve for authorization-migration-site.xml to allow users to customize properties that control migration of policies from Sentry to Ranger. Ranger embeds a default set of configurations in authorization-migration-site.xml, for example, in Ranger 7.1.7:
authorization.migration.export.output_file = hdfs:///user/sentry/export-permissions/permissions.json authorization.migration.ingest.is_dry_run = false authorization.migration.role.permissions = true authorization.migration.translate.url.privileges = false authorization.migration.ingest.merge.ifexists = true authorization.migration.export.target_services = HIVE,KAFKA authorization.migration.migrate.url.privileges = true authorization.migration.export.migration_objects = "" authorization.migration.object.filter = ""
You can now customize these configurations, using the Ranger Admin Advanced Configuration Snippet (Safety Valve) for conf/authorization-migration-site.xml "safety valve" in Cloudera Manager.
For example, setting the values of the following properties is required to update the location prefix in all URI privileges during the import:
authorization.migration.translate.url.privileges = true authorization.migration.destination.location.prefix = hdfs://<new_cdp_nameservice>
To customize properties:
- In Search. type authorization-migration-site.xml, then click
- In Ranger-1 > Ranger Admin Default Group, click +(Add).
- In Name, type a property name, such as authorization.migration.translate.url.privileges.
- In Value, type a property value, such as true.
- Click Save Changes.
- Repeat steps 2-5 for each property that you want to customize.