Authorization Provider for Impala
In CDP, Ranger is the authorization provider instead of Sentry. There are some changes with how Ranger enforces a policy which may be different from using Sentry.
New behavior:
- The
CREATE ROLE
,GRANT ROLE
,SHOW ROLE
statements are not supported as Ranger currently does not support roles. - When a particular resource is renamed, currently, the policy is not automatically transferred to the newly renamed resource.
SHOW GRANT
with an invalid user/group does not return an error.
The following table lists the different access type requirements to run SQL statements in Impala.
SQL Statement | Impala Access Requirement |
---|---|
DESCRIBE
view |
VIEW_METADATA on the underlying tables |
ALTER TABLE RENAME
|
ALL on the target table / view ALTER on the source table / view |
SHOW DATABASES
|
VIEW_METADATA |
where:
- VIEW_METADATA privilege denotes the
SELECT, INSERT, or REFRESH
privileges. - ALL privilege denotes the
SELECT, INSERT, CREATE, ALTER, DROP and REFRESH
privileges.
For more information on the minimum level of privileges and the scope required to execute SQL statements in Impala, see Impala Authorization.
Migrating Sentry Policies
When upgrading from CDH to CDP, all SQL permissions and Kafka permissions will be migrated. However if you must migrate some sentry policies from your CDH environment to the new environment you can use the Replication Manager service available in CDH. This service migrates Sentry authorization policies into Ranger as part of the replication policy. Sentry policy migration takes place as part of a replication policy job. When you create the replication policy, choose the resources that you want to migrate and the Sentry policies will be migrated for those resources.
For more information on using the Replication Manager service to migrate Sentry policies, see Sentry Policy Replication.