Authorization Provider for Impala

In CDP, Ranger is the authorization provider instead of Sentry. There are some changes with how Ranger enforces a policy which may be different from using Sentry.

New behavior:

  • The CREATE ROLE, GRANT ROLE, SHOW ROLE statements are not supported as Ranger currently does not support roles.
  • When a particular resource is renamed, currently, the policy is not automatically transferred to the newly renamed resource.
  • SHOW GRANT with an invalid user/group does not return an error.

The following table lists the different access type requirements to run SQL statements in Impala.

SQL Statement Impala Access Requirement
DESCRIBE view VIEW_METADATA on the underlying tables
ALTER TABLE RENAME

ALTER VIEW RENAME

ALL on the target table / view

ALTER on the source table / view

SHOW DATABASES

SHOW TABLES

VIEW_METADATA

where:

  • VIEW_METADATA privilege denotes the SELECT, INSERT, or REFRESH privileges.
  • ALL privilege denotes the SELECT, INSERT, CREATE, ALTER, DROP and REFRESH privileges.

For more information on the minimum level of privileges and the scope required to execute SQL statements in Impala, see Impala Authorization.

Migrating Sentry Policies

When upgrading from CDH to CDP, all SQL permissions and Kafka permissions will be migrated. However if you must migrate some sentry policies from your CDH environment to the new environment you can use the Replication Manager service available in CDH. This service migrates Sentry authorization policies into Ranger as part of the replication policy. Sentry policy migration takes place as part of a replication policy job. When you create the replication policy, choose the resources that you want to migrate and the Sentry policies will be migrated for those resources.

For more information on using the Replication Manager service to migrate Sentry policies, see Sentry Policy Replication.