Transitioning the Sentry service to Apache Ranger

Before transitioning your cluster to CDP Private Cloud Base, you must move the authorization privileges from Apache Sentry to Apache Ranger. Apache Ranger supports the components like HDFS, Hive, and YARN. Apache Ranger functions as a centralized security administrator and provides greater access controls and auditing capabilities.

Perform the following steps after you have upgraded Cloudera Manager to version 7.1 or higher:

  1. Export Sentry Permissions. In the Cloudera Manager Admin Console, go to the Sentry service and select Actions > Export Permissions.
  2. Make sure a MySQL, Oracle, or PostgreSQL database instance is running and available to be used by Ranger before you create a new cluster or upgrade your cluster from CDH to Cloudera Runtime. See the links below for procedures to set up these databases.
  3. After you have set up the database, you can continue upgrading the cluster.

After the upgrade, Sentry privileges are converted in to Ranger service policies. For more information about how these privileges appear in Ranger, see Sentry to Ranger Permissions.