Transitioning the Sentry service to Apache Ranger

Before transitioning your cluster to CDP Private Cloud Base, you must prepare the Apache Sentry authorization privileges so they can be converted to Apache Ranger permissions. Apache Ranger supports components such as HDFS, Hive, and YARN. It functions as a centralized security administrator and provides greater access controls and auditing capabilities.

Perform the following steps after you have upgraded Cloudera Manager to version 7.1 or higher:

  1. Export Sentry Permissions. In the Cloudera Manager Admin Console, go to the Sentry service and select Actions > Export Permissions.

    The authzmigrator tool creates the /user/sentry/export-permissions/permissions.json file in HDFS. This file contains the Sentry metadata required for Ranger to recreate the roles and permissions.

  2. Make sure a MySQL, Oracle, or PostgreSQL database instance is running and available to be used by Ranger before you create a new cluster or upgrade your cluster from CDH to Cloudera Runtime. See the links below for procedures to set up these databases.
  3. After you have set up the database, you can continue upgrading the cluster.
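A check you can run after the export in step 1 and before continuing the upgrade, as an added example (not Cloudera's own tooling). The function name is hypothetical, the path is the one given above, and the commands are the standard `hdfs dfs -test`, `-cat` and `-ls`; JSON validation assumes python3 is on the host and is skipped otherwise.

```shell
# Added example: confirm the Sentry export is present and intact in HDFS.
# EXPORT_PATH is the path stated on this page; the function name is hypothetical.
EXPORT_PATH="/user/sentry/export-permissions/permissions.json"

# Returns 0 when the export looks usable, 1 if missing, 2 if empty,
# 3 if it does not parse as JSON. Prints one line per finding.
verify_sentry_export() {
    local path="${1:-$EXPORT_PATH}" listing mode owner

    # -test -e: path exists; -test -z: file is zero length.
    if ! hdfs dfs -test -e "$path"; then
        echo "FAIL: $path not found; run Actions > Export Permissions first"
        return 1
    fi
    if hdfs dfs -test -z "$path"; then
        echo "FAIL: $path is empty"
        return 2
    fi

    # A truncated or corrupted export fails to parse as JSON.
    if command -v python3 >/dev/null 2>&1; then
        if ! hdfs dfs -cat "$path" | python3 -m json.tool >/dev/null 2>&1; then
            echo "FAIL: $path is not valid JSON"
            return 3
        fi
    fi

    # In `hdfs dfs -ls` output, column 1 is the mode string, column 3 the owner.
    listing=$(hdfs dfs -ls "$path" | awk '$1 ~ /^-/ {print $1, $3; exit}')
    mode=${listing%% *}
    owner=${listing#* }
    echo "OK: $path present (mode $mode, owner $owner)"

    # Added precaution (not from the page): the file holds the Sentry role and
    # permission metadata, so report it when the "other" read bit is set.
    case "$mode" in
        ???????r*) echo "WARN: $path is world-readable" ;;
    esac
    return 0
}
```

Call `verify_sentry_export` with no argument to check the default path, and treat any non-zero return as a reason to repeat the export before upgrading.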

After the upgrade, Sentry privileges are converted into Ranger service policies. For more information about how these privileges appear in Ranger, see Sentry to Ranger Permissions.