Authorization Provider for Impala
In CDP, Ranger is the authorization provider instead of Sentry. Ranger enforces policies differently from Sentry in some respects:
- SHOW ROLE statements are not supported as Ranger currently does not support roles.
- When a particular resource is renamed, currently, the policy is not automatically transferred to the newly renamed resource.
- SHOW GRANT with an invalid user/group does not return an error.
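Because policies do not follow a renamed resource, it is worth checking which grants a rename would drop. The sketch below is an added example, not Cloudera or Ranger code: it assumes policies exported in Ranger's policy JSON shape, uses constructed sample data and hypothetical function names, approximates Ranger wildcards with fnmatch, and ignores deny items and exclude flags.

```python
import fnmatch

# Constructed sample shaped like Ranger Hive-service policy JSON (not real data).
POLICIES = [
    {"name": "sales_orders_read", "isEnabled": True,
     "resources": {"database": {"values": ["sales"]},
                   "table": {"values": ["orders"]},
                   "column": {"values": ["*"]}},
     "policyItems": [{"users": [], "groups": ["analysts"],
                      "accesses": [{"type": "select", "isAllowed": True}]}]},
    {"name": "sales_etl_all", "isEnabled": True,
     "resources": {"database": {"values": ["sales"]},
                   "table": {"values": ["*"]},
                   "column": {"values": ["*"]}},
     "policyItems": [{"users": ["etl"], "groups": [],
                      "accesses": [{"type": "all", "isAllowed": True}]}]},
]


def covers(policy, db, table):
    """True if an enabled policy's database and table patterns match db.table."""
    res = policy.get("resources", {})

    def hit(key, name):
        values = res.get(key, {}).get("values", [])
        return any(fnmatch.fnmatchcase(name.lower(), v.lower()) for v in values)

    return policy.get("isEnabled", True) and hit("database", db) and hit("table", table)


def grants(policies, db, table):
    """Set of (principal, access type) pairs allowed on db.table."""
    out = set()
    for p in (p for p in policies if covers(p, db, table)):
        for item in p.get("policyItems", []):
            who = [f"user:{u}" for u in item.get("users", [])]
            who += [f"group:{g}" for g in item.get("groups", [])]
            for acc in item.get("accesses", []):
                if acc.get("isAllowed"):
                    out.update((w, acc["type"]) for w in who)
    return out


def rename_gap(policies, db, old, new):
    """Return (grants lost by renaming old -> new, names of stale policies)."""
    lost = grants(policies, db, old) - grants(policies, db, new)
    stale = [p["name"] for p in policies
             if covers(p, db, old) and not covers(p, db, new)]
    return sorted(lost), stale


if __name__ == "__main__":
    print(rename_gap(POLICIES, "sales", "orders", "orders_2023"))
```

A stale policy still names the old resource, so it would apply again to any table later created under that name; update or remove it as part of the rename.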
The following table lists the different access type requirements to run SQL statements in Impala.
|SQL Statement||Impala Access Requirement|
||VIEW_METADATA on the underlying tables|
||ALL on the target table / view; ALTER on the source table / view|
- VIEW_METADATA privilege denotes the SELECT, INSERT, or REFRESH privileges.
- ALL privilege denotes the SELECT, INSERT, CREATE, ALTER, DROP and REFRESH privileges.
For more information on the minimum level of privileges and the scope required to execute SQL statements in Impala, see Impala Authorization.
Migrating Sentry Policies
When upgrading from CDH to CDP, all SQL permissions and Kafka permissions will be migrated. However, if you must migrate some Sentry policies from your CDH environment to the new environment, you can use the Replication Manager service available in CDH. This service migrates Sentry authorization policies into Ranger as part of a replication policy job. When you create the replication policy, choose the resources that you want to migrate, and the Sentry policies will be migrated for those resources.
For more information on using the Replication Manager service to migrate Sentry policies, see Sentry Policy Replication.