Transforming Ranger HDFS policies into Ranger S3 policies

Learn how to transform Ranger HDFS service policies into Ranger AWS S3 policies, which can then be imported into the Cloudera cluster Ranger.

  • You must have converted the extracted Ranger HDFS native permissions (.csv file) into Ranger HDFS policies (.json file) using the transform.sh convert command.
  • You must have copied the Ranger policy migration utility, ranger-<version>-policymigration.tar.gz file to the migration cluster node.
    1. Log in to the migration cluster's node (or a Data Lake node of a cloud cluster) where the ranger-admin binaries are available. For example, /opt/cloudera/parcels/CDH/lib/ranger-admin
    2. Copy /opt/cloudera/parcels/CDH/lib/ranger-admin/policymigration/ranger-<version>-policymigration.tar.gz to some location of the migration cluster machine from where you want to run the Ranger policy migration utility.
  • You must have read, write, and execute permissions on the directory where the Ranger policy migration utility is copied.
  • You must have SUDO or ROOT access to perform the migration process.
  1. Log in to the migration cluster node where you have copied the ranger-<version>-policymigration.tar.gz file. Untar the file and navigate to ranger-<version>-policymigration directory.
  2. Update the "Transform" part of the env.sh file by updating the following parameters or as required for your environment.
    • S3_BUCKET_NAME
    • SERVICE_NAME_FOR_NATIVE_POLICIES

    For more information, see Supported Input parameters for Transform operation.

  3. Run the transform.sh script with the transform command to convert the Ranger HDFS policies to Ranger AWS S3 policy format.
    Syntax:
    ./transform.sh transform $converted_ranger_policies_file_path
    Example:
    ./transform.sh transform /tmp/HDFS_Permissions_Export_<timestamp>_convert.json
The command generates a HDFS_Permissions_Export_<timestamp>_convert_transform.json file, which can then be imported using the Authzmigrator utility into the AWS S3 service of the target Cloudera cluster. If you encounter any errors, see the logs/ranger-policymigration.log file.
Import the transformed HDFS native permissions into the Ranger AWS S3 service of the target Cloudera cluster using the Authzmigrator tool.