Importing Sentry permissions into Ranger

You must import the exported Sentry permissions (the permissions.json file) into Ranger on the CDP cluster.

  1. Log in to the Ranger Admin (RANGER_ADMIN) portal as a user with the Admin role, then give the ranger user the Admin role as well:
    1. Under Settings > Users/Groups/Roles, search for the ranger user.
    2. Click the ranger user, change its role to Admin, and save the changes.
  2. Confirm that authz-ingest.zip is present under /opt/cloudera/cm/lib/dr/. If it is not, contact Cloudera customer support to obtain it. Copy authz-ingest.zip to the /opt directory of the migration cluster node (or of a Data Lake node of the cloud cluster).
  3. Unzip authz-ingest.zip in the /opt directory. The resulting /opt/authz-ingest directory contains:
    • config-files
    • scripts

    The config-files directory contains the following:

    • authorization-migration-site.xml
    • ranger-hive-security.xml
    • ranger-kafka-security.xml
    • ranger-plugin-policymgr-ssl.xml

  4. If Ranger is TLS/SSL enabled using Cloudera Manager Auto-TLS, copy cm-auto-global_truststore.jks from the Ranger Admin process directory on the Ranger Admin host to /opt/authz-ingest/config-files/ on the migration tool host.
    To find the Ranger Admin process directory:
      • Run the following command to find the RANGER_ADMIN process:

        ps -ef | grep proc_rangeradmin

      • In the output, look at the -cp option for a path of the form "/var/run/cloudera-scm-agent/process/<ID>-ranger-RANGER_ADMIN"; that directory is the process directory.

      If you set up TLS/SSL manually or by another method, copy the truststore file you created instead.

      For example: cp /path/to/cm-auto-global_truststore.jks /opt/authz-ingest/config-files/
  5. Export the following variables:
    • JAVA_HOME - the Java home path used on the cluster
    • RANGER_ADMIN_URL - the Ranger Admin portal URL, including the port
    • RANGER_ADMIN_SSL_ENABLED - true or false
    • RANGER_ADMIN_TRUSTORE_PASSWORD - the truststore password. If Ranger is TLS/SSL enabled using Cloudera Manager Auto-TLS, it is the value of the ssl.client.truststore.password property in /etc/hadoop/conf/ssl-client.xml on the Ranger host. Treat it as a secret: export it only in the shell session that runs the import rather than putting it in a profile script.

    EXAMPLE:

    export JAVA_HOME=/usr/java/jdk1.8.0_232-cloudera/
    export RANGER_ADMIN_URL=<ranger admin url with port>
    export RANGER_ADMIN_SSL_ENABLED=<true or false>
    export RANGER_ADMIN_TRUSTORE_PASSWORD=<ssl.client.truststore.password>

  6. For Kerberos-based authentication, use the following process:
    1. Find the Ranger Admin keytab and export its path:

      export RANGER_ADMIN_KEYTAB_PATH=/path/to/rangeradmin.keytab

      On a CDEP cluster the Ranger keytab is available at "/cdep/keytabs/rangeradmin.keytab" or under the Ranger Admin process directory "/var/run/cloudera-scm-agent/process/<ranger-process-number>-ranger-RANGER_ADMIN".

      To find the Ranger Admin process directory:

      • Run the following command to find the RANGER_ADMIN process:

      ps -ef | grep proc_rangeradmin

      • In the output, look at the -cp option for a path of the form "/var/run/cloudera-scm-agent/process/<ID>-ranger-RANGER_ADMIN".

      If the Ranger node and the migration node are different hosts, copy the Ranger keytab to the migration node. The keytab is the Ranger Admin credential, so restrict the copy to the user running the import (for example with chmod 600) and remove it once the migration is complete.

      On the migration node, run the following klist command to list the principals in ${RANGER_ADMIN_KEYTAB_PATH}:

      klist -kt ${RANGER_ADMIN_KEYTAB_PATH}

      Then run kinit with ${RANGER_ADMIN_KEYTAB_PATH} and the rangeradmin/_HOST@REALM principal, replacing _HOST and REALM with the host and realm shown by klist:

      kinit -kt ${RANGER_ADMIN_KEYTAB_PATH} rangeradmin/_HOST@REALM

  7. Go to /opt/authz-ingest/config-files and open the file authorization-migration-site.xml.
  8. Add the following property, giving the path of the Sentry permissions.json file to import:

    <property>
      <name>authorization.migration.export.output_file</name>
      <value>file:///root/permissions.json</value>
    </property>

  9. Set the following properties to create an AWS S3 policy for the Hive warehouse location:

    <property>
      <name>authorization.migration.create.s3.policy</name>
      <value>true</value>
    </property>
    <property>
      <name>authorization.migration.target.s3.bucket.name</name>
      <value>bucket_name</value>
    </property>

  10. Set the following properties so that Sentry URI/URL privileges are converted into Hive URL policies for the AWS S3 location:

    <property>
      <name>authorization.migration.translate.url.privileges</name>
      <value>true</value>
    </property>
    <property>
      <name>authorization.migration.migrate.url.privileges</name>
      <value>true</value>
    </property>
    <property>
      <name>authorization.migration.destination.location.prefix</name>
      <value>s3a://mybucket</value>
    </property>

  11. (Optional) To translate old user names into new user names, set the following properties:

    <property>
      <name>authorization.migration.translate.user</name>
      <value>true</value>
    </property>
    <property>
      <name>authorization.migration.usermap.file.path</name>
      <value>file:///root/UserMapping.json</value>
    </property>

    Provide the user mapping in one of the following formats:

    JSON: a single object whose keys are the old user names and whose values are the new ones. It can hold any number of users:

    {"testuser1":"testuser1@host.com", "testuser2":"testuser2@host.com"}

    CSV: one mapping per line, old name followed by new name. The format is described as pipe-delimited, but the example below uses a comma; confirm which delimiter the version of the tool you have accepts:

    testuser1,testuser1@host.com
    testuser2,testuser2@host.com

  12. Authzmigrator has a flag that skips the {OWNER} policy while migrating from Sentry to Ranger. The property defaults to false (owner policies are migrated). To skip them, add the following property to authorization-migration-site.xml:

    <property>
      <name>authorization.migration.skip.owner.policy</name>
      <value>true</value>
    </property>

  13. Save the file and exit.
  14. Run the script:

    cd /opt/authz-ingest/scripts
    sh authz-import.sh

    On success, the following confirmation messages appear:

    "Ingesting Ranger policies finished successfully"
    "Ingesting of permissions to Ranger service is complete"
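The following pre-flight script ties steps 4 to 14 together. It is an added example, not part of authz-ingest or of Cloudera's documentation: it parses the ps and klist output the steps above ask you to read by hand, checks that every variable and file the import needs is in place (including that the keytab copy is private to the importing user), and only then obtains a ticket and runs authz-import.sh. The AUTHZ_HOME and AUTHZ_SITE_XML variables, the function names (ranger_process_dir, keytab_principal, site_value, preflight, selfcheck, main), the run and check arguments, and the ps/klist lines inside selfcheck are this script's own assumptions and constructed samples.

```shell
#!/bin/sh
# Pre-flight wrapper for the authz-ingest import procedure on this page. Added
# example, not part of authz-ingest or Cloudera's documentation; assumes the tool
# is unzipped to /opt/authz-ingest. AUTHZ_HOME and AUTHZ_SITE_XML are its own knobs.
AUTHZ_HOME="${AUTHZ_HOME:-/opt/authz-ingest}"
AUTHZ_SITE_XML="${AUTHZ_SITE_XML:-$AUTHZ_HOME/config-files/authorization-migration-site.xml}"

# Read `ps -ef` output on stdin and print the Ranger Admin process directory,
# i.e. the /var/run/cloudera-scm-agent/process/<ID>-ranger-RANGER_ADMIN path
# found in the -cp option of the proc_rangeradmin process (step 4).
ranger_process_dir() {
  grep proc_rangeradmin | grep -v 'grep proc_rangeradmin' \
    | grep -o '/var/run/cloudera-scm-agent/process/[0-9]*-ranger-RANGER_ADMIN' \
    | head -n 1
}

# Read `klist -kt` output on stdin and print the first rangeradmin/<host>@<REALM>
# principal, so _HOST and REALM come from the keytab instead of being typed.
keytab_principal() {
  awk '$NF ~ /^rangeradmin\/[^@]+@[^@]+$/ { print $NF; exit }'
}

# Print the <value> of one <property> of a Hadoop-style site file.
# Usage: site_value <property.name> <file>
site_value() {
  tr -d '\n\r' < "$2" \
    | sed -n "s|.*<name>$1</name>[[:space:]]*<value>\([^<]*\)</value>.*|\1|p"
}

# Check everything authz-import.sh will need. Reports every problem found and
# returns non-zero if there was at least one, so a half-configured run never reaches Ranger.
preflight() {
  errors=0
  fail() { echo "preflight: $1" >&2; errors=$((errors + 1)); }
  [ -x "${JAVA_HOME:-/nonexistent}/bin/java" ] \
    || fail "JAVA_HOME must point at a JDK with bin/java"
  case "${RANGER_ADMIN_URL:-}" in
    http://*|https://*) ;;
    *) fail "RANGER_ADMIN_URL must include the scheme and port" ;;
  esac
  case "${RANGER_ADMIN_SSL_ENABLED:-}" in
    true)
      # With TLS the tool needs the truststore copied in step 4 and its password.
      set -- "$AUTHZ_HOME"/config-files/*.jks
      [ -f "$1" ] || fail "no truststore (*.jks) in $AUTHZ_HOME/config-files"
      [ -n "${RANGER_ADMIN_TRUSTORE_PASSWORD:-}" ] \
        || fail "RANGER_ADMIN_TRUSTORE_PASSWORD is empty"
      case "${RANGER_ADMIN_URL:-}" in
        https://*) ;;
        *) fail "RANGER_ADMIN_SSL_ENABLED=true but RANGER_ADMIN_URL is not https" ;;
      esac ;;
    false) ;;
    *) fail "RANGER_ADMIN_SSL_ENABLED must be exactly true or false" ;;
  esac
  # The keytab is the Ranger Admin credential: the copy on the migration node
  # must be readable only by the user running the import.
  kt="${RANGER_ADMIN_KEYTAB_PATH:-}"
  if [ -f "$kt" ]; then
    [ "$(ls -ld "$kt" | cut -c5-10)" = "------" ] \
      || fail "$kt is readable by group or others; chmod 600 it"
  else
    fail "RANGER_ADMIN_KEYTAB_PATH does not name a file"
  fi
  # The input files named in authorization-migration-site.xml must exist here.
  if [ -f "$AUTHZ_SITE_XML" ]; then
    perms="$(site_value authorization.migration.export.output_file "$AUTHZ_SITE_XML")"
    [ -f "${perms#file://}" ] \
      || fail "authorization.migration.export.output_file not found: $perms"
    if [ "$(site_value authorization.migration.translate.user "$AUTHZ_SITE_XML")" = true ]; then
      map="$(site_value authorization.migration.usermap.file.path "$AUTHZ_SITE_XML")"
      [ -f "${map#file://}" ] \
        || fail "authorization.migration.usermap.file.path not found: $map"
    fi
  else
    fail "missing $AUTHZ_SITE_XML"
  fi
  [ "$errors" -eq 0 ]
}
# Offline self-check of the two parsers on constructed (not captured) lines.
selfcheck() {
  ps_line='java -Dproc_rangeradmin -cp /var/run/cloudera-scm-agent/process/1546335400-ranger-RANGER_ADMIN/conf:/opt/cloudera/parcels/CDH/lib/ranger-admin/ews/lib/* EmbeddedServer'
  kl_line='   2 01/15/2021 10:00:00 rangeradmin/ranger.example.com@EXAMPLE.COM'
  [ "$(printf '%s\n' "$ps_line" | ranger_process_dir)" = \
      /var/run/cloudera-scm-agent/process/1546335400-ranger-RANGER_ADMIN ] &&
  [ "$(printf '%s\n' "$kl_line" | keytab_principal)" = \
      rangeradmin/ranger.example.com@EXAMPLE.COM ]
}
# Full run: check, get a ticket from the keytab, then import (steps 6 and 14).
main() {
  preflight || exit 1
  princ="$(klist -kt "$RANGER_ADMIN_KEYTAB_PATH" | keytab_principal)"
  [ -n "$princ" ] || { echo "no rangeradmin principal in keytab" >&2; exit 1; }
  kinit -kt "$RANGER_ADMIN_KEYTAB_PATH" "$princ"
  cd "$AUTHZ_HOME/scripts" && sh authz-import.sh
}
case "${1:-}" in run) main ;; check) selfcheck ;; esac
```

Run it as sh preflight.sh run in the same shell session in which the variables of steps 5 and 6 were exported; sh preflight.sh check exercises only the parsers on the constructed sample lines, and with no argument the script just defines its functions so they can be sourced and used individually. The checks deliberately report every problem before exiting rather than stopping at the first, so a single run tells you everything that still needs fixing.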