Ranger replication policies
You can create Ranger replication policies in Cloudera Private Cloud Base Replication Manager. Ranger replication policies migrate the Ranger policies and roles for the HDFS, Hive, and HBase services between Kerberos-enabled Cloudera Private Cloud Base 7.1.9 or higher clusters that use Cloudera Manager 7.11.3. A Ranger replication policy can also migrate the Ranger audit logs stored in HDFS.
Apache Ranger manages access control through a user interface that ensures consistent policy administration across Cloudera Data Platform (CDP) components. Security administrators can define security policies at the database, table, column, and file levels, and can administer permissions for specific LDAP-based groups or individual users.
The Ranger replication policy can replicate the following:
- Ranger policies and roles: the Ranger policies that can be replicated include Ranger tag-based policies and Ranger resource-based policies. The replication policy always performs a complete export and import of Ranger policies.
- Ranger audit logs in HDFS: Ranger audit logs can be replicated using superuser credentials. You must ensure that the Ranger audit log directory on the source cluster is snapshot-enabled. Replication Manager uses DistCp jobs to replicate Ranger HDFS audit log directories. Therefore, the first Ranger replication policy run that replicates the Ranger audit log directory is a bootstrap job, and the subsequent runs are incremental.
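Because the policy replication is a complete export and import, a practical post-run check is to export the Ranger policies from both clusters and compare them. The following added example (not part of this documentation or of Replication Manager) does that comparison on constructed sample exports; the JSON field names it reads are assumed to match the Ranger admin policy export format, and it identifies policies by service type, policy type and name because service names typically differ between clusters.

```python
import json

# Constructed sample exports. Field names (policies, name, serviceType,
# policyType, isEnabled, resources, policyItems) are assumed, not from the page.
SOURCE_EXPORT = json.dumps({"policies": [
    {"name": "all - path", "serviceType": "hdfs", "policyType": 0, "isEnabled": True,
     "service": "cm_hdfs", "resources": {"path": {"values": ["/"], "isRecursive": True}},
     "policyItems": [{"accesses": [{"type": "read", "isAllowed": True}], "groups": ["analysts"]}]},
    {"name": "sales_db", "serviceType": "hive", "policyType": 0, "isEnabled": True,
     "service": "cm_hive", "resources": {"database": {"values": ["sales"]}},
     "policyItems": [{"accesses": [{"type": "select", "isAllowed": True}], "groups": ["sales"]}]},
    {"name": "PII-tag", "serviceType": "tag", "policyType": 0, "isEnabled": True,
     "service": "cm_tag", "resources": {"tag": {"values": ["PII"]}},
     "policyItems": [{"accesses": [{"type": "hive:select", "isAllowed": True}], "roles": ["pii_readers"]}]},
]})
# Constructed target after an incomplete replication: service names differ as on
# another cluster, one policy is disabled, one gained a group, one is missing.
TARGET_EXPORT = json.dumps({"policies": [
    {"name": "all - path", "serviceType": "hdfs", "policyType": 0, "isEnabled": True,
     "service": "cm_hdfs_dr", "resources": {"path": {"values": ["/"], "isRecursive": True}},
     "policyItems": [{"accesses": [{"type": "read", "isAllowed": True}], "groups": ["analysts", "ops"]}]},
    {"name": "sales_db", "serviceType": "hive", "policyType": 0, "isEnabled": False,
     "service": "cm_hive_dr", "resources": {"database": {"values": ["sales"]}},
     "policyItems": [{"accesses": [{"type": "select", "isAllowed": True}], "groups": ["sales"]}]},
]})

def policy_key(policy):
    # Service names differ between clusters, so key on type + policy type + name.
    return (policy["serviceType"], policy["policyType"], policy["name"])

def access_body(policy):
    # Compare only what decides access; ids, guids and versions change on import.
    return json.dumps({"resources": policy["resources"],
                       "policyItems": policy["policyItems"]}, sort_keys=True)

def compare_exports(source_json, target_json):
    src = {policy_key(p): p for p in json.loads(source_json)["policies"]}
    dst = {policy_key(p): p for p in json.loads(target_json)["policies"]}
    report = {"missing": [], "disabled": [], "changed": []}
    for key, sp in src.items():
        tp = dst.get(key)
        if tp is None:
            report["missing"].append(sp["name"])
            continue
        if sp["isEnabled"] and not tp["isEnabled"]:
            report["disabled"].append(sp["name"])
        if access_body(sp) != access_body(tp):
            report["changed"].append(sp["name"])
    return report
```

Run `compare_exports` on real exports from the source and target Ranger services after a replication policy run; any non-empty list in the report points at a policy whose effective access control on the target differs from the source.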
You can choose to replicate only the Ranger policies and roles, or only the Ranger audit logs in HDFS during the Ranger replication policy creation process. The Ranger replication policy replicates from only one Ranger source service on the source cluster to only one Ranger destination service on the target cluster.
Some use cases where you can use Ranger replication policies are:
- when Ranger is used for file system-level access control for HDFS and Hive and you want to copy the Ranger policies to another cluster for backup purposes.
- when you want to move/replicate Ranger policies for Hive (SQL) or HBase data to another cluster for disaster recovery purposes.