Sentry to Ranger replication

During Hive replication, the Replication Manager migrates Sentry authorization policies into Ranger as part of the replication policy.

The Sentry service serves authorization metadata from the database-backed storage but does not handle actual privilege validation. The Hive and Impala services are clients of this service and it enforces Sentry privileges when the services are configured to use Sentry. Replication Manager allows administrators to migrate the existing Sentry permissions from the source CDH cluster to the Ranger policies in CDP Public Cloud.

When you create a replication policy, you can choose to migrate the Sentry policies for the resources that you want to migrate. When you run the policy, the resources and its Sentry policies are migrated to the destination cluster. To migrate the Sentry policies for the resources, select the Include Sentry Permissions with Metadata option in the Additional Settings page of the Create Replication Policy wizard.

The Sentry Permissions section of the Create Replication Policy wizard has the following options:

  • Include Sentry Permissions with Metadata - Select this option to migrate Sentry permissions during the replication job.
  • Exclude Sentry Permissions with Metadata - Select this option if you do not want to migrate Sentry permissions during the replication job.
  • Skip URI Privileges - Select this option if you do not want to include URI privileges when you migrate Sentry permissions. During migration, the URI privileges are translated to point to an equivalent location in S3. If the resources have a different location in Amazon S3, do not migrate the URI privileges because the URI privileges might not be valid.

The following image shows the Sentry Permissions section in the Create Replication Policy wizard:

The migration of Sentry policies into Ranger is performed in the following operations:

  • Export - The export operation runs in the source cluster. During this operation, the Sentry permissions are fetched and exported to a JSON file. This file might be in a local file system or HDFS or S3, based on the configuration.
  • Translate and Ingest - These operations take place on the target cluster. During the translate operation, the Sentry permissions are translated to a format that can be read by Ranger. The permissions are then imported into Ranger. When the permissions are imported, they are tagged with the source cluster name and the time that the ingest took place. After the import, the file containing the permissions is deleted.

When a Ranger policy is created for a resource, such as a database, table, or column, the policy name is derived from the resource name. For example, if the resource is Database:dinosaurs, table= theropods, then the derived policy name is database=dinosarus->table=theropods.

The priority for migrated policies is set to normal in Ranger. The normal priority allows you to create another policy for the same resource that overrides the policy that is imported from Sentry.