Sentry to Ranger Permissions

Because there is not a one-to-one mapping between Sentry privileges and Ranger service policies, the Sentry privileges are translated into their equivalents within Ranger service policies.

Read through the following points to see how Sentry privileges will appear in Ranger after the migration:

  • Sentry permissions that are granted to roles will be granted to groups in Ranger.
  • Sentry permissions that are granted to a parent object are granted to the child object as well. The migration process preserves the permissions that are applied to child objects. For example, a permission that is applied at the database level will also apply to the tables within that database.
  • Sentry OWNER privileges are translated to the Ranger ALL privilege.
  • Sentry OWNER WITH GRANT OPTION privileges are translated to Ranger ALL with Delegated Admin checked.
  • Sentry does not differentiate between tables and views. When view permissions are migrated, they are treated as table names.
  • Sentry privileges on URIs will use the object store location as the base location.

The table below shows how actions in Sentry will be applied to the corresponding action in Ranger:

Table 1. Sentry Actions to Ranger Actions

Sentry Action

Ranger Action

SELECT

SELECT

INSERT

UPDATE

CREATE

CREATE

REFRESH

REFRESH

ALL

ALL

SELECT with Grant

INSERT

INSERT with Grant

INSERT

CREATE with Grant

CREATE

ALL with Grant

ALL with Delegated Admin Checked