Customizing the authorization-migration-site.xml file
You can customize the default behavior of the Sentry to Ranger policy migration using a safety valve in Cloudera Manager.
authorization.migration.export.output_file = hdfs:///user/sentry/export-permissions/permissions.json
authorization.migration.ingest.is_dry_run = false
authorization.migration.role.permissions = true
authorization.migration.translate.url.privileges = false
authorization.migration.ingest.merge.ifexists = true
authorization.migration.export.target_services = HIVE,KAFKA
authorization.migration.migrate.url.privileges = true
authorization.migration.export.migration_objects = ""
authorization.migration.object.filter = ""
You can customize these configurations using the Ranger Admin Advanced Configuration Snippet (Safety Valve) for conf/authorization-migration-site.xml in Cloudera Manager.
For example, to update the location prefix in all URI privileges during the import, you must set the following properties:
authorization.migration.translate.url.privileges = true
authorization.migration.destination.location.prefix = hdfs://<new_cdp_nameservice>
To customize properties:
1. In Search, type authorization-migration-site.xml, then click
2. In Ranger-1 > Ranger Admin Default Group, click +(Add).
3. In Name, type a property name, such as authorization.migration.translate.url.privileges.
4. In Value, type a property value, such as true.
5. Click Save Changes.
6. Repeat steps 2-5 for each property that you want to customize.
Currently, when you run the Importing Sentry privileges into Ranger policies step to import the old Sentry grants into Ranger with the following configurations set in the Ranger Admin Advanced Configuration Snippet (Safety Valve) for conf/authorization-migration-site.xml:
authorization.migration.translate.url.privileges=true
and
authorization.migration.destination.location.prefix=[hdfs://ns1]
The file:// Sentry URI grants are created as hdfs:// URL policies in Ranger.
For example:
file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar
becomes
[hdfs://ns1/opt/cgfiles/common/jdbc/my_udf-0.2.2.jar]
Using the authorization.migration.url.ignore.scheme configuration, you can specify multiple comma-separated file system prefixes. URLs with the listed prefixes are not updated to the prefix given in the authorization.migration.destination.location.prefix property when Sentry privileges are imported into Ranger policies.
If authorization.migration.translate.url.privileges=true
and
authorization.migration.destination.location.prefix=[hdfs://ns1] are already set and you also set authorization.migration.url.ignore.scheme = file, then any URL policy with the file prefix is not replaced by hdfs://ns1 during import.
For example:
file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar
remains
file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar
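A small Python model of the URL rewrite described above, added here as an example and not Cloudera's migration code: it previews which Sentry URI grants would change scheme under a given combination of the three properties, so they can be reviewed before the import. The function names and the second sample URI are constructed, and replacing the scheme and authority while keeping the path is an assumption drawn from the file:// example.

```python
from urllib.parse import urlsplit


def translate_uri(uri, translate, dest_prefix, ignore_schemes=""):
    """Model the documented rewrite of one Sentry URI privilege.

    translate      -> authorization.migration.translate.url.privileges
    dest_prefix    -> authorization.migration.destination.location.prefix
    ignore_schemes -> authorization.migration.url.ignore.scheme (comma-separated)
    """
    if not translate or not dest_prefix:
        return uri
    ignored = {s.strip().lower() for s in ignore_schemes.split(",") if s.strip()}
    parts = urlsplit(uri)
    if parts.scheme.lower() in ignored:
        return uri  # scheme is listed in ignore.scheme: left untouched
    # Assumption: scheme and authority are replaced by the prefix, path is kept.
    return dest_prefix.rstrip("/") + "/" + parts.path.lstrip("/")


def scheme_changes(uris, translate, dest_prefix, ignore_schemes=""):
    """Return (before, after) pairs where the import would change the URI scheme,
    for example a local file:// grant that would become an hdfs:// policy."""
    changed = []
    for uri in uris:
        after = translate_uri(uri, translate, dest_prefix, ignore_schemes)
        if urlsplit(uri).scheme.lower() != urlsplit(after).scheme.lower():
            changed.append((uri, after))
    return changed


# Constructed sample input; the first URI is the example from the text above.
SAMPLE_URIS = [
    "file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar",
    "hdfs://old_ns/warehouse/dio_work",
]

if __name__ == "__main__":
    # Without ignore.scheme, the file:// grant is flagged for review.
    for before, after in scheme_changes(SAMPLE_URIS, True, "hdfs://ns1"):
        print(f"REVIEW {before} -> {after}")
    # With ignore.scheme = file, no grant changes scheme.
    print(scheme_changes(SAMPLE_URIS, True, "hdfs://ns1", "file"))
```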
Currently, during AuthzMigrator export, all Sentry data (databases, tables, and URLs) is exported from Sentry to permissions.json.
There is an option to export Sentry data only for given Hive objects (databases and tables and the respective URLs).
You can use the authorization.migration.export.migration_objects configuration property in authorization-migration-site.xml to provide Hive object details at the time of Sentry export.
When providing the configuration value, use the following format:
- single database → db={db_name}, e.g. db=dio_work
- single table → db=dio_work/tbl=ur_cdp_upgrade_ext (database and table should be separated by /)
- multiple databases → db=dio_work/tbl=.*,db=dio_work_2/tbl=.* (databases should be comma separated)
- multiple tables → db=dio_work/tbl=ur_cdp_upgrade_ext,db=dio_work/tbl=ur_cdp_upgrade_mngd
- all tables of database → db=dio_work/tbl=.*
- all databases and all tables → db=.*/tbl=.*
For example:
authorization.migration.export.migration_objects = db=dio_work/tbl=ur_cdp_upgrade_ext,db=dio_work/tbl=ur_cdp_upgrade_mngd