Customizing the authorization-migration-site.xml file

You can customize the default behavior of the Sentry to Ranger policy migration by using a safety valve in Cloudera Manager.

Ranger configurations expose a safety valve for authorization-migration-site.xml that lets you customize the properties controlling the migration of policies from Sentry to Ranger. Ranger embeds a default set of configurations in authorization-migration-site.xml, for example:
authorization.migration.export.output_file = hdfs:///user/sentry/export-permissions/permissions.json
authorization.migration.ingest.is_dry_run = false
authorization.migration.role.permissions = true
authorization.migration.translate.url.privileges = false
authorization.migration.ingest.merge.ifexists = true
authorization.migration.export.target_services = HIVE,KAFKA
authorization.migration.migrate.url.privileges = true
authorization.migration.export.migration_objects = ""
authorization.migration.object.filter = ""

You can customize these configurations using the Ranger Admin Advanced Configuration Snippet (Safety Valve) for conf/authorization-migration-site.xml in Cloudera Manager.

For example, you must set both of the following properties to update the location prefix in all URI privileges during the import:

authorization.migration.translate.url.privileges = true
authorization.migration.destination.location.prefix = hdfs://<new_cdp_nameservice>

To customize properties:

  1. In Cloudera Manager > Configuration > Search, type authorization-migration-site.xml, then click Search.
  2. In Ranger-1 > Ranger Admin Default Group, click +(Add).
  3. In Name, type a property name, such as authorization.migration.translate.url.privileges.
  4. In Value, type a property value, such as true.
  5. Click Save Changes.
  6. Repeat steps 2-5 for each property that you want to customize.
Each property/value pair that you save either adds a new property to authorization-migration-site.xml or overwrites the default value of an existing property.
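The following script is an added example, not Cloudera's code: it models what the procedure above produces. It assumes the safety valve writes each Name/Value pair as a Hadoop-style <property> element and that saved pairs override the embedded defaults, as the page states. The sanity checks at the end are this example's own heuristics (the pairing of translate.url.privileges with destination.location.prefix comes from the page; the dry-run reminder is a practitioner habit), not rules the migration tool enforces.

```python
"""Effective authorization-migration-site.xml after safety-valve overrides.

Added example, not Cloudera's code. Assumes the safety valve writes each
Name/Value pair as a Hadoop-style <property> element and that saved pairs
override the embedded defaults.
"""
import xml.etree.ElementTree as ET

# Default properties, as listed on this page.
DEFAULTS = {
    "authorization.migration.export.output_file":
        "hdfs:///user/sentry/export-permissions/permissions.json",
    "authorization.migration.ingest.is_dry_run": "false",
    "authorization.migration.role.permissions": "true",
    "authorization.migration.translate.url.privileges": "false",
    "authorization.migration.ingest.merge.ifexists": "true",
    "authorization.migration.export.target_services": "HIVE,KAFKA",
    "authorization.migration.migrate.url.privileges": "true",
    "authorization.migration.export.migration_objects": "",
    "authorization.migration.object.filter": "",
}

PREFIX_KEY = "authorization.migration.destination.location.prefix"
TRANSLATE_KEY = "authorization.migration.translate.url.privileges"
DRY_RUN_KEY = "authorization.migration.ingest.is_dry_run"


def effective_config(overrides):
    """Defaults with every saved safety-valve pair added or overwritten."""
    cfg = dict(DEFAULTS)
    cfg.update(overrides)
    return cfg


def to_hadoop_xml(props):
    """Render properties as a Hadoop <configuration> document."""
    root = ET.Element("configuration")
    for name, value in sorted(props.items()):
        prop = ET.SubElement(root, "property")
        ET.SubElement(prop, "name").text = name
        ET.SubElement(prop, "value").text = value
    return ET.tostring(root, encoding="unicode")


def parse_hadoop_xml(text):
    """Read a <configuration> document back into a dict (empty values kept)."""
    root = ET.fromstring(text)
    out = {}
    for prop in root.findall("property"):
        out[prop.findtext("name")] = prop.findtext("value") or ""
    return out


def sanity_check(cfg):
    """Pre-import checks; this example's heuristics, not tool-enforced rules.

    Each finding starts with the property it concerns.
    """
    findings = []
    translate = cfg.get(TRANSLATE_KEY, "false").lower() == "true"
    prefix = cfg.get(PREFIX_KEY, "")
    if translate and not prefix:
        findings.append(PREFIX_KEY + ": empty while URL translation is enabled; "
                        "the page sets these two properties together")
    if prefix and "://" not in prefix:
        findings.append(PREFIX_KEY + ": expected a scheme, e.g. hdfs://<nameservice>")
    if cfg.get(DRY_RUN_KEY, "false").lower() != "true":
        findings.append(DRY_RUN_KEY + ": false, so the import writes Ranger "
                        "policies; consider a dry run first to review them")
    return findings


if __name__ == "__main__":
    # The two overrides the page gives as its example; hdfs://ns1 is a sample value.
    cfg = effective_config({TRANSLATE_KEY: "true", PREFIX_KEY: "hdfs://ns1"})
    print(to_hadoop_xml(cfg))
    for finding in sanity_check(cfg):
        print("WARN", finding)
```

Run it to see the XML that the saved pairs would add to the file; the round-trip parser is there so the rendered document can be checked against the intended values before the import step is run.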

While running the Importing Sentry privileges into Ranger policies step (which imports the old Sentry grants into Ranger) with the following configuration in the Ranger Admin Advanced Configuration Snippet (Safety Valve) for conf/authorization-migration-site.xml:

authorization.migration.translate.url.privileges=true

and

authorization.migration.destination.location.prefix=hdfs://ns1

the prefix is applied to every URI privilege, so Sentry URI grants on file:// locations are also created as hdfs:// URL policies in Ranger. A grant on a local path therefore becomes a grant on the HDFS path of the same name, which may not exist or may not be the location you intended to authorize, so review the translated URL policies before relying on them.

For example:

file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar

becomes

hdfs://ns1/opt/cgfiles/common/jdbc/my_udf-0.2.2.jar

Using the authorization.migration.url.ignore.scheme property, you can list one or more comma-separated URI schemes (file system prefixes). URIs with a listed scheme are not rewritten to the authorization.migration.destination.location.prefix value while Sentry privileges are imported into Ranger policies.

If

authorization.migration.translate.url.privileges=true

and

authorization.migration.destination.location.prefix=hdfs://ns1

are already set, and you also set authorization.migration.url.ignore.scheme=file, then any URL policy whose URI uses the file scheme is not rewritten to hdfs://ns1 during import.

For example:

file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar

remains

file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar
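The script below is an added example, not the AuthzMigrator code: it models the translation rules the two passages above describe (translate.url.privileges, destination.location.prefix and url.ignore.scheme) so that the before/after mapping of a set of URI grants can be reviewed before the import is run. It assumes that translation keeps the path of each URI and replaces only its scheme and authority with the destination prefix, which is what the page's file:// to hdfs://ns1 example shows; the grants in SAMPLE_GRANTS other than the page's jar path, the role names and the old nameservice oldns are constructed.

```python
"""Model of URI-privilege translation during Sentry -> Ranger import.

Added example, not the AuthzMigrator code. Models the page's description:
with translate.url.privileges=true the scheme and authority of each URI
privilege are replaced by destination.location.prefix, unless the URI's
scheme is listed in url.ignore.scheme. Sample grants are constructed.
"""
from urllib.parse import urlsplit

TRANSLATE_KEY = "authorization.migration.translate.url.privileges"
PREFIX_KEY = "authorization.migration.destination.location.prefix"
IGNORE_KEY = "authorization.migration.url.ignore.scheme"

# Constructed (role, uri) grants; the first URI is the page's own example,
# the nameservice "oldns" is a placeholder for the pre-upgrade cluster.
SAMPLE_GRANTS = [
    ("analyst", "file:///opt/cgfiles/common/jdbc/my_udf-0.2.2.jar"),
    ("etl", "hdfs://oldns/user/hive/warehouse/dio_work.db"),
    ("etl", "hdfs://oldns/data/landing/"),
]


def parse_ignore_schemes(value):
    """Comma-separated scheme list -> set, e.g. 'file, s3a' -> {'file', 's3a'}."""
    return {s.strip().lower() for s in value.split(",") if s.strip()}


def translate_uri(uri, cfg):
    """URI as this model expects it to appear in the Ranger URL policy."""
    if cfg.get(TRANSLATE_KEY, "false").lower() != "true":
        return uri
    parts = urlsplit(uri)
    if parts.scheme.lower() in parse_ignore_schemes(cfg.get(IGNORE_KEY, "")):
        return uri  # listed scheme: left untouched
    prefix = cfg[PREFIX_KEY].rstrip("/")
    return prefix + parts.path  # keep the path, swap scheme and authority


def review_translations(grants, cfg):
    """Before/after rows, flagging every grant whose scheme changes.

    A file:// grant that becomes hdfs:// now authorizes an HDFS path that may
    not exist or may belong to a different dataset, so flagged rows deserve
    a human look before the import is run without dry-run.
    """
    rows = []
    for role, uri in grants:
        new = translate_uri(uri, cfg)
        rows.append({
            "role": role,
            "before": uri,
            "after": new,
            "review": urlsplit(uri).scheme.lower() != urlsplit(new).scheme.lower(),
        })
    return rows


if __name__ == "__main__":
    cfg = {TRANSLATE_KEY: "true", PREFIX_KEY: "hdfs://ns1"}
    for row in review_translations(SAMPLE_GRANTS, cfg):
        flag = "REVIEW" if row["review"] else "ok"
        print(f"{flag:6} {row['role']:8} {row['before']} -> {row['after']}")
    cfg[IGNORE_KEY] = "file"
    print("with url.ignore.scheme=file:")
    for row in review_translations(SAMPLE_GRANTS, cfg):
        print(f"{'ok':6} {row['role']:8} {row['before']} -> {row['after']}")
```

With the prefix set and no ignore list, the jar grant is flagged because its scheme changes from file to hdfs; adding url.ignore.scheme=file leaves it as a file:// policy while the hdfs://oldns grants still move to hdfs://ns1.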

Currently, during the AuthzMigrator export, all Sentry data (databases, tables, and URLs) is exported from Sentry to permissions.json (the file named by authorization.migration.export.output_file).

You can instead export Sentry data only for specified Hive objects (databases, tables, and their respective URLs).

Use the authorization.migration.export.migration_objects property in authorization-migration-site.xml to specify the Hive objects at the time of the Sentry export.

Use the following format for the property value:

  • single database → db={db_name}, for example db=dio_work
  • single table → db=dio_work/tbl=ur_cdp_upgrade_ext (separate the database and table with /)
  • multiple databases → db=dio_work/tbl=.*,db=dio_work_2/tbl=.* (separate entries with commas)
  • multiple tables → db=dio_work/tbl=ur_cdp_upgrade_ext,db=dio_work/tbl=ur_cdp_upgrade_mngd
  • all tables of a database → db=dio_work/tbl=.*
  • all databases and all tables → db=.*/tbl=.*

For example:

authorization.migration.export.migration_objects = db=dio_work/tbl=ur_cdp_upgrade_ext,db=dio_work/tbl=ur_cdp_upgrade_mngd
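The script below is an added example, not the AuthzMigrator code: it parses the migration_objects format listed above and applies it to a constructed set of Sentry database and table objects, so you can check which objects a given value would select before running the export. Two assumptions are this example's own and not stated on the page: because the page uses .*, each db and tbl part is treated as a regular expression matched against the whole name; and a db-only entry such as db=dio_work selects the database object but none of its tables (use db=dio_work/tbl=.* for those, as the page shows). The database and table names other than the page's own are constructed.

```python
"""Parser for authorization.migration.export.migration_objects.

Added example, not the AuthzMigrator code. Reads the format on this page
(db=<pattern>[/tbl=<pattern>], comma separated). Assumptions: patterns are
regular expressions matched against the whole name; a db-only entry selects
the database object only. The sample objects are constructed.
"""
import re

# Constructed Sentry objects as (database, table); table None = the database.
SAMPLE_OBJECTS = [
    ("dio_work", None),
    ("dio_work", "ur_cdp_upgrade_ext"),
    ("dio_work", "ur_cdp_upgrade_mngd"),
    ("dio_work", "scratch"),
    ("dio_work_2", None),
    ("dio_work_2", "events"),
    ("finance", "ledger"),
]


def parse_migration_objects(value):
    """Return [(db_regex, tbl_regex_or_None), ...]; '' means no filter."""
    specs = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        db_part, _, tbl_part = entry.partition("/")
        if not db_part.startswith("db="):
            raise ValueError("entry must start with db=: %r" % entry)
        db_re = re.compile(db_part[len("db="):])
        tbl_re = None
        if tbl_part:
            if not tbl_part.startswith("tbl="):
                raise ValueError("table part must start with tbl=: %r" % entry)
            tbl_re = re.compile(tbl_part[len("tbl="):])
        specs.append((db_re, tbl_re))
    return specs


def is_selected(db, tbl, specs):
    """True if the database (tbl=None) or table is covered by some spec.

    An empty spec list, the page's default "", selects every object. A
    database is selected by any entry that names it, since exporting one
    of its tables needs the database as well.
    """
    if not specs:
        return True
    for db_re, tbl_re in specs:
        if not db_re.fullmatch(db):
            continue
        if tbl is None:
            return True
        if tbl_re is not None and tbl_re.fullmatch(tbl):
            return True
    return False


def select_objects(objects, value):
    """Objects the export would keep for the given property value."""
    specs = parse_migration_objects(value)
    return [o for o in objects if is_selected(o[0], o[1], specs)]


if __name__ == "__main__":
    value = "db=dio_work/tbl=ur_cdp_upgrade_ext,db=dio_work/tbl=ur_cdp_upgrade_mngd"
    for db, tbl in select_objects(SAMPLE_OBJECTS, value):
        print(db if tbl is None else f"{db}.{tbl}")
```

Running it with the page's two-table value prints dio_work, dio_work.ur_cdp_upgrade_ext and dio_work.ur_cdp_upgrade_mngd; the scratch table and the other databases are left out of the export.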