Importing Sentry privileges into Ranger policies

How to complete the process of translating Sentry privileges into Ranger policies.

No one-to-one mapping between Sentry privileges and Ranger service policies exists. Upgrading your platform involves translating Sentry privileges to their equivalents within Ranger service policies. After upgrading Cloudera Manager and your cluster, this post-upgrade step completes the translation process.

  1. In Ranger > Actions, click Import Sentry Policies.
  2. Read the following points that describe how Sentry privileges appear in Ranger after the migration:
    • Sentry permissions that are granted to roles are granted to groups in Ranger.
    • Sentry permissions that are granted to a parent object are granted to the child object as well. The migration process preserves the permissions that are applied to child objects. For example, a permission that is applied at the database level also applies to the tables within that database.
    • Sentry OWNER privileges are translated to the Ranger OWNER privilege.
    • Sentry OWNER WITH GRANT OPTION privileges are translated to Ranger OWNER with Delegated Admin checked.
    • Sentry does not differentiate between tables and views. When view permissions are migrated, they are treated as table names.
    • Sentry privileges on URIs use the object store location as the base location.
    • If your cluster contains the Kafka service and the Kafka sentry policy had "action": "ALL" permission, the migrated Ranger policy for "cluster" resource will be missing the "alter" permission. This is only applicable for "cluster" resource. You need to add the policy manually after the upgrade. This missing permission does not have any functional impact. Adding the "alter" permission post upgrade is needed only for completeness because the 'configure' permission allow alter operations.
    • Sentry "alter" permission on cluster and topic is translated to "configure" in Ranger.

    The following table shows how actions in Sentry translate to corresponding actions in Ranger:

    Table 1. Sentry Actions to Ranger Actions

    Sentry Action

    Ranger Action

    SELECT

    SELECT

    INSERT

    UPDATE

    CREATE

    CREATE

    REFRESH

    REFRESH

    ALL

    ALL

    SELECT with Grant

    SELECT

    INSERT with Grant

    UPDATE

    CREATE with Grant

    CREATE

    ALL with Grant

    ALL with Delegated Admin Checked

    ALTER CONFIGURE