Migrating to Starburst Enterprise 462-e or later
Starburst Enterprise Platform (SEP) 462-e includes changes to configurations for the Apache Ranger integration.
As of 462-e, Hive Ranger connector-level access control is deprecated and replaced with Hive Ranger system-level access control. If you use Apache Ranger with SEP to control access to a Hive or Delta Lake catalog, follow this guide to migrate to 462-e or later.
Before beginning this migration, consider the following limitations:
- hive-based-ranger does not support policy management with SQL.
- Column masks for partitioning columns are not supported. No error message is shown by hive-based-ranger when a query tries to select a masked column which is a partitioning column.
Contact Starburst Support if you need additional help with these limitations.
Complete Ranger migration
To migrate an Apache Ranger integration to SEP version 462-e and later:
1. Create a new access-control.properties file with the following example properties, specifying catalogs that were using Ranger access control:

       access-control.name=hive-based-ranger
       ranger.hive-based.catalogs=hive-catalog,delta-lake-catalog
       ranger.hive-based.fallback-access-control=ALLOW_ALL

   Note: If you already have an access-control.properties file, you can use access-control.config-files to specify multiple system access control systems. It should contain a comma-separated list of the access control property files to use.

2. Move all Ranger-related properties from the hive.properties file to the access-control.properties file.

   An example hive.properties file before the migration:

       connector.name=hive
       hive.metastore.uri=thrift://hive-metastore-node:9083
       hive.metastore.authentication.type=KERBEROS
       hive.metastore.service.principal=hive/hive-metastore-node@EXAMPLE.COM
       hive.metastore.client.principal=hive/sep-server-node@EXAMPLE.COM
       hive.metastore.client.keytab=/etc/hive/conf/hive.keytab
       hive.hdfs.authentication.type=KERBEROS
       hive.hdfs.impersonation.enabled=false
       hive.hdfs.trino.principal=hdfs/sep-server-node@EXAMPLE.COM
       hive.hdfs.trino.keytab=/etc/hadoop/conf/hdfs.keytab
       hive.security=ranger
       ranger.policy-rest-url=https://ranger-host:6182
       ranger.service-name=hive
       ranger.authentication-type=KERBEROS
       ranger.kerberos-principal=sep-server/sep-server-node@EXAMPLE.COM
       ranger.kerberos-keytab=/etc/sep/conf/sep-server.keytab
       ranger.plugin-policy-ssl-config-file=/etc/hive/conf/ranger-policymgr-ssl.xml

   An example hive.properties file after the migration:

       connector.name=hive
       hive.metastore.uri=thrift://hive-metastore-node:9083
       hive.metastore.authentication.type=KERBEROS
       hive.metastore.service.principal=hive/hive-metastore-node@EXAMPLE.COM
       hive.metastore.client.principal=hive/sep-server-node@EXAMPLE.COM
       hive.metastore.client.keytab=/etc/hive/conf/hive.keytab
       hive.hdfs.authentication.type=KERBEROS
       hive.hdfs.impersonation.enabled=false
       hive.hdfs.trino.principal=hdfs/sep-server-node@EXAMPLE.COM
       hive.hdfs.trino.keytab=/etc/hadoop/conf/hdfs.keytab

   An example access-control.properties file after the migration:

       access-control.name=hive-based-ranger
       ranger.hive-based.catalogs=hive-catalog
       ranger.hive-based.fallback-access-control=ALLOW_ALL
       ranger.policy-rest-url=https://ranger-host:6182
       ranger.service-name=hive
       ranger.authentication-type=KERBEROS
       ranger.kerberos-principal=sep-server/sep-server-node@EXAMPLE.COM
       ranger.kerberos-keytab=/etc/sep/conf/sep-server.keytab
       ranger.plugin-policy-ssl-config-file=/etc/hive/conf/ranger-policymgr-ssl.xml

3. Verify you are not using the deprecated ranger-system-access-control value or the legacy value legacy-ranger-system-access-control for the access-control.name configuration property. If you are, then remove the entire file and add the following property to the new access-control.properties file created in step 1:

       access-control.name=hive-based-ranger

See the Hive Ranger documentation for more details about Hive, Delta Lake, and Iceberg access control with Apache Ranger.
There are no required changes related to Ranger policies. Global Ranger is unaffected. Contact Starburst Support in the event of any issues.
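
The migration steps above can be scripted and checked before a restart. The following is an added example, not Starburst code: it splits a pre-462-e hive.properties into the two files the guide describes and flags the deprecated access-control.name values. The function names, the single-catalog handling and the simple key=value parsing are assumptions; the ALLOW_ALL default is copied from the guide's example.

```python
# Added example, not Starburst code. Assumes plain key=value property lines.
DEPRECATED_NAMES = {"ranger-system-access-control", "legacy-ranger-system-access-control"}

# Constructed sample: a shortened form of the "before" hive.properties above.
SAMPLE_BEFORE = """\
connector.name=hive
hive.metastore.uri=thrift://hive-metastore-node:9083
hive.security=ranger
ranger.policy-rest-url=https://ranger-host:6182
ranger.service-name=hive
"""


def parse_properties(text):
    """Parse key=value lines into a dict, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def migrate(hive_text, catalog_name, fallback="ALLOW_ALL"):
    """Return (catalog properties, access-control properties) after migration."""
    hive = parse_properties(hive_text)
    if hive.get("hive.security") != "ranger":
        raise ValueError("hive.security=ranger not set; nothing to migrate")
    access = {"access-control.name": "hive-based-ranger",
              "ranger.hive-based.catalogs": catalog_name,
              "ranger.hive-based.fallback-access-control": fallback}
    catalog = {}
    for key, value in hive.items():
        if key.startswith("ranger."):
            access[key] = value        # moves to access-control.properties
        elif key != "hive.security":
            catalog[key] = value       # stays in the catalog file
    return catalog, access


def uses_deprecated_name(access_text):
    """True if access-control.name holds a deprecated or legacy Ranger value."""
    return parse_properties(access_text).get("access-control.name") in DEPRECATED_NAMES


if __name__ == "__main__":
    for props in migrate(SAMPLE_BEFORE, "hive-catalog"):
        print("\n".join(f"{k}={v}" for k, v in props.items()), end="\n\n")
```

Review the generated access-control.properties by hand before deploying it, in particular the fallback setting and the catalog list.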