Migrating to Starburst Enterprise 462-e or later#

Starburst Enterprise Platform (SEP) 462-e includes changes to configurations for the Apache Ranger integration.

As of 462-e, Hive Ranger connector-level access control is deprecated and replaced with Hive Ranger system-level access control. If you use Apache Ranger with SEP to control access to a Hive or Delta Lake catalog, follow this guide to migrate to 462-e or later.

Before beginning this migration, consider the following limitations:

  • hive-based-ranger does not support policy management with SQL.

  • Column masks for partitioning columns are not supported. No error message is shown by hive-based-ranger when a query tries to select a masked column which is a partitioning column.

Contact Starburst Support if you need additional help with these limitations.

Complete Ranger migration#

To migrate an Apache Ranger integration to SEP version 462-e and later:

  1. Create a new access-control.properties file with the following example properties, specifying catalogs that were using Ranger access control:

    access-control.name=hive-based-ranger
    ranger.hive-based.catalogs=hive-catalog,delta-lake-catalog
    ranger.hive-based.fallback-access-control=ALLOW_ALL
    

    Note

    If you already have an access-control.properties file, you can use access-control.config-files to specify multiple system access control systems. It should contain a comma-separated list of the access control property files to use.

  2. Move all Ranger-related properties from the hive.properties file to the access-control.properties file:

    An example hive.properties file before the migration:

    connector.name=hive
    hive.metastore.uri=thrift://hive-metastore-node:9083
    
    hive.metastore.authentication.type=KERBEROS
    hive.metastore.service.principal=hive/hive-metastore-node@EXAMPLE.COM
    hive.metastore.client.principal=hive/sep-server-node@EXAMPLE.COM
    hive.metastore.client.keytab=/etc/hive/conf/hive.keytab
    
    hive.hdfs.authentication.type=KERBEROS
    hive.hdfs.impersonation.enabled=false
    hive.hdfs.trino.principal=hdfs/sep-server-node@EXAMPLE.COM
    hive.hdfs.trino.keytab=/etc/hadoop/conf/hdfs.keytab
    
    hive.security=ranger
    
    ranger.policy-rest-url=https://ranger-host:6182
    ranger.service-name=hive
    
    ranger.authentication-type=KERBEROS
    ranger.kerberos-principal=sep-server/sep-server-node@EXAMPLE.COM
    ranger.kerberos-keytab=/etc/sep/conf/sep-server.keytab
    ranger.plugin-policy-ssl-config-file=/etc/hive/conf/ranger-policymgr-ssl.xml
    

    An example hive.properties file after the migration:

    connector.name=hive
    hive.metastore.uri=thrift://hive-metastore-node:9083
    
    hive.metastore.authentication.type=KERBEROS
    hive.metastore.service.principal=hive/hive-metastore-node@EXAMPLE.COM
    hive.metastore.client.principal=hive/sep-server-node@EXAMPLE.COM
    hive.metastore.client.keytab=/etc/hive/conf/hive.keytab
    
    hive.hdfs.authentication.type=KERBEROS
    hive.hdfs.impersonation.enabled=false
    hive.hdfs.trino.principal=hdfs/sep-server-node@EXAMPLE.COM
    hive.hdfs.trino.keytab=/etc/hadoop/conf/hdfs.keytab
    

    An example access-control.properties file after the migration:

    access-control.name=hive-based-ranger
    ranger.hive-based.catalogs=hive-catalog
    ranger.hive-based.fallback-access-control=ALLOW_ALL
    
    ranger.policy-rest-url=https://ranger-host:6182
    ranger.service-name=hive
    
    ranger.authentication-type=KERBEROS
    ranger.kerberos-principal=sep-server/sep-server-node@EXAMPLE.COM
    ranger.kerberos-keytab=/etc/sep/conf/sep-server.keytab
    ranger.plugin-policy-ssl-config-file=/etc/hive/conf/ranger-policymgr-ssl.xml
    
  3. Verify you are not using the deprecated ranger-system-access-control value or the legacy value legacy-ranger-system-access-control for the access-control.name configuration property. If you are, then remove the entire file and add the following property to the new access-control.properties file created in step 1:

    access-control.name=hive-based-ranger
    

See the Hive Ranger documentation for more details about Hive, Delta Lake, and Iceberg access control with Apache Ranger.

There are no required changes related to Ranger policies. Global Ranger is unaffected. Contact Starburst Support in the event of any issues.