Starburst Galaxy

    Import policies from Apache Ranger

    Apache Ranger is a tool to manage access control policies for Hadoop/Hive and can be integrated with Starburst Enterprise platform (SEP) as an access control system. The Apache Ranger policy import tool facilitates migration to Starburst Galaxy by importing roles, tags, and policies from Ranger.

    Requirements

    The requirements for Apache Ranger policy import are:

    • The policies must be from a Hive or SEP service.

    • The Apache Ranger version must be 2.1.0 or newer to import roles and policies, and 2.3.0 or newer to import tags.

    Set up an Apache Ranger sync job

    1. From the Partner connect pane, select the Apache Ranger tile from the Authorization category.

    2. In the dialog, enter your Ranger URL, port number, username, and password.

    3. Select one or more Ranger services that you would like to import policies from. Click + Add service to add another service. Policy import is supported for SEP and Hive services only. All other service types are ignored.

    4. Use the Additional settings section to further configure your policy sync.

    5. In the Schedule section, you can choose to sync policies once, or on a recurring schedule. Select a timezone from the drop-down menu, then select a frequency or enter a cron expression to set a schedule for the sync to run. For more details and tips on writing cron expressions, see Crontab Guru.

    6. Click Test connection to check that Galaxy is able to connect to Apache Ranger.

    7. Click Create.

    After the sync is completed, click the Apache Ranger tile to display a list of Apache Ranger policies that are not accepted.

    Newly imported roles are listed in the roles pane with “Role imported from Ranger” as the description. Roles in Ranger are imported as roles with the same name, users are imported as roles that are prefixed with user_, and groups are imported as roles that are prefixed with group_.

    Click on any of these roles and navigate to the Policies tab to view imported policies.

    Resource mapping

    The following sections describe how Ranger resource types map to Galaxy entities for SEP and Hive services:

    Starburst Enterprise

    | Ranger resource type | Galaxy entity |
    | --- | --- |
    | Catalog | Catalog |
    | Schema | Schema |
    | Table | Table |
    | Column | Column |

    Policies with any other resource types are not imported. If a catalog listed in the Ranger policy does not exist in Galaxy, that catalog is ignored but the rest of the policy is still imported.

    Hive

    | Ranger resource type | Galaxy entity |
    | --- | --- |
    | Database | Schema |
    | Table | Table |
    | Column | Column |

    Hive policy resources are imported under a catalog in Galaxy that matches the name of the service. If no such catalog exists, then the policy is not imported.

    The global resource type is ignored. Policies with any other resource types are not imported.

    Limitations

    Apache Ranger has several features that are not compatible with Galaxy:

    • Security zones: Policies using security zones are not imported.

    • ALLOW/DENY exceptions: Galaxy does not support exceptions to privileges.

    • Variables and macros: Policies using variables and macros are not imported.

    • Override priority: Policies with override priority are not imported.

    • Validity schedules: Policies with validity schedules are not imported.

    • Column wildcards: Policies with wildcards in column names are not imported. Wildcards in other resource names are imported.

    • Conditions: Policies with conditions are not imported.

    • Custom data masks: Policies using custom data masks are not imported.

    • Tag attributes: Tag attributes are ignored.
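
    A pre-import audit over exported Ranger policy JSON, applying the resource mapping and limitations listed above so that policies the import would skip or change are known before the sync runs. This is an added example, not Starburst or Apache Ranger code. The field names follow Ranger's policy JSON model; the function name, the `sep`/`hive` labels, the macro pattern, and the treatment of a bare `*` column as "all columns" are assumptions.

```python
import re

# Importable resource types per the page; "sep"/"hive" are labels for this example.
IMPORTABLE = {"sep": {"catalog", "schema", "table", "column"},
              "hive": {"database", "table", "column"}}
MACRO = re.compile(r"\{[^}]+\}")  # assumed macro/variable syntax, e.g. {USER}
ITEM_KEYS = ("policyItems", "denyPolicyItems", "dataMaskPolicyItems",
             "rowFilterPolicyItems")


def review_reasons(policy, kind, galaxy_catalogs=()):
    """List the page's mapping rules and limitations that this policy hits."""
    res = dict(policy.get("resources") or {})
    reasons = []
    if kind == "hive":
        res.pop("global", None)  # page: the global resource type is ignored
        if policy.get("service") not in galaxy_catalogs:
            reasons.append("no catalog named after the Hive service")
    extra = sorted(set(res) - IMPORTABLE[kind])
    if extra:
        reasons.append("unsupported resource type: " + ", ".join(extra))
    if policy.get("zoneName"):
        reasons.append("security zone")
    if policy.get("allowExceptions") or policy.get("denyExceptions"):
        reasons.append("ALLOW/DENY exceptions")
    if any(MACRO.search(v) for r in res.values() for v in r.get("values", [])):
        reasons.append("variables or macros")
    if policy.get("policyPriority", 0) == 1:  # 1 = override in Ranger
        reasons.append("override priority")
    if policy.get("validitySchedules"):
        reasons.append("validity schedule")
    # Assumption: a bare "*" means "all columns" and is not a wildcard name.
    cols = res.get("column", {}).get("values", [])
    if any(c != "*" and ("*" in c or "?" in c) for c in cols):
        reasons.append("column wildcard")
    items = [i for k in ITEM_KEYS for i in policy.get(k) or []]
    if policy.get("conditions") or any(i.get("conditions") for i in items):
        reasons.append("conditions")
    if any((i.get("dataMaskInfo") or {}).get("dataMaskType") == "CUSTOM"
           for i in policy.get("dataMaskPolicyItems") or []):
        reasons.append("custom data mask")
    return reasons


# Constructed sample policy in the shape of a Ranger policy JSON export.
SAMPLE = {"name": "pii_mask", "service": "hive_prod", "policyPriority": 1,
          "resources": {"database": {"values": ["sales"]},
                        "table": {"values": ["cust_*"]},
                        "column": {"values": ["ssn*"]}},
          "dataMaskPolicyItems": [{"dataMaskInfo": {"dataMaskType": "CUSTOM"}}]}
```

    Calling `review_reasons(SAMPLE, "hive", {"hive_prod"})` returns the limitations the sample hits; an empty list means none of the rules above applies to that policy.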