Transitioning the Sentry service to Apache Ranger

Before transitioning your cluster to CDP Private Cloud Base, you must prepare the Apache Sentry authorization privileges so they can be converted to Apache Ranger permissions. Apache Ranger supports components such as HDFS, Hive, and YARN. Apache Ranger functions as a centralized security administrator and provides greater access controls and auditing capabilities.

Perform the following steps after you have upgraded Cloudera Manager to version 7.1 or higher:

  1. Verify that the HDFS service is in the Start state.

    Starting from Cloudera Manager 7.4.4, the Export Sentry Permissions command is executed as part of the upgrade flow, which requires the HDFS service to be in the Start state.

    If you are using Cloudera Manager 7.3.1, 7.2.4, or any Cloudera Manager 7.1.x version, go to the Sentry service and select Actions > Export Permissions to export the Sentry permissions.

  2. Make sure a MySQL, Oracle, or PostgreSQL database instance is running and available to be used by Ranger before you create a new cluster or upgrade your cluster from CDH to Cloudera Runtime. See the links below for procedures to set up these databases.
  3. After you have set up the database, you can continue upgrading the cluster.

After upgrading Cloudera Manager and the cluster, you must import Sentry privileges using Ranger so that Sentry privileges translate to Ranger service policies. For more information about completing this translation process, see Importing Sentry privileges into Ranger policies.