Skip to content

Commit b7f30c1

Browse files
authored
Merge pull request #285588 from sreekzz/raanger-doc
New page Ranger 5.1 Migration
2 parents a539141 + a63d546 commit b7f30c1

File tree

4 files changed

+80
-1
lines changed

4 files changed

+80
-1
lines changed

articles/hdinsight/TOC.yml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -170,7 +170,9 @@ items:
170170
- name: Migrate to granular role-based access for cluster configurations
171171
href: ./hdinsight-migrate-granular-access-cluster-configurations.md
172172
- name: Ambari user configs migration
173-
href: ./migrate-ambari-recent-version-hdinsight.md
173+
href: ./migrate-ambari-recent-version-hdinsight.md
174+
- name: Upgrade to Apache Ranger in Azure HDInsight
175+
href: ./hdinsight-ranger-5-1-migration.md
174176
- name: Hadoop
175177
items:
176178
- name: Motivation and benefits
Lines changed: 77 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,77 @@
1+
---
2+
title: Upgrade to Apache Ranger in Azure HDInsight
3+
description: Learn how to upgrade to Apache Ranger in Azure HDInsight
4+
ms.service: azure-hdinsight
5+
ms.topic: how-to
6+
ms.date: 09/10/2024
7+
---
8+
9+
# Upgrade to Apache Ranger in Azure HDInsight
10+
11+
HDInsight 5.1 has Apache Ranger version 2.3.0, which is major version upgrade from 1.2.0 HDI 4.1. [Ranger 2.3.0](https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.3.0+-+Release+Notes) has multiple improvements, features, and DB schema changes.
12+
13+
## Behavioral changes
14+
15+
Hive Ranger permissions - In 5.1 stack for hive, default hive ranger policies have been added which allow all users to
16+
17+
* Create a database.
18+
* Provide all privileges on default database tables and columns.  
19+
20+
This is different from 4.0 stack where these default policies aren't present.
21+
 
22+
This change has been introduced in OSS (open-source software) ranger: [Create Default Policies for Hive Databases - default, Information_schema](https://issues.apache.org/jira/browse/RANGER-2539).
23+
24+
Ranger User Interface in HDInsight 4.0 and earlier versions:
25+
26+
:::image type="content" source="./media/hdinsight-ranger-5-1-migration/ranger-user-interface.png" alt-text="Screenshot showing Ranger User Interface in HDInsight 4.0." border="true" lightbox="./media/hdinsight-ranger-5-1-migration/ranger-user-interface.png":::
27+
28+
Ranger User Interface in HDInsight 5.1:
29+
30+
:::image type="content" source="./media/hdinsight-ranger-5-1-migration/ranger-user-interface-new.png" alt-text="Screenshot showing Ranger User Interface in HDInsight 5.1." border="true" lightbox="./media/hdinsight-ranger-5-1-migration/ranger-user-interface-new.png":::
31+
32+
> [!NOTE]
33+
> The default policy **all databases** have public group access enabled by default from HDInsight 5.1.
34+
35+
### What does this mean for customers onboarding to 5.1
36+
37+
They'll start seeing that new users added to the cluster via LDAP sync via AADS or internal users to the cluster have privileges to create a new database and read write privileges on default database tables and columns.  
38+
39+
This behavior Is different from 4.0 clusters. Hence if they need to disallow this behavior and have the default permissions same as 4.0, it's required to:
40+
41+
* Disable the **all-databases** policy on ranger UI or edit **all-database** policy to remove **public** group from policy.
42+
* Remove **public** group from **default database tables columns** policy on ranger UI.  
43+
44+
45+
Ranger UI is available by clicking on navigating to ranger component and clicking on ranger UI on right side.
46+
47+
### User Interface differences
48+
49+
* Ranger admin URL has new UI and looks & feel. There's option to switch to the classic Ranger 1.2.0 UI as well.
50+
51+
* Root Service of Hive renamed to Hadoop SQL.
52+
53+
* Hive/Hadoop SQL also has new capabilities of adding roles under Ranger.
54+
55+
## Migration method recommendations
56+
57+
As migration path to HDInsight 5.1, the Ranger policies migration between the clusters is recommended only through Ranger import/export options.
58+
59+
> [!NOTE]
60+
> Reuse of HDInsight 4.1 Ranger database in HDInsight 5.1 Ranger service configurations isn't recommended. Ranger service would fail to restart with following exception due to differences in db schema.
61+
62+
```
63+
2023-11-01 12:47:20,295 [JISQL] /usr/lib/jvm/lib/mssql-jdbc-7.4.1.jre8.jar:/usr/hdp/current/ranger-admin/jisql/lib/\* org.apache.util.sql.Jisql -user ranger -p '\*\*\*\*\*\*\*\*' -driver mssql -cstring jdbc:sqlserver://xxx\;databaseName=ranger -noheader -trim -c \; -query "delete from x\_db\_version\_h where version = '040' and active = 'N' and updated\_by=xxx.com';"
64+
2023-11-01 12:47:21,095 [E] 040-modify-unique-constraint-on-policy-table.sql import failed!
65+
```
66+
67+
## Migration steps
68+
69+
Steps to import/export.
70+
71+
1. Go to the older adults 4.0 clusters ranger page and select on export.
72+
73+
1. Save the file.
74+
75+
1. On new 5.1 cluster, open ranger and import the same file created in step 2.
76+
77+
1. Map the services appropriately and set the override flag.
197 KB
Loading
183 KB
Loading

0 commit comments

Comments
 (0)