|
| 1 | +--- |
| 2 | +title: Upgrade to Apache Ranger in Azure HDInsight |
| 3 | +description: Learn how to upgrade to Apache Ranger in Azure HDInsight |
| 4 | +ms.service: azure-hdinsight |
| 5 | +ms.topic: how-to |
| 6 | +ms.date: 09/10/2024 |
| 7 | +--- |
| 8 | + |
| 9 | +# Upgrade to Apache Ranger in Azure HDInsight |
| 10 | + |
| 11 | +HDInsight 5.1 has Apache Ranger version 2.3.0, which is major version upgrade from 1.2.0 HDI 4.1. [Ranger 2.3.0](https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.3.0+-+Release+Notes) has multiple improvements, features, and DB schema changes. |
| 12 | + |
| 13 | +## Behavioral changes |
| 14 | + |
| 15 | +Hive Ranger permissions - In 5.1 stack for hive, default hive ranger policies have been added which allow all users to |
| 16 | + |
| 17 | +* Create a database. |
| 18 | +* Provide all privileges on default database tables and columns. |
| 19 | + |
| 20 | +This is different from 4.0 stack where these default policies aren't present. |
| 21 | + |
| 22 | +This change has been introduced in OSS (open-source software) ranger: [Create Default Policies for Hive Databases - default, Information_schema](https://issues.apache.org/jira/browse/RANGER-2539). |
| 23 | + |
| 24 | +Ranger User Interface in HDInsight 4.0 and earlier versions: |
| 25 | + |
| 26 | +:::image type="content" source="./media/hdinsight-ranger-5-1-migration/ranger-user-interface.png" alt-text="Screenshot showing Ranger User Interface in HDInsight 4.0." border="true" lightbox="./media/hdinsight-ranger-5-1-migration/ranger-user-interface.png"::: |
| 27 | + |
| 28 | +Ranger User Interface in HDInsight 5.1: |
| 29 | + |
| 30 | +:::image type="content" source="./media/hdinsight-ranger-5-1-migration/ranger-user-interface-new.png" alt-text="Screenshot showing Ranger User Interface in HDInsight 5.1." border="true" lightbox="./media/hdinsight-ranger-5-1-migration/ranger-user-interface-new.png"::: |
| 31 | + |
| 32 | +> [!NOTE] |
| 33 | +> The default policy **all databases** have public group access enabled by default from HDInsight 5.1. |
| 34 | +
|
| 35 | +### What does this mean for customers onboarding to 5.1 |
| 36 | + |
| 37 | +They'll start seeing that new users added to the cluster via LDAP sync via AADS or internal users to the cluster have privileges to create a new database and read write privileges on default database tables and columns. |
| 38 | + |
| 39 | +This behavior Is different from 4.0 clusters. Hence if they need to disallow this behavior and have the default permissions same as 4.0, it's required to: |
| 40 | + |
| 41 | +* Disable the **all-databases** policy on ranger UI or edit **all-database** policy to remove **public** group from policy. |
| 42 | +* Remove **public** group from **default database tables columns** policy on ranger UI. |
| 43 | + |
| 44 | + |
| 45 | +Ranger UI is available by clicking on navigating to ranger component and clicking on ranger UI on right side. |
| 46 | + |
| 47 | +### User Interface differences |
| 48 | + |
| 49 | +* Ranger admin URL has new UI and looks & feel. There's option to switch to the classic Ranger 1.2.0 UI as well. |
| 50 | + |
| 51 | +* Root Service of Hive renamed to Hadoop SQL. |
| 52 | + |
| 53 | +* Hive/Hadoop SQL also has new capabilities of adding roles under Ranger. |
| 54 | + |
| 55 | +## Migration method recommendations |
| 56 | + |
| 57 | +As migration path to HDInsight 5.1, the Ranger policies migration between the clusters is recommended only through Ranger import/export options. |
| 58 | + |
| 59 | +> [!NOTE] |
| 60 | +> Reuse of HDInsight 4.1 Ranger database in HDInsight 5.1 Ranger service configurations isn't recommended. Ranger service would fail to restart with following exception due to differences in db schema. |
| 61 | +
|
| 62 | +``` |
| 63 | +2023-11-01 12:47:20,295 [JISQL] /usr/lib/jvm/lib/mssql-jdbc-7.4.1.jre8.jar:/usr/hdp/current/ranger-admin/jisql/lib/\* org.apache.util.sql.Jisql -user ranger -p '\*\*\*\*\*\*\*\*' -driver mssql -cstring jdbc:sqlserver://xxx\;databaseName=ranger -noheader -trim -c \; -query "delete from x\_db\_version\_h where version = '040' and active = 'N' and updated\_by=xxx.com';" |
| 64 | +2023-11-01 12:47:21,095 [E] 040-modify-unique-constraint-on-policy-table.sql import failed! |
| 65 | +``` |
| 66 | + |
| 67 | +## Migration steps |
| 68 | + |
| 69 | +Steps to import/export. |
| 70 | + |
| 71 | +1. Go to the older adults 4.0 clusters ranger page and select on export. |
| 72 | + |
| 73 | +1. Save the file. |
| 74 | + |
| 75 | +1. On new 5.1 cluster, open ranger and import the same file created in step 2. |
| 76 | + |
| 77 | +1. Map the services appropriately and set the override flag. |
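Review bot: The policy that has to be locked down is named three different ways in this new file: "**all databases**" in the NOTE at file line 33, then "**all-databases**" and "**all-database**" inside the single bullet at file line 41. A reader trying to restore the 4.0 defaults can't tell which Ranger policy to disable or edit, so use the exact name shown in the Ranger UI everywhere. The source version is inconsistent in the same way: file line 11 says "1.2.0 HDI 4.1" and the NOTE at file line 60 says "HDInsight 4.1", while the rest of the file says 4.0. Step 1 at file line 71 reads "Go to the older adults 4.0 clusters ranger page and select on export", which looks like a bad find-and-replace; something like "Go to the old 4.0 cluster's Ranger page and select Export" is presumably what was meant. File line 45 ("by clicking on navigating to ranger component") and the capitalized "Is" at file line 39 need the same cleanup. In the log sample at file line 63 the query ends with updated\_by=xxx.com' with no opening quote before xxx.com, and the backslash escapes will render literally inside the code fence, so drop them.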