Is there a way to export ranger policies from cluster1 and import into cluster?


Is there a way to export ranger policies from cluster1 and import into cluster?

 

Re: Is there a way to export ranger policies from cluster1 and import into cluster?

@Neeraj Sabharwal Yes, but I am afraid not without a little bit of additional work. Maybe copying the database and adjusting some values like repo id, ranger address, etc. is an alternative to look into (not recommended though!). Here is the API-way :)

You can access all policies of a repository (e.g. hdfs/hadoop) by using:

http://<ranger_address>:6080/service/plugins/policies/download/<clustername>_hadoop

For example:

curl -ivk -H "Content-type:application/json" -u <user>:<password> http://<ranger_address>:6080/service/plugins/policies/download/bigdata_hadoop

This will return:

{
   "serviceName":"bigdata_hadoop",
   "serviceId":1,
   "policyVersion":23,
   "policyUpdateTime":1450245444000,
   "policies":[
      {
         "id":2,
         "guid":"1448089401967_197_71",
         "isEnabled":true,
         "createdBy":"Admin",
         "updatedBy":"Admin",
         "createTime":1448118201000,
         "updateTime":1449582864000,
         "version":5,
         "service":"bigdata_hadoop",
         "name":"Ranger_audits",
         "description":"",
         "resourceSignature":"6dbd7c49e533baa8082b48895acabf20",
         "isAuditEnabled":false,
         "resources":{
            "path":{
               "isRecursive":true,
               "values":[
                  "/apps/solr/ranger_audits"
               ],
               "isExcludes":false
            }
         },
         "policyItems":[
            {
               "users":[
                  "solr"
               ],
               "groups":[


               ],
               "delegateAdmin":false,
               "accesses":[
                  {
                     "isAllowed":true,
                     "type":"read"
                  },
                  {
                     "isAllowed":true,
                     "type":"write"
                  },
                  {
                     "isAllowed":true,
                     "type":"execute"
                  }
               ],
               "conditions":[


               ]
            }
         ]
      },
      {
         ...
      }
      ...
   ],
   ...
   ...
   ...
}

After downloading all policies of a repo, you can use the REST calls I mentioned here => https://community.hortonworks.com/questions/10826/rest-api-url-to-configure-ranger-objects.html to recreate the policies in your other cluster.

Note: Make sure the users from Cluster1 are available in Cluster2 as well, otherwise Ranger will throw an exception when you create a policy for a user that doesn't exist.

That's it :)


Re: Is there a way to export ranger policies from cluster1 and import into cluster?

@Jonas Straub Very nice! Thank you for sharing this. :)


Re: Is there a way to export ranger policies from cluster1 and import into cluster?


@Jonas Straub, @Neeraj Sabharwal, @Sagar Shimpi: Guys, using this I could export the entire policy repository using:

<Ranger_Host:IP>/service/public/api/policy 

and also using

http://<ranger_address>:6080/service/plugins/policies/download/<clustername>_hadoop

I went through the shared link, which talks about exporting policies one by one. Is there a way to export the entire repository instead of exporting policies one after another?


Re: Is there a way to export ranger policies from cluster1 and import into cluster?


Our latest tutorial on Ranger walks you through importing a policy with REST @Neeraj Sabharwal

Re: Is there a way to export ranger policies from cluster1 and import into cluster?


I have used the above API calls and executed them on my cluster, and it worked. Below is the procedure I followed for one HDFS service and one policy.

Objective:

Export ranger policies from cluster1 to cluster2

variables:

<clustername>=DEVLHDP

<policy_name>=<clustername>_hadoop-1-20160615193010

To download all policies from cluster1

http://ranger1:6080/service/plugins/policies/download/<clustername>_hadoop

get service from cluster1 ranger1

curl -iv -u admin:xxxx -H "Content-type:application/json" -X GET http://ranger1:6080/service/public/v2/api/service/name/<clustername>_hadoop

copy the json output to ranger-service.json

create service in new cluster2 ranger2

curl -iv -u admin:xxxxx -d @ranger-service.json -H "Content-Type: application/json" -X POST http://ranger2:6080/service/public/v2/api/service

Getting a sample policy from cluster1 ranger1

curl -iv -u admin:xxxxx -H "Content-type:application/json" -X GET http://ranger1:6080/service/public/v2/api/service/<clustername>_hadoop/policy/<clustername>_hadoop-1...

copy the json output to ranger_policy.json

create policy in new cluster2 ranger2

curl -iv -u admin:xxxxx -d @ranger_policy.json -H "Content-Type: application/json" -X POST http://ranger2:6080/service/public/v2/api/policy

Tested in HDP 2.4.2 which has Apache Ranger 0.5.2

Ref:

https://issues.apache.org/jira/browse/RANGER-1214

If this helped, pls vote/accept answer.
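
As an added example (not code from any poster or from the Ranger project): one way to turn the download response shown in the accepted answer into request bodies for the per-policy POST used in the procedure above, while applying the accepted answer's note about users that do not exist in the second cluster. The list of server-assigned fields, the target service name `cluster2_hadoop` and the second sample policy are assumptions.

```python
import copy
import json

# Assumption: these fields are assigned by the Ranger instance that created the
# policy, so they are dropped before the policy is sent to another cluster.
SERVER_FIELDS = ("id", "guid", "createdBy", "updatedBy", "createTime",
                 "updateTime", "version", "resourceSignature")

def prepare_import(export, target_service, target_users):
    """Split a policy download into (payloads, skipped).

    payloads: policies re-pointed at target_service, ready to POST one by one.
    skipped:  {policy name: [users missing in the target cluster]}.
    """
    payloads, skipped = [], {}
    for policy in export.get("policies", []):
        p = copy.deepcopy(policy)          # leave the downloaded export untouched
        for field in SERVER_FIELDS:
            p.pop(field, None)
        p["service"] = target_service      # service name as defined in cluster2
        missing = sorted({u for item in p.get("policyItems", [])
                          for u in item.get("users", [])
                          if u not in target_users})
        if missing:
            skipped[p["name"]] = missing   # hold back until the users exist
        else:
            payloads.append(p)
    return payloads, skipped

# Constructed sample: the policy from the download response above (trimmed),
# plus a made-up second policy naming a user that cluster2 does not have.
SAMPLE_EXPORT = json.loads("""
{"serviceName": "bigdata_hadoop", "policyVersion": 23, "policies": [
  {"id": 2, "guid": "1448089401967_197_71", "isEnabled": true, "version": 5,
   "service": "bigdata_hadoop", "name": "Ranger_audits", "isAuditEnabled": false,
   "resources": {"path": {"isRecursive": true, "isExcludes": false,
                          "values": ["/apps/solr/ranger_audits"]}},
   "policyItems": [{"users": ["solr"], "groups": [], "delegateAdmin": false,
                    "accesses": [{"isAllowed": true, "type": "read"}]}]},
  {"id": 7, "isEnabled": true, "service": "bigdata_hadoop", "name": "etl_landing",
   "resources": {"path": {"isRecursive": true, "values": ["/data/landing"]}},
   "policyItems": [{"users": ["etl_svc", "solr"], "groups": [],
                    "accesses": [{"isAllowed": true, "type": "write"}]}]}]}
""")

if __name__ == "__main__":
    ready, held = prepare_import(SAMPLE_EXPORT, "cluster2_hadoop", {"solr", "hdfs"})
    for p in ready:
        print(json.dumps(p))               # one body per policy POST
    print("skipped:", held)
```

Reviewing the skipped list before importing shows which grants would be lost in the migration, so the missing users can be created first rather than the policy silently not arriving.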
