
Is there a way to export ranger policies from cluster1 and import into cluster?

Master Mentor
 
1 ACCEPTED SOLUTION


@Neeraj Sabharwal Yes, but I am afraid not without a little bit of additional work. Maybe copying the database and adjusting some values like repo id, ranger address, etc. is an alternative to look into (not recommended though!). Here is the API-way 🙂

You can access all policies of a repository (e.g. hdfs/hadoop) by using:

http://<ranger_address>:6080/service/plugins/policies/download/<clustername>_hadoop

For example:

curl -ivk -H "Content-type:application/json" -u <user>:<password> http://<ranger_address>:6080/service/plugins/policies/download/bigdata_hadoop

This will return:

{
   "serviceName":"bigdata_hadoop",
   "serviceId":1,
   "policyVersion":23,
   "policyUpdateTime":1450245444000,
   "policies":[
      {
         "id":2,
         "guid":"1448089401967_197_71",
         "isEnabled":true,
         "createdBy":"Admin",
         "updatedBy":"Admin",
         "createTime":1448118201000,
         "updateTime":1449582864000,
         "version":5,
         "service":"bigdata_hadoop",
         "name":"Ranger_audits",
         "description":"",
         "resourceSignature":"6dbd7c49e533baa8082b48895acabf20",
         "isAuditEnabled":false,
         "resources":{
            "path":{
               "isRecursive":true,
               "values":[
                  "/apps/solr/ranger_audits"
               ],
               "isExcludes":false
            }
         },
         "policyItems":[
            {
               "users":[
                  "solr"
               ],
               "groups":[
               ],
               "delegateAdmin":false,
               "accesses":[
                  {
                     "isAllowed":true,
                     "type":"read"
                  },
                  {
                     "isAllowed":true,
                     "type":"write"
                  },
                  {
                     "isAllowed":true,
                     "type":"execute"
                  }
               ],
               "conditions":[
               ]
            }
         ]
      },
      {
         ...
         ...
      }
      ...
   ],
   ...
   ...
   ...
}

After downloading all policies of a repo you can use the REST calls I mentioned here => https://community.hortonworks.com/questions/10826/rest-api-url-to-configure-ranger-objects.html to recreate the policies in your other cluster.

Note: Make sure the users from Cluster1 are available in Cluster2 as well, otherwise Ranger will throw an exception when you create a policy for a user that doesn't exist.

That's it 🙂


6 REPLIES 6

Master Mentor

@Jonas Straub Very nice! Thank you for sharing this. 🙂

Expert Contributor

@Jonas Straub, @Neeraj Sabharwal, @Sagar Shimpi: Guys, using this I could export the entire policy repository using:

<Ranger_Host:IP>/service/public/api/policy 

and also using

http://<ranger_address>:6080/service/plugins/policies/download/<clustername>_hadoop

I went through the link shared which talks about exporting policies one by one. Is there a way to export entire repository instead of exporting policies one after another?

Master Mentor

Our latest tutorial on Ranger walks you through importing a policy with REST @Neeraj Sabharwal

Expert Contributor

I have used the above API calls and executed them on my cluster, and it worked. Below is the procedure I followed for one HDFS service and one policy.

Objective:

Export ranger policies from cluster1 to cluster2

Variables:

<clustername>=DEVLHDP

<policy_name>=<clustername>_hadoop-1-20160615193010

To download all policies from cluster1

http://ranger1:6080/service/plugins/policies/download/<clustername>_hadoop

get service from cluster1 ranger1

curl -iv -u admin:xxxx -H "Content-type:application/json" -X GET http://ranger1:6080/service/public/v2/api/service/name/<clustername>_hadoop

copy the json output to ranger-service.json

create service in new cluster2 ranger2

curl -iv -u admin:xxxxx -d @ranger-service.json -H "Content-Type: application/json" -X POST http://ranger2:6080/service/public/v2/api/service

Getting a sample policy from cluster1 ranger1

curl -iv -u admin:xxxxx -H "Content-type:application/json" -X GET http://ranger1:6080/service/public/v2/api/service/<clustername>_hadoop/policy/<clustername>_hadoop-1...

copy the json output to ranger_policy.json

create policy in new cluster2 ranger2

curl -iv -u admin:xxxxx -d @ranger_policy.json -H "Content-Type: application/json" -X POST http://ranger2:6080/service/public/v2/api/policy

Tested in HDP 2.4.2 which has Apache Ranger 0.5.2

Ref:

https://issues.apache.org/jira/browse/RANGER-1214

If this helped, pls vote/accept answer.
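
The accepted answer's download output and its note about missing users, combined with the policy POST step from the procedure above, suggest a pre-flight pass before anything is sent to cluster2. The following is an added example, not code from this thread or from Apache Ranger: it takes a download response, drops the fields the source Ranger assigned, points each policy at the target service, and holds back any policy that names a user or group unknown on the target (groups are checked the same way as an added precaution). The function name `prepare_import`, the list of dropped fields, the target service name and the user/group sets are assumptions made for illustration.

```python
import json

# Constructed sample, trimmed from the download response shown in the thread.
EXPORT = json.loads("""
{"serviceName": "bigdata_hadoop", "policyVersion": 23, "policies": [
  {"id": 2, "guid": "1448089401967_197_71", "isEnabled": true,
   "createdBy": "Admin", "updatedBy": "Admin", "createTime": 1448118201000,
   "updateTime": 1449582864000, "version": 5, "service": "bigdata_hadoop",
   "name": "Ranger_audits", "description": "",
   "resourceSignature": "6dbd7c49e533baa8082b48895acabf20",
   "isAuditEnabled": false,
   "resources": {"path": {"isRecursive": true,
                          "values": ["/apps/solr/ranger_audits"],
                          "isExcludes": false}},
   "policyItems": [{"users": ["solr"], "groups": [], "delegateAdmin": false,
                    "accesses": [{"isAllowed": true, "type": "read"},
                                 {"isAllowed": true, "type": "write"},
                                 {"isAllowed": true, "type": "execute"}],
                    "conditions": []}]}
]}
""")

# Assumption: these are assigned by the source Ranger and should be dropped
# so the target instance generates its own.
SERVER_FIELDS = {"id", "guid", "createdBy", "updatedBy", "createTime",
                 "updateTime", "version", "resourceSignature"}


def prepare_import(export, target_service, target_users, target_groups):
    """Return (ready, blocked): POST bodies, and policies with unknown principals."""
    ready, blocked = [], []
    for policy in export.get("policies", []):
        body = {k: v for k, v in policy.items() if k not in SERVER_FIELDS}
        body["service"] = target_service
        missing = set()
        for item in body.get("policyItems", []):
            missing |= {"user:" + u for u in item.get("users", [])
                        if u not in target_users}
            missing |= {"group:" + g for g in item.get("groups", [])
                        if g not in target_groups}
        if missing:
            blocked.append((body["name"], sorted(missing)))
        else:
            ready.append(body)
    return ready, blocked


if __name__ == "__main__":
    ready, blocked = prepare_import(EXPORT, "DEVLHDP_hadoop", {"hdfs"}, {"hadoop"})
    print(json.dumps({"ready": ready, "blocked": blocked}, indent=2))
```

Each entry in `ready` can be written to a file and sent with the `curl ... -d @ranger_policy.json ... /service/public/v2/api/policy` call shown in the procedure; entries in `blocked` name the principals to create or sync on cluster2 first.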
