Pivotal Knowledge Base

How to export the Ranger policy?

Environment

Product      Version
Pivotal HD   3.x
Ranger       0.4, 0.5

Purpose

Before a system upgrade or migration, the existing Ranger policies must be exported. This article describes how to export Ranger policies through the Ranger API.

Procedure

An API call can be used to export Ranger policies.

In Ranger 0.5 and greater:

curl -ivk -H "Content-type:application/json" -u <Ranger admin user name>:<password> http://<Ranger admin host>:<Ranger service port>/service/plugins/policies/download/<service (repository) name>

In Ranger 0.4:

curl -ivk -H "Content-type:application/json" -u <Ranger admin user name>:<password> http://<Ranger admin host>:<Ranger service port>/service/public/api/policy

Examples

  • Ranger 0.5+
[root@admin ~]# curl -ivk -H "Content-type:application/json" -u admin:admin http://admin.hadoop.local:6080/service/plugins/policies/download/hdfs_test_1
* About to connect() to admin.hadoop.local port 6080 (#0)
* Trying 192.168.4.50... connected
* Connected to admin.hadoop.local (192.168.4.50) port 6080 (#0)
* Server auth using Basic with user 'admin'
> GET /service/plugins/policies/download/hdfs_test_1 HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: admin.hadoop.local:6080
> Accept: */*
> Content-type:application/json
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
Server: Apache-Coyote/1.1
< Content-Type: application/json
Content-Type: application/json
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Date: Wed, 04 May 2016 05:14:00 GMT
Date: Wed, 04 May 2016 05:14:00 GMT

* Connection #0 to host admin.hadoop.local left intact
* Closing connection #0
{"serviceName":"hdfs_test_1","serviceId":1,"policyVersion":1,"policyUpdateTime":1462338793000,"policies":[{"id":1,"guid":"1462338793540_165_64","isEnabled":true,"createdBy":"Admin","updatedBy":"Admin","createTime":1462309993000,"updateTime":1462309993000,"version":1,"service":"hdfs_test_1","name":"hdfs_test_1-1-20160504051313","description":"Default Policy for Service: hdfs_test_1","resourceSignature":"6f956063401eda656f1eae8870c1afac","isAuditEnabled":true,"resources":{"path":{"isRecursive":true,"values":["/"],"isExcludes":false}},"policyItems":[{"users":["admin"],"groups":[],"delegateAdmin":true,"accesses":[{"isAllowed":true,"type":"read"},{"isAllowed":true,"type":"write"},{"isAllowed":true,"type":"execute"}],"conditions":[]}]}],"serviceDef":{"id":1,"guid":"0d047247-bafe-4cf8-8e9b-d5d377284b2d","isEnabled":true,"createTime":1462309741000,"updateTime":1462309741000,"version":1,"name":"hdfs","implClass":"org.apache.ranger.services.hdfs.RangerServiceHdfs","label":"HDFS Repository","description":"HDFS Repository","configs":[{"label":"Username","rbKeyLabel":null,"rbKeyDescription":null,"itemId":1,"subType":"","mandatory":true,"validationRegEx":"","validationMessage":"","uiHint":"","rbKeyValidationMessage":null,"name":"username","type":"string","defaultValue":null,"description":null},{"label":"Password","rbKeyLabel":null,"rbKeyDescription":null,"itemId":2,"subType":"","mandatory":true,"validationRegEx":"","validationMessage":"","uiHint":"","rbKeyValidationMessage":null,"name":"password","type":"password","defaultValue":null,"description":null},{"label":"Namenode URL","rbKeyLabel":null,"rbKeyDescription":null,"itemId":3,"subType":"","mandatory":true,"validationRegEx":"","validationMessage":"","uiHint":"","rbKeyValidationMessage":null,"name":"fs.default.name","type":"string","defaultValue":null,"description":null},{"label":"Authorization Enabled","rbKeyLabel":null,"rbKeyDescription":null,"itemId":4,"subType":"YesTrue:NoFalse","mandatory":true,"validationRegEx":"","validationMessage":"","uiHint":"","rbKeyValidationMessage":null,"name":"hadoop.security.authorization","type":"bool","defaultValue":"false","description":null},{"label":"Authentication Type","rbKeyLabel":null,"rbKeyDescription":null,"itemId":5,"subType":"authnType","mandatory":true,"validationRegEx":"","validationMessage":"","uiHint":"","rbKeyValidationMessage":null,"name":"hadoop.security.authentication","type":"enum","defaultValue":"simple","description":null},{"label":null,"rbKeyLabel":null,"rbKeyDescription":null,"itemId":6,"subType":"","mandatory":false,"validationRegEx":"","validationMessage":"","uiHint":"","rbKeyValidationMessage":null,"name":"hadoop.security.auth_to_local","type":"string","defaultValue":null,"description":null},{"label":null,"rbKeyLabel":null,"rbKeyDescription":null,"itemId":7,"subType":"","mandatory":false,"validationRegEx":"","validationMessage":"","uiHint":"","rbKeyValidationMessage":null,"name":"dfs.datanode.kerberos.principal","type":"string","defaultValue":null,"description":null},{"label":null,"rbKeyLabel":null,"rbKeyDescription":null,"itemId":8,"subType":"","mandatory":false,"validationRegEx":"","validationMessage":"","uiHint":"","rbKeyValidationMessage":null,"name":"dfs.namenode.kerberos.principal","type":"string","defaultValue":null,"description":null},{"label":null,"rbKeyLabel":null,"rbKeyDescription":null,"itemId":9,"subType":"","mandatory":false,"validationRegEx":"","validationMessage":"","uiHint":"","rbKeyValidationMessage":null,"name":"dfs.secondary.namenode.kerberos.principal","type":"string","defaultValue":null,"description":null},{"label":"RPC Protection Type","rbKeyLabel":null,"rbKeyDescription":null,"itemId":10,"subType":"rpcProtection","mandatory":false,"validationRegEx":"","validationMessage":"","uiHint":"","rbKeyValidationMessage":null,"name":"hadoop.rpc.protection","type":"enum","defaultValue":"authentication","description":null},{"label":"Common Name for Certificate","rbKeyLabel":null,"rbKeyDescription":null,"itemId":11,"subType":"","mandatory":false,"validationRegEx":"","validationMessage":"","uiHint":"","rbKeyValidationMessage":null,"name":"commonNameForCertificate","type":"string","defaultValue":null,"description":null}],"resources":[{"label":"Resource Path","rbKeyLabel":null,"rbKeyDescription":null,"itemId":1,"mandatory":true,"validationRegEx":"","validationMessage":"","uiHint":"","rbKeyValidationMessage":null,"lookupSupported":true,"recursiveSupported":true,"excludesSupported":false,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":{"wildCard":"true","ignoreCase":"false"},"name":"path","parent":null,"type":"path","level":10,"description":"HDFS file or directory path"}],"accessTypes":[{"label":"Read","rbKeyLabel":null,"itemId":1,"impliedGrants":[],"name":"read"},{"label":"Write","rbKeyLabel":null,"itemId":2,"impliedGrants":[],"name":"write"},{"label":"Execute","rbKeyLabel":null,"itemId":3,"impliedGrants":[],"name":"execute"}],"policyConditions":[],"contextEnrichers":[],"enums":[{"itemId":1,"defaultIndex":0,"name":"authnType","elements":[{"label":"Simple","rbKeyLabel":null,"itemId":1,"name":"simple"},{"label":"Kerberos","rbKeyLabel":null,"itemId":2,"name":"kerberos"}]},{"itemId":2,"defaultIndex":0,"name":"rpcProtection","elements":[{"label":"Authentication","rbKeyLabel":null,"itemId":1,"name":"authentication"},{"label":"Integrity","rbKeyLabel":null,"itemId":2,"name":"integrity"},{"label":"Privacy","rbKeyLabel":null,"itemId":3,"name":"privacy"}]}]}}
  • Ranger 0.4
[root@admin ~]# curl -ivk -H "Content-type:application/json" -u admin:admin http://admin.hadoop.local:6080/service/public/api/policy
* About to connect() to admin.hadoop.local port 6080 (#0)
*   Trying 192.168.4.20... connected
* Connected to admin.hadoop.local (192.168.4.20) port 6080 (#0)
* Server auth using Basic with user 'admin'
> GET /service/public/api/policy HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: admin.hadoop.local:6080
> Accept: */*
> Content-type:application/json
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=FA78974217500C8C8D70BF6AA49389EC; Path=/; HttpOnly
Set-Cookie: JSESSIONID=FA78974217500C8C8D70BF6AA49389EC; Path=/; HttpOnly
< Content-Type: application/json
Content-Type: application/json
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Date: Thu, 02 Jun 2016 05:43:40 GMT
Date: Thu, 02 Jun 2016 05:43:40 GMT

<
* Connection #0 to host admin.hadoop.local left intact
* Closing connection #0
{"startIndex":0,"pageSize":1,"totalCount":1,"resultSize":1,"queryTimeMS":1464846220668,"vXPolicies":[{"id":1,"createDate":"2016-05-04T03:00:52Z","updateDate":"2016-05-04T03:00:52Z","owner":"Admin","updatedBy":"Admin","policyName":"hdfs_test_1-1-20160504030052","resourceName":"/","repositoryName":"hdfs_test_1","repositoryType":"HDFS","permMapList":[{"permList":["Unknown"]}],"isEnabled":true,"isRecursive":true,"isAuditEnabled":true,"version":"0.4.0.3.0.1.0-1","replacePerm":false}]}

The URL http://<Ranger admin host>:<Ranger service port>/service/public/api/policy can also be opened in a web browser to view properly formatted output.
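
Before the exported policies are re-created on the upgraded or migrated cluster, it helps to reduce both export formats to the same grant records, reject a 0.4 response that is only one page of a larger result, and flag entries that need review. This is an added example, not part of the original article or of Ranger; `load_policies`, `review_flags` and the `userList`/`groupList` field names are assumptions, and the sample JSON is trimmed from the two responses shown above.

```python
import json

# Constructed samples: the two response bodies shown on this page, trimmed
# (serviceDef, ids and timestamps dropped) so the block runs offline.
EXPORT_05 = '{"serviceName":"hdfs_test_1","policies":[{"isEnabled":true,"service":"hdfs_test_1","name":"hdfs_test_1-1-20160504051313","isAuditEnabled":true,"resources":{"path":{"isRecursive":true,"values":["/"],"isExcludes":false}},"policyItems":[{"users":["admin"],"groups":[],"delegateAdmin":true,"accesses":[{"isAllowed":true,"type":"read"},{"isAllowed":true,"type":"write"},{"isAllowed":true,"type":"execute"}],"conditions":[]}]}]}'
EXPORT_04 = '{"startIndex":0,"pageSize":1,"totalCount":1,"resultSize":1,"vXPolicies":[{"policyName":"hdfs_test_1-1-20160504030052","resourceName":"/","repositoryName":"hdfs_test_1","repositoryType":"HDFS","permMapList":[{"permList":["Unknown"]}],"isEnabled":true,"isRecursive":true,"isAuditEnabled":true}]}'
KNOWN_ACCESS = {"read", "write", "execute"}  # accessTypes in the HDFS serviceDef above


def load_policies(raw):
    """Normalise either export format into a list of flat policy records."""
    doc = json.loads(raw)
    if "policies" in doc:  # Ranger 0.5+ download format
        return [{
            "service": p["service"], "name": p["name"],
            "audit": p["isAuditEnabled"], "enabled": p["isEnabled"],
            "paths": p["resources"].get("path", {}).get("values", []),
            "recursive": p["resources"].get("path", {}).get("isRecursive", False),
            "grants": [(sorted(i.get("users", [])), sorted(i.get("groups", [])),
                        sorted(a["type"] for a in i["accesses"] if a["isAllowed"]),
                        i.get("delegateAdmin", False)) for i in p["policyItems"]],
        } for p in doc["policies"]]
    if doc["totalCount"] > len(doc["vXPolicies"]):  # Ranger 0.4 list format is paged
        raise ValueError("response holds %d of %d policies"
                         % (len(doc["vXPolicies"]), doc["totalCount"]))
    # userList/groupList are assumed field names; the page's sample shows only permList.
    return [{
        "service": p["repositoryName"], "name": p["policyName"],
        "audit": p["isAuditEnabled"], "enabled": p["isEnabled"],
        "paths": [p["resourceName"]], "recursive": p["isRecursive"],
        "grants": [(sorted(m.get("userList", [])), sorted(m.get("groupList", [])),
                    sorted(x.lower() for x in m["permList"]), False)
                   for m in p["permMapList"]],
    } for p in doc["vXPolicies"]]


def review_flags(rec):
    """Return the reasons a policy deserves a look before it is re-created."""
    flags = []
    if not rec["audit"]:
        flags.append("audit-disabled")
    if rec["recursive"] and "/" in rec["paths"]:
        flags.append("recursive-root")
    if any(g[3] for g in rec["grants"]):
        flags.append("delegate-admin")
    if any(set(g[2]) - KNOWN_ACCESS for g in rec["grants"]):
        flags.append("unrecognised-permission")  # needs manual mapping
    return flags
```

Running `review_flags` over the records from a saved export gives a short list to check by hand, such as the 0.4 sample's `Unknown` permission, which has no matching access type in the 0.5 service definition.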
