Migrating to Starburst Enterprise 462-e or later
Starburst Enterprise Platform (SEP) 462-e includes changes to configurations for the Apache Ranger integration.
As of 462-e, Hive Ranger connector-level access control is deprecated and replaced with Hive Ranger system-level access control. If you use Apache Ranger with SEP to control access to a Hive or Delta Lake catalog, follow this guide to migrate to 462-e or later.
Before beginning this migration, consider the following limitations:
- hive-based-ranger does not support policy management with SQL.
- Column masks for partitioning columns are not supported. No error message is shown by hive-based-ranger when a query tries to select a masked column which is a partitioning column.
Contact Starburst Support if you need additional help with these limitations.
Complete Ranger migration
To migrate an Apache Ranger integration to SEP version 462-e and later:
1. Create a new access-control.properties file with the following example properties, specifying catalogs that were using Ranger access control:

       access-control.name=hive-based-ranger
       ranger.hive-based.catalogs=hive-catalog,delta-lake-catalog
       ranger.hive-based.fallback-access-control=ALLOW_ALL

   Note: If you already have an access-control.properties file, you can use access-control.config-files to specify multiple system access control systems. It should contain a comma-separated list of the access control property files to use.

2. Move all Ranger-related properties from the hive.properties file to the access-control.properties file:

   An example hive.properties file before the migration:

       connector.name=hive
       hive.metastore.uri=thrift://hive-metastore-node:9083
       hive.metastore.authentication.type=KERBEROS
       hive.metastore.service.principal=hive/hive-metastore-node@EXAMPLE.COM
       hive.metastore.client.principal=hive/sep-server-node@EXAMPLE.COM
       hive.metastore.client.keytab=/etc/hive/conf/hive.keytab
       hive.hdfs.authentication.type=KERBEROS
       hive.hdfs.impersonation.enabled=false
       hive.hdfs.trino.principal=hdfs/sep-server-node@EXAMPLE.COM
       hive.hdfs.trino.keytab=/etc/hadoop/conf/hdfs.keytab
       hive.security=ranger
       ranger.policy-rest-url=https://ranger-host:6182
       ranger.service-name=hive
       ranger.authentication-type=KERBEROS
       ranger.kerberos-principal=sep-server/sep-server-node@EXAMPLE.COM
       ranger.kerberos-keytab=/etc/sep/conf/sep-server.keytab
       ranger.plugin-policy-ssl-config-file=/etc/hive/conf/ranger-policymgr-ssl.xml

   An example hive.properties file after the migration:

       connector.name=hive
       hive.metastore.uri=thrift://hive-metastore-node:9083
       hive.metastore.authentication.type=KERBEROS
       hive.metastore.service.principal=hive/hive-metastore-node@EXAMPLE.COM
       hive.metastore.client.principal=hive/sep-server-node@EXAMPLE.COM
       hive.metastore.client.keytab=/etc/hive/conf/hive.keytab
       hive.security=allow-all
       hive.hdfs.authentication.type=KERBEROS
       hive.hdfs.impersonation.enabled=false
       hive.hdfs.trino.principal=hdfs/sep-server-node@EXAMPLE.COM
       hive.hdfs.trino.keytab=/etc/hadoop/conf/hdfs.keytab

   An example access-control.properties file after the migration:

       access-control.name=hive-based-ranger
       ranger.hive-based.catalogs=hive-catalog
       ranger.hive-based.fallback-access-control=ALLOW_ALL
       ranger.policy-rest-url=https://ranger-host:6182
       ranger.service-name=hive
       ranger.authentication-type=KERBEROS
       ranger.kerberos-principal=sep-server/sep-server-node@EXAMPLE.COM
       ranger.kerberos-keytab=/etc/sep/conf/sep-server.keytab
       ranger.plugin-policy-ssl-config-file=/etc/hive/conf/ranger-policymgr-ssl.xml

3. Verify you are not using the deprecated ranger-system-access-control value or the legacy value legacy-ranger-system-access-control for the access-control.name configuration property. If you are, then remove the entire file and add the following property to the new access-control.properties file created in step 1:

       access-control.name=hive-based-ranger
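Because the migrated catalog file sets hive.security=allow-all, enforcement depends on the catalog being listed in ranger.hive-based.catalogs and on every ranger.* property reaching access-control.properties. The following check of the three steps above is an added example, not Starburst code; the function names and the constructed sample input are assumptions, with dictionary keys standing for catalog names.

```python
# Added example (not Starburst code); function names and sample values are illustrative.
DEPRECATED_NAMES = {"ranger-system-access-control", "legacy-ranger-system-access-control"}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_migration(before, after, access_control):
    """before/after map catalog name -> properties text; returns a list of findings."""
    findings = []
    ac = parse_properties(access_control)
    name = ac.get("access-control.name")
    if name in DEPRECATED_NAMES:
        findings.append(f"access-control.name uses deprecated value {name}")
    elif name != "hive-based-ranger":
        findings.append("access-control.name is not hive-based-ranger")
    listed = {c.strip() for c in ac.get("ranger.hive-based.catalogs", "").split(",") if c.strip()}
    for catalog, text in before.items():
        old = parse_properties(text)
        if old.get("hive.security") != "ranger":
            continue  # catalog was not using connector-level Ranger
        new = parse_properties(after.get(catalog, ""))
        if new.get("hive.security") == "ranger":
            findings.append(f"{catalog}: hive.security is still ranger")
        leftover = sorted(k for k in new if k.startswith("ranger."))
        if leftover:
            findings.append(f"{catalog}: ranger.* properties left in catalog file: {leftover}")
        if catalog not in listed:
            findings.append(f"{catalog}: missing from ranger.hive-based.catalogs")
        for key, value in old.items():
            if key.startswith("ranger.") and ac.get(key) != value:
                findings.append(f"{catalog}: {key} not carried over to access-control.properties")
    return findings

# Constructed sample input, trimmed from the examples on this page.
BEFORE = {"hive-catalog": "connector.name=hive\nhive.security=ranger\n"
          "ranger.policy-rest-url=https://ranger-host:6182\nranger.service-name=hive\n"}
AFTER_OK = {"hive-catalog": "connector.name=hive\nhive.security=allow-all\n"}
ACCESS_OK = ("access-control.name=hive-based-ranger\nranger.hive-based.catalogs=hive-catalog\n"
             "ranger.policy-rest-url=https://ranger-host:6182\nranger.service-name=hive\n")

if __name__ == "__main__":
    print("\n".join(check_migration(BEFORE, AFTER_OK, ACCESS_OK)) or "no findings")
```

An empty result means every catalog that previously set hive.security=ranger is listed for hive-based-ranger and its ranger.* settings were carried over unchanged.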
See the Hive Ranger documentation for more details about Hive, Delta Lake, and Iceberg access control with Apache Ranger.
There are no required changes related to Ranger policies. Global Ranger is unaffected. Contact Starburst Support in the event of any issues.