Migrating Metadata Permissions to LakeFormation
Scenario
After metadata migration is complete, you can migrate metadata permissions to LakeFormation. After the migration is successful, the default owner bound to the metadata will have the metadata operation permissions.
Prerequisites
- Metadata has been migrated. (For how to migrate metadata, see Migrating Metadata to LakeFormation Using Metadata Migration.)
- You have obtained the permission to perform operations on OBS and have created an OBS parallel file system for storing data.
- Export the permission policy files to be migrated and upload them to the OBS parallel file system. For details about how to export permissions, contact the corresponding service support personnel.
- Authorization entities (except roles) in the permission policy have been created in advance and their names are consistent. Metadata objects contained in the permission policy already exist and their names are consistent.
If the migration type is set to DLF, the mapping and migration policies are as follows:
- RAM user: IAM user (If the corresponding IAM user does not exist, the permission policy will not be migrated.)
- RAM role: IAM user group (If the corresponding IAM user group does not exist, the permission policy will not be migrated.)
- DLF role: LakeFormation role (If this role does not exist, it will be automatically created.)
- If Policy Type is Ranger, only the allow permission of Ranger can be migrated. The deny permission cannot be migrated.
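The mapping rules above decide which exported policies are migrated, skipped, or cause a role to be created. As an added example (not LakeFormation's own code), the following pre-flight check applies those rules to a policy list so that missing IAM users or groups are found before the job is submitted; the policy record layout and the principal inventories are constructed assumptions, since the real export format is obtained from service support.

```python
# Added example, not LakeFormation's own code: apply the DLF/Ranger mapping rules
# to an exported policy list before submitting the permission migration job.
from dataclasses import dataclass, field

# Constructed inventory of principals that already exist on the target side.
IAM_USERS = {"alice", "bob"}
IAM_GROUPS = {"analysts"}
LF_ROLES = {"etl_role"}

# Constructed policy export (assumed layout): (policy_type, principal_type, name, effect).
SAMPLE_POLICIES = [
    ("DLF", "RAM_USER", "alice", "allow"),
    ("DLF", "RAM_USER", "carol", "allow"),      # no matching IAM user: skipped
    ("DLF", "RAM_ROLE", "analysts", "allow"),
    ("DLF", "RAM_ROLE", "auditors", "allow"),   # no matching IAM user group: skipped
    ("DLF", "DLF_ROLE", "reporting", "allow"),  # LakeFormation role auto-created
    ("RANGER", "USER", "bob", "allow"),
    ("RANGER", "USER", "bob", "deny"),          # Ranger deny is not migrated
]

@dataclass
class PreflightReport:
    migrated: list = field(default_factory=list)       # (principal, target type)
    skipped: list = field(default_factory=list)        # (principal, reason)
    roles_to_create: set = field(default_factory=set)  # LakeFormation roles created

def preflight(policies, iam_users, iam_groups, lf_roles):
    """Classify each exported policy the way the migration rules would treat it."""
    report = PreflightReport()
    for policy_type, subject_type, name, effect in policies:
        if policy_type == "RANGER":
            if effect == "allow":
                report.migrated.append((name, "Ranger allow"))
            else:
                report.skipped.append((name, "Ranger deny permission cannot be migrated"))
        elif policy_type == "DLF" and subject_type == "DLF_ROLE":
            if name not in lf_roles:
                report.roles_to_create.add(name)  # created automatically by the job
            report.migrated.append((name, "LakeFormation role"))
        elif policy_type == "DLF":
            target, inventory = {"RAM_USER": ("IAM user", iam_users),
                                 "RAM_ROLE": ("IAM user group", iam_groups)}[subject_type]
            if name in inventory:
                report.migrated.append((name, target))
            else:
                report.skipped.append((name, f"{target} {name} does not exist"))
        else:
            raise ValueError(f"unsupported policy type: {policy_type}")
    return report
```

Every entry in `skipped` is a policy the job would silently leave behind, so create the missing IAM users or groups (the prerequisite above) before running the job.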
Procedure
1. Log in to the LakeFormation console.
2. Select the LakeFormation instance to be operated from the drop-down list on the left and choose Jobs > Job Authorization in the navigation pane.
   Click Authorize to grant the job management permissions of LakeFormation to the current user. If authorization has been completed, skip this step.
   To cancel the permission, click Cancel Authorization.
   After the authorization is approved, LakeFormation automatically creates an agency named lakeformation_job_trust. Do not delete the agency during job running.
3. In the navigation pane, choose Jobs > Permission Migration.
4. Click Create Migration Job, set the parameters described in Table 1, and click Submit.

   Table 1 Creating a permission migration job

   - Job Name: Name of the permission migration job to be created.
   - Description: Description of the created migration job.
   - Policy Type: Type of the permission policy to be migrated. The value can be DLF or RANGER.
   - Policy File Path: Storage location in OBS of the permission policy file to be migrated.
   - Policy File: Name of the file whose permission policies are to be migrated.
   - Log Path: Storage location of logs generated during migration.
   - Catalog ID: Catalog name of the permission source. This parameter must be specified when Policy Type is set to DLF.
   - Authorization Conversion Objects: Specifies the conversion relationship between authorization objects in a permission policy. The prefix and suffix are added to the name of the authorization object. You need to configure User, User Group, Role, Prefix, and Suffix as well. You are advised to convert non-IAM users and non-IAM user groups to roles. This parameter is not required if Policy Type is DLF.
   - Event Notification Policy (optional; currently this function is in the OBT phase): Once this option is configured, a notification (via SMS or email) is sent when a specific event (such as job success or failure) occurs.
     - Event Notification: If this function is enabled, event notifications are activated.
     - Event Notification Topic: Select the topic to be notified. You can configure the topic using Simple Message Notification (SMN) on the management console.
     - Event: Specifies the job status that triggers the notification. The value can be either Job succeeded or Job failed.
5. Click Run in the Operation column to run the migration job.
   - Before running a migration job, you need to authorize the job by referring to step 2.
   - If the job fails to be executed, you can click Start in the Operation column to retry after the fault is rectified.
6. Click View Log in the Operation column to view the logs generated during job running. You can click Click here to view complete log to view the complete log.
   View Job instead of View Log may be displayed on the page. In this case, perform the following operations to view logs:
   - Click View Log in the Operation column to view the job execution status.
   - In the displayed dialog box, click Click here to view complete log to view the logs generated during job running.
7. Click Edit or Delete in the Operation column to modify or delete a job.
8. After the migration job is complete, you can click Data Permissions and Data Authorization to view the migrated LakeFormation permission policies.