Migrating Permissions

Scenario

After metadata migration is complete, you can migrate metadata permissions to LakeFormation. After the migration is successful, the default owner bound to the metadata will have the metadata operation permissions.

Prerequisites

Metadata has been migrated. (For how to migrate metadata, see Migrating Metadata.)
You have obtained the permission to perform operations on OBS and have created an OBS parallel file system for storing data.
Export the permission policy files to be migrated and upload them to the OBS parallel file system. For details about how to export permissions, contact the corresponding service support personnel.
Authorization entities (except roles) in the permission policy have been created in advance and their names are consistent. Metadata objects contained in the permission policy already exist and their names are consistent.
If the migration type is set to DLF, the mapping and migration policies are as follows:
- RAM user: IAM user (If the corresponding IAM user does not exist, the permission policy will not be migrated.)
- RAM role: IAM user group (If the corresponding IAM user group does not exist, the permission policy will not be migrated.)
- DLF role: LakeFormation role (If this role does not exist, it will be automatically created.)
If Policy Type is Ranger, only the allow permission of Ranger can be migrated. The deny permission cannot be migrated.

Procedure

Log in to the LakeFormation console.
In the upper left corner, click and choose Analytics > LakeFormation to access the LakeFormation console.
Select the LakeFormation instance to be operated from the drop-down list on the left and choose Tasks > Permission Migration in the navigation pane on the left.

Click Create Migration Task, set related parameters, and click Submit.

**Table 1** Creating a permission migration task
Parameter	Description
Task Name	Name of the permission migration task to be created.
Description	Description of the created migration task.
Policy Type	Type of the permission policy to be migrated. DLF RANGER
Log Path	Storage location of logs generated during migration.
Policy File Path	Storage location of the permission policy file to be migrated in OBS.
Policy File	Name of the file whose permission policies are to be migrated.
Catalog ID	Catalog name of the permission source. This parameter needs to be specified when Policy Type is set to DLF.
Authorization Conversion Objects	Parameter for specifying the conversion relationship between authorization objects a permission policy. The prefix and suffix are added to the name of the authorization object. You need to configure User, User Group, Role, Prefix, and Suffix as well. You are advised to convert non-IAM users and non-IAM user groups to roles. This parameter is not required if the Permission Policy Type is DLF.
Event Notification Policy (Currently, this function is in the OBT phase.)	(Optional) Once this option is configured, a notification (via SMS or email) will be sent when a specific event (such as task success or failure) occurs. Event Notification: If this function is enabled, event notifications will be activated. Event Notification Topic: Select the topic to be notified. You can configure the topic using Simple Message Notification (SMN) on the management console. Event: Specifies the status of the topic to be notified. The value can be either Task succeeded or Task failed.

Click Run in the Operation column to run the migration task.

Click View Log to view the logs generated during task running.
- Before running a migration task, you need to authorize the task by referring to Granting the Job Management Permission.
- If the task fails to be executed, you can click Start in the Operation column to retry after rectifying the fault.
Click Edit or Delete in the Operation column to modify or delete a task.

After the migration task is complete, you can click Data Permissions and Data Authorization to view the migrated LakeFormation permission policies.