Updated on 2024-07-22 GMT+08:00

Migrating Permissions

Scenario

After metadata migration is complete, you can migrate metadata permissions to LakeFormation. After the migration is successful, the default owner bound to the metadata will have the metadata operation permissions.

Prerequisites

  • Metadata has been migrated. (For how to migrate metadata, see Migrating Metadata.)
  • You have obtained the permission to perform operations on OBS and have created an OBS parallel file system for storing data.
  • The permission policy files to be migrated have been exported and uploaded to the OBS parallel file system. For details about how to export permissions, contact the corresponding service support personnel.
  • Authorization entities (except roles) referenced in the permission policy have been created in advance, with names that match those in the policy file. The metadata objects referenced in the permission policy already exist, with matching names.
    If the migration type is set to DLF, the mapping and migration policies are as follows:
    • RAM user: IAM user (If the corresponding IAM user does not exist, the permission policy is not migrated.)
    • RAM role: IAM user group (If the corresponding IAM user group does not exist, the permission policy is not migrated.)
    • DLF role: LakeFormation role (If this role does not exist, it is created automatically.)
  • If Policy Type is Ranger, only Ranger allow permissions can be migrated; deny permissions are not migrated.

Procedure

  1. Log in to the LakeFormation console.
  2. In the upper left corner, click and choose Analytics > LakeFormation to access the LakeFormation console.
  3. Select the LakeFormation instance to be operated from the drop-down list on the left and choose Tasks > Permission Migration in the navigation pane on the left.
  4. Click Create Migration Task, set related parameters, and click Submit.

    Table 1 Creating a permission migration task

    Task Name: Name of the permission migration task to be created.

    Description: Description of the migration task.

    Policy Type: Type of the permission policy to be migrated.
    • DLF
    • RANGER

    Policy File Path: OBS location of the permission policy file to be migrated.

    Policy File: Name of the file containing the permission policies to be migrated.

    Log Path: Storage location of the logs generated during migration.

    Catalog ID: Catalog name of the permission source. Required when Policy Type is set to DLF.

    Ranger Authorization Conversion Objects: Specifies how authorization objects in the Ranger permission policy are converted. The configured prefix and suffix are added to the name of each authorization object. This parameter is displayed only when Policy Type is set to RANGER. You also need to configure User, User Group, Role, Prefix, and Suffix. You are advised to convert Ranger users and user groups that are not IAM users or IAM user groups to roles.

  5. Click Run in the Operation column to run the migration task.

    Click View Log to view the logs generated during task running.

    • Before running a migration task, you need to authorize the task by referring to Granting the Job Management Permission.
    • If the task fails to be executed, you can click Start in the Operation column to retry after rectifying the fault.

    Click Edit or Delete in the Operation column to modify or delete a task.

    After the migration task is complete, you can click Data Permissions and Data Authorization to view the migrated LakeFormation permission policies.
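Before submitting the task in step 4, it is worth predicting which policy entries will be migrated, skipped, or dropped, since the console only reports this afterwards in the task log. The following script is an added example, not Huawei or LakeFormation code: it applies the mapping rules from the Prerequisites section (RAM user to IAM user, RAM role to IAM user group, DLF role to LakeFormation role with automatic creation, Ranger allow only) and the prefix/suffix conversion from the Ranger Authorization Conversion Objects parameter in Table 1 to a constructed policy export. The field names of the DLF export, the sets of existing IAM principals, and the rule that Ranger names not found in IAM become roles are all assumptions; the Ranger sample follows the shape of Ranger's policy JSON but is constructed.

```python
"""Pre-flight check for a LakeFormation permission migration (added example, not Huawei code).

Applies the mapping rules from the Prerequisites section and the prefix/suffix
conversion from Table 1 to a constructed policy export, so that entries that would
be skipped (missing IAM user or user group) or dropped (Ranger deny items) are found
before the migration task is submitted. Field names and principal sets are assumptions.
"""

# --- Constructed inputs (assumptions, not real exports) -----------------------
# Principals that already exist on the target side; in practice query IAM/LakeFormation.
IAM_USERS = {"alice", "bob"}
IAM_GROUPS = {"analysts", "bi_team"}
LF_ROLES = {"reporting"}

# DLF-style export. The field names are an assumption, not the real DLF file format.
DLF_POLICIES = [
    {"principal_type": "RAM_USER", "principal": "alice", "object": "sales.orders", "actions": ["SELECT"]},
    {"principal_type": "RAM_ROLE", "principal": "analysts", "object": "sales", "actions": ["SELECT"]},
    {"principal_type": "DLF_ROLE", "principal": "etl_role", "object": "staging", "actions": ["ALTER"]},
    {"principal_type": "RAM_USER", "principal": "ghost", "object": "sales.refunds", "actions": ["SELECT"]},
]

# Ranger-style export, constructed in the shape of Ranger's policy JSON.
RANGER_POLICIES = [
    {
        "name": "sales_read",
        "resources": {"database": {"values": ["sales"]}, "table": {"values": ["orders"]}},
        "policyItems": [
            {"users": ["bob", "svc_etl"], "groups": ["bi_team", "contractors"], "roles": ["reporting"],
             "accesses": [{"type": "select", "isAllowed": True}]}
        ],
        # Deny items cannot be migrated (Prerequisites); the check must surface them.
        "denyPolicyItems": [
            {"users": ["bob"], "groups": [], "roles": [], "accesses": [{"type": "drop", "isAllowed": True}]}
        ],
    }
]

# Prerequisites mapping: DLF principal type -> (LakeFormation target, existing names, auto-create?)
DLF_MAPPING = {
    "RAM_USER": ("IAM user", IAM_USERS, False),
    "RAM_ROLE": ("IAM user group", IAM_GROUPS, False),
    "DLF_ROLE": ("LakeFormation role", LF_ROLES, True),
}


def plan_dlf(policies, mapping=DLF_MAPPING):
    """Return one (status, target type, principal, object) tuple per DLF policy entry."""
    plan = []
    for p in policies:
        target, existing, auto_create = mapping[p["principal_type"]]
        if p["principal"] in existing:
            status = "migrate"
        elif auto_create:
            status = "migrate (role will be created)"
        else:
            status = "skip (target missing)"  # policy is silently not migrated by the task
        plan.append((status, target, p["principal"], p["object"]))
    return plan


def convert_ranger_principal(name, kind, prefix="", suffix="", iam_users=IAM_USERS, iam_groups=IAM_GROUPS):
    """Map a Ranger user/group/role name to a LakeFormation principal.

    Assumption: names that exist in IAM keep their type; every other name becomes a
    LakeFormation role named prefix + name + suffix, following the advice in Table 1.
    """
    if kind == "user" and name in iam_users:
        return ("IAM user", name)
    if kind == "group" and name in iam_groups:
        return ("IAM user group", name)
    return ("LakeFormation role", f"{prefix}{name}{suffix}")


def ranger_resource(pol):
    """Flatten a Ranger resource spec into database.table.column notation."""
    parts = []
    for level in ("database", "table", "column"):
        values = pol["resources"].get(level, {}).get("values", [])
        if values:
            parts.append("/".join(values))
    return ".".join(parts)


def plan_ranger(policies, prefix="", suffix=""):
    """Expand allow items into per-principal grants and list deny items as dropped."""
    grants, dropped = [], []
    for pol in policies:
        resource = ranger_resource(pol)
        for item in pol.get("policyItems", []):
            actions = tuple(a["type"] for a in item["accesses"] if a.get("isAllowed", True))
            for kind in ("users", "groups", "roles"):
                for name in item.get(kind, []):
                    ptype, pname = convert_ranger_principal(name, kind[:-1], prefix, suffix)
                    grants.append((ptype, pname, resource, actions))
        for item in pol.get("denyPolicyItems", []):
            for kind in ("users", "groups", "roles"):
                for name in item.get(kind, []):
                    dropped.append((pol["name"], kind[:-1], name, tuple(a["type"] for a in item["accesses"])))
    return grants, dropped


if __name__ == "__main__":
    for row in plan_dlf(DLF_POLICIES):
        print("DLF   ", row)
    grants, dropped = plan_ranger(RANGER_POLICIES, prefix="rg_", suffix="_mig")
    for row in grants:
        print("RANGER", row)
    for row in dropped:
        print("DROPPED deny item (not migrated):", row)
```

Entries reported as "skip (target missing)" are the ones to fix by creating the IAM user or user group first; dropped deny items have no LakeFormation equivalent after migration, so any access they were blocking must be re-checked on the target side.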