Apache Ranger

Apache Ranger is a framework to enable, monitor and manage comprehensive data security across the platform.

Apache Ranger is used for creating and managing policies to access data and other related objects for all services in the CDP stack and features a number of improvements over earlier versions:

  • Prior to CDP, Ranger only supported users and groups in policies. In CDP, Ranger has also added the 'role' functionality that existed in Apache Sentry previously. A role is a collection of rules for accessing a given object. Ranger gives you the option to assign these roles to specific groups. Ranger policies can then be set for roles or directly on groups or individual users, and then enforced consistently across all the CDP services.

  • One of the key changes introduced in CDP for former CDH users is the replacement of Apache Sentry with Apache Ranger which offers a richer range of plugins for YARN, Kafka, Hive, HDFS and Solr services.HDP customers will benefit from the new Apache Ranger RMS feature which synchronises Hive table-level authorisations with the HDFS file system previously available in Apache Sentry (see, An Introduction to Ranger RMS).

More broadly Apache Ranger provides:

  • Centralized Administration interface and API

  • Standardized authentication method across all components

  • Supports multiple authorization methods such as Role based access control and attribute based access control

  • Centralized auditing of admin and audit actions

Apache Ranger features a number of components:

  • Administration portal UI and API

  • Ranger Plugins, lightweight Java plugins for each component designed to pull in policies from the central admin service and stored locally. Each user request evaluated against the policy capturing the request and shipping via a separate audit event to the Ranger audit server.

  • User Group Sync, synchronization of users and group memberships from UNIX and LDAP and stored by the portal for policy definition

Customers will typically deploy SSSD or similar such technology in order to resolve at the OS a user's group memberships. The Ranger Audit server will then index those events using the cluster’s Solr Infrastructure service to facilitate analysis and reporting.

Security Zones

Security zones enable you to arrange your Ranger resource and tag based policies into specific groups in order that administration can be delegated. For example in a specific security zone:

  • Security zone "finance" includes all content in a "finance" Hive database.

  • Users and groups can be designated as administrators in the security zone.

  • Users are allowed to set up policies only in security zones in which they are administrators.

  • Policies defined in a security zone are applicable only for resources of that zone.

  • A zone can be extended to include resources from multiple services such as HDFS, Hive, HBase, Kafka, etc., allowing administrators of a zone to set up policies for resources owned by their organization across multiple services.