Accessing Iceberg tables

CDP uses Apache Ranger to provide centralized security administration and management. The Ranger Admin UI is the central interface for security administration. You can use Ranger to create two policies that allow users to query Iceberg tables.

Using Ranger with Iceberg is a technical preview and not recommended for General Data Protection Regulation (GDPR) applications.

How you open the Ranger Admin UI differs from one CDP service to another. In Management Console, you can select your environment, and then click Environment Details > Quick Links > Ranger.

You log into the Ranger Admin UI, and the Ranger Service Manager appears.

The default policies that appear differ from service to service. You need to set up two Hadoop SQL policies to query Iceberg tables, and depending on your use case, you might want to include a third policy: an IAM policy to secure access to your data storage:

  • One to authorize users to access the Iceberg files

    Follow steps in "Edit a policy to access Iceberg files" below.

  • One to authorize users to query Iceberg tables

    Follow steps in "Creating a policy to query an Iceberg table" below.

  • An optional IAM policy for data storage

    Until Ranger with Iceberg policies are GA, if you need tight security, use "S3 buckets, IAM roles, and policies for logs, backups, and data storage" in addition to the Hadoop SQL Storage Handler policy to secure Iceberg files on your object store.

You can find complete Ranger documentation for Public Cloud in "Security".


  • Obtain the RangerAdmin role.
  • Get the user name and password your Administrator set up for logging into the Ranger Admin.

    The default credentials for logging into the Ranger Admin Web UI are admin/admin123.