Get fresh updates from Hortonworks by email

Once a month, receive latest insights, trends, analytics information and knowledge of Big Data.


Sign up for the Developers Newsletter

Once a month, receive latest insights, trends, analytics information and knowledge of Big Data.


Get Started


Ready to Get Started?

Download sandbox

How can we help you?

* I understand I can unsubscribe at any time. I also acknowledge the additional information found in Hortonworks Privacy Policy.
closeClose button
Apache Projects
Apache Ranger

Apache Ranger



Comprehensive security for Enterprise Hadoop

Apache Ranger delivers a comprehensive approach to security for a Hadoop cluster. It provides a centralized platform to define, administer and manage security policies consistently across Hadoop components.

What Ranger Does

Screen Shot 2015-10-27 at 10.00.27 AMApache Ranger offers a centralized security framework to manage fine-grained access control across:

Using the Apache Ranger console, security administrators can easily manage policies for access to files, folders, databases, tables, or column. These policies can be set for individual users or groups and then enforced consistently across HDP stack.

The Ranger Key Management Service (Ranger KMS) provides a scalable cryptographic key management service for HDFS “data at rest” encryption. Ranger KMS is based on the Hadoop KMS originally developed by the Apache community and extends the native Hadoop KMS functionality by allowing system administrators to store keys in a secure database.

Ranger also provides security administrators with deep visibility into their Hadoop environment through a centralized audit location that tracks all the access requests in real time and support multiple destination sources including HDFS and Solr.


How Ranger Works

Apache Ranger has a decentralized architecture with the following internal components:

Screen Shot 2016-09-07 at 4.27.16 PM

Component Description
Ranger admin portal The Ranger Admin portal is the central interface for security administration. Users can create and update policies, which are then stored in a policy database. Plugins within each component poll these policies at regular intervals. The portal also consists of an audit server that sends audit data collected from the plugins for storage in HDFS or in a relational database.
Ranger plugins Plugins are lightweight Java programs which embed within processes of each cluster component. For example, the Apache Ranger plugin for Apache Hive is embedded within Hiveserver2. These plugins pull in policies from a central server and store them locally in a file. When a user request comes through the component, these plugins intercept the request and evaluate it against the security policy. Plugins also collect data from the user request and follow a separate thread to send this data back to the audit server.
User group sync Apache Ranger provides a user synchronization utility to pull users and groups from Unix or from LDAP or Active Directory. The user or group information is stored within Ranger portal and used for policy definition.

Ranger can be deployed manually or can be deployed using Ambari, starting with Ambari 2.0.

Hortonworks Focus for Ranger

Focus Planned Enhancements
Extension of support Additional investments extend administration of authorization and auditing to more Hadoop components:
Deeper integration
  • API integration with HDFS
  • Support for new permissions within cluster components
Enterprise readiness
  • Centralizing audit for the entire platform
  • Enabling interactive audit queries through Solr
  • Global tag-based policies
Encryption Production-ready KMS to support HDFS Transparent Data Encryption

What's New in HDP 2.6

Export/Import of Ranger Security Policies

  • Seamless policy portability: Move security policies en masse from one environment to another
  • Easy bulk addition of policies
  • Bring security context along with data when it is copied between clusters/ environments

Incremental User Sync

  • Reduces time to sync changes for customers with large ADs
  • Helps reduce the lag time for policy to be effective based on user/group changes

Support for $username and other Macro Variables in Ranger Policies

  • Simplifies policy authoring and drastically reduces policy management overhead
  •  Write security policy once and apply it runtime for the current user making the request

Recent Progress in Ranger

The Atlas/ Ranger integration represents a paradigm shift for big data governance and security. By integrating Atlas with Ranger enterprises can now implement dynamic classification-based security policies, in addition to role-based security. Ranger’s centralized platform empowers data administrators to define security policy based on Atlas metadata tags or attributes and apply this policy in real-time to the entire hierarchy of data assets including databases, tables and columns.

Version Enhancements
Apache Ranger 0.7.0
  • Policy scalability
  • Enhanced policy constructs (macros)
  • Policy export/import
  • Incremental LDAP sync
  • Plugin policy version info
  • Hive show/describe columns authorization
Apache Ranger 0.6.0
  • Ranger policy model to support dynamic column masking for Hive
  • Ranger policy model to support row-filtering for Hive
  • Apache Atlas-Ranger integration to support classification (tag) based as well as other dynamic policies (location based, prohibition, data expiration)
  • Ranger-KMS – integration with Safenet Luna HSM appliances
  • Ranger Admin authentication with Knox SSO provider
  • Improved Reports page in Ranger Admin: Enhanced search by resource access, tags, policy type etc., Download report to an Excel or csv file
  • Audit scalability: Support for DB based audits removed, Solr used for indexing audit data and HDFS used for audit storage
  • Support multiple OU in LDAP search for Ranger usersync
  • Provide support to delete Users and Groups from Ranger Admin UI
  • Kerberos enable services for Ranger components
  • Group Based search support for Ranger user sync
  • LDAP configuration utility
  • Ranger to support Azure SQL Database
  • New example template project to write Ranger extensions
  • Apache Nifi authorization with Ranger
  • Ranger to allow for PAM based authentication
Apache Ranger 0.5.0
  • Pluggable architecture for Ranger – Ranger Stacks
  • Extend authorization and auditing to include Apache Solr, Kafka and Yarn
  • Ranger KMS to support HDFS Transparent Encryption
  • Hooks for creating dynamic policy conditions
  • Preserve metadata in Hive
  • Support near real time audit queries using Solr
  • Optimize and summarize audit data in source
  • Ranger to support PostGres and MS-SQL DB for storing policy data
  • Permission model to access Ranger UI modules
Apache Ranger 0.4.0
  • Support for authorization and audit in Apache Storm and Apache Knox
  • Integration with Apache Hive API, support of local grant/revoke permissions
  • Support grant/revoke in Apache HBase
  • Audit storage in HDFS
  • Windows support
  • REST APIs for policy manager
  • Support for Oracle database as a policy and audit store
HDP Advanced Security 3.5
  • Centralized security administration
  • Fine-grain access control for Apache Hadoop, Hive and HBase
  • Detailed resource auditing
  • Delegated administration
  • Audit of policy updates


Simplified, Comprehensive Hadoop Security with Ambari

Ambari 2.0 helps provision, manage and monitor Hadoop security in two ways. First, Ambari now simplifies the setup, configuration and maintenance of Kerberos for strong authentication in the cluster. Secondly, Ambari now includes support for installing and configuring Apache Ranger for centralized security administration, authorization and audit. For additional details view the Apache Ambari page.


Ranger Tutorials

Ranger in the Press

Webinars & Presentations