Apache Ranger Graduates to Top-Level Project
Apache Ranger, a security management framework for the Apache Hadoop ecosystem, has graduated to a top-level project. Ranger is used as a centralized component to define and administer security policies that are enforced across supported Hadoop components such as Apache HBase, Hadoop (HDFS and YARN), Apache Hive, Apache Kafka and Apache Solr, among others.
Ranger provides a standard authorization method across the supported Hadoop components via access control policies. Because the method is standard, Ranger also serves as a centralized component for auditing user access and security-related administrative actions across components.
Policies are defined and enforced with an attribute-based approach. In conjunction with Apache Atlas, a governance solution and metadata repository for Apache Hadoop, it is possible to define tag-based security by classifying files and data assets with tags and controlling user and user group access to a set of tags.
Ranger’s capabilities also include Dynamic Policies, where access depends on some dynamic factor such as time. It is possible to limit access to a resource based on time of the day, IP address or even geographical location.
Apache Ranger’s architecture is built around a Ranger Policy Admin Server that stores policies in a relational database (common deployments use MySQL). Each supported component (e.g. Hive, HDFS, etc.) runs the Ranger plugin, which performs authorization checks for all accessed resources (e.g. file, database, table, column). Authorizations are always based on the defined policies, which are fetched from the centralized Admin Server, by default every 30 seconds. Plugins keep working if the Admin Server is down, although the best practice is to configure it with high availability.
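A toy model of the plugin-side behaviour described above (local checks against a cached policy set, tag-based rules with time and IP conditions), added here as an illustration. It is not Ranger code: the `TagPolicy` and `PluginCache` names, the policy shape and the sample policy are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class TagPolicy:  # hypothetical policy shape, not Ranger's own format
    tag: str                      # classification carried by the resource
    groups: frozenset             # groups granted access to that tag
    start: time = time(0, 0)      # allowed time-of-day window
    end: time = time(23, 59, 59)
    network: str = "0.0.0.0/0"    # allowed source network

    def permits(self, groups, at, src_ip):
        return (bool(self.groups & set(groups))
                and self.start <= at <= self.end
                and ip_address(src_ip) in ip_network(self.network))

class PluginCache:
    """Holds the last policy set fetched from the admin server."""
    def __init__(self, fetch):
        self.fetch, self.policies, self.last_ok = fetch, [], None

    def refresh(self, now):
        # Called on a timer; a failed fetch leaves the last good set in force.
        try:
            self.policies, self.last_ok = list(self.fetch()), now
            return True
        except ConnectionError:
            return False

    def staleness(self, now):
        return None if self.last_ok is None else now - self.last_ok

    def is_allowed(self, resource_tags, groups, at, src_ip):
        # Default deny: access needs at least one matching policy.
        return any(p.tag in resource_tags and p.permits(groups, at, src_ip)
                   for p in self.policies)

def demo():
    up = {"admin": True}
    def fetch():  # constructed stand-in for the admin server
        if not up["admin"]:
            raise ConnectionError("admin server unreachable")
        return [TagPolicy("PII", frozenset({"analysts"}), time(9), time(17), "10.0.0.0/8")]
    cache = PluginCache(fetch)
    cache.refresh(now=0)
    up["admin"] = False               # admin server goes down
    refreshed = cache.refresh(now=30)
    return (refreshed, cache.staleness(now=60),
            cache.is_allowed({"PII"}, ["analysts"], time(10, 30), "10.1.2.3"),
            cache.is_allowed({"PII"}, ["analysts"], time(22, 0), "10.1.2.3"),
            cache.is_allowed({"PII"}, ["analysts"], time(10, 30), "192.0.2.7"))
```

In this model a policy change made on the admin side takes effect only at the next successful refresh, so the staleness value is the thing to monitor while the server is unreachable.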
Integration with external systems for authorization is another useful feature for the enterprise. The supported authentication mechanisms include LDAP/AD and Unix authentication. Ranger can write audit records into Apache Solr.