- http://ranger.apache.org/
The following figure shows the working of Apache Ranger. Ranger provides authorization capabilities for a wide range of products and technologies in the Hadoop ecosystem.
Figure 13: Working of Apache Ranger (figure inferred from Hortonworks)
Ranger’s authorization methodology is based on Attribute Based Access Control (ABAC). ABAC is based on four attributes, namely subject, action, resource and environment.
As shown in the preceding figure, the Ranger plugin is installed along with the product for which authorization needs to be enforced. Ranger synchronizes user data with the enterprise directory (where user credentials are stored), and security administrators use that data to set up appropriate security policies, which are then persisted. When a user tries to access data in a product where the Ranger plugin is installed, the plugin retrieves the stored policies and performs the appropriate checks before the user gets access to the data they require. Apache Ranger supports HDFS, Hive, HBase, Storm, Solr, Kafka and Knox in the Hadoop ecosystem.
In addition to authorization (its core capability), Ranger also captures and persists various audit activities. This captured data can be quite useful when a particular activity has to be tracked and traced.
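The check-then-audit flow described above can be sketched as follows. This is an added example, not Ranger's own code or policy schema: the `Policy` and `Plugin` classes, their field names, the sample policies and the rule that an explicit deny overrides an allow are all assumptions made for illustration.

```python
import fnmatch
from dataclasses import dataclass, field
from datetime import time

@dataclass
class Policy:
    # Field names are illustrative, not Ranger's policy schema.
    name: str
    resource: str      # resource attribute: glob over a path
    groups: frozenset  # subject attribute: directory groups the policy applies to
    actions: frozenset # action attribute: e.g. {"read"}
    hours: tuple = (time(0, 0), time(23, 59, 59))  # environment attribute: time window
    allow: bool = True # False makes this an explicit deny policy

@dataclass
class Plugin:
    """Stand-in for the enforcement point installed with the protected product."""
    policies: list     # local copy of the persisted policies
    audit_log: list = field(default_factory=list)

    def _matches(self, p, groups, action, resource, now):
        return (fnmatch.fnmatchcase(resource, p.resource)
                and bool(p.groups & groups)
                and action in p.actions
                and p.hours[0] <= now <= p.hours[1])

    def authorize(self, user, groups, action, resource, now):
        hits = [p for p in self.policies
                if self._matches(p, frozenset(groups), action, resource, now)]
        denies = [p for p in hits if not p.allow]
        # Sketch's rule: explicit deny wins, and no matching policy means deny.
        decision = bool(hits) and not denies
        decided_by = (denies or hits or [None])[0]
        self.audit_log.append({  # every decision is recorded, allowed or not
            "user": user, "action": action, "resource": resource,
            "time": now.isoformat(), "allowed": decision,
            "policy": decided_by.name if decided_by else None,
        })
        return decision

# Constructed sample policies for the example.
PLUGIN = Plugin(policies=[
    Policy("finance-read", "/data/finance/*", frozenset({"finance"}),
           frozenset({"read"}), hours=(time(8, 0), time(18, 0))),
    Policy("contractor-deny-payroll", "/data/finance/payroll*",
           frozenset({"contractors"}), frozenset({"read", "write"}), allow=False),
])
```

Calling `PLUGIN.authorize("alice", {"finance"}, "read", "/data/finance/q1.csv", time(10, 0))` returns `True` and appends one audit record; the same request at 22:00 is denied because the environment attribute no longer matches.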
Apache Ranger was started and is owned by Hortonworks, and because of this it has good compatibility with the Hortonworks Hadoop distribution.
Apache Ranger works in conjunction with Apache Knox; in fact, the two complement each other in many ways to achieve the objective of security.