
Ranger Tag-Sync

Overview

  • Ranger supports access authorization based on tags associated with resources, in addition to resource-based access control. The tag-based policy model offers several advantages over the resource-based authorization model. One key advantage is that it supports the separation of resource classification from access authorization. This allows security administrators to conceptualize and author access policies across multiple components (such as HDFS, Hive) in terms of data type or class (a higher-level abstraction), rather than in terms of component-specific resources, as required by the resource-based model.
  • The Ranger suite includes a module called Tag-Sync — short for Tag Synchronization Module — that enables the synchronization of tagging information (such as entity-tag associations and the values of tag attributes, if any) between a tag source (usually Atlas in the Apache-DGI ecosystem) and Ranger Admin.
  • The Tag-Sync module is implemented within Ranger as a stand-alone daemon process named Ranger-Tag-Sync.
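
A simplified model of the separation between classification and authorization described above, as an added example rather than Ranger or Privacera code. The names `Resource`, `TagPolicy`, `TagStore` and `is_allowed`, the sample resources, the group names and the single `read` access type are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Resource:
    component: str  # e.g. "hdfs" or "hive"
    name: str       # component-specific identifier

@dataclass(frozen=True)
class TagPolicy:
    tag: str
    groups: frozenset
    accesses: frozenset

@dataclass
class TagStore:
    """Entity-tag associations as a sync process would deliver them from the tag source."""
    tags: dict = field(default_factory=dict)  # Resource -> {tag: attributes}

    def sync(self, resource, tag, attrs=None):
        self.tags.setdefault(resource, {})[tag] = dict(attrs or {})

    def remove(self, resource, tag):
        self.tags.get(resource, {}).pop(tag, None)

def is_allowed(store, policies, resource, group, access):
    """True if a policy on any of the resource's tags grants the access.
    Tag attributes are stored but not evaluated in this simplified check."""
    resource_tags = store.tags.get(resource, {})
    return any(p.tag in resource_tags and group in p.groups
               and access in p.accesses for p in policies)

def demo():
    # Constructed sample data: resource names, groups and tag are made up.
    hdfs_file = Resource("hdfs", "/data/customers/2024.csv")
    hive_col = Resource("hive", "sales.customers.ssn")
    hive_tbl = Resource("hive", "sales.orders")
    store = TagStore()
    store.sync(hdfs_file, "PII", {"level": "high"})
    store.sync(hive_col, "PII", {"level": "high"})
    # One policy, written against the classification, not against HDFS or Hive.
    policies = [TagPolicy("PII", frozenset({"privacy-officers"}), frozenset({"read"}))]
    check = lambda r, g: is_allowed(store, policies, r, g, "read")
    before = (check(hdfs_file, "privacy-officers"), check(hive_col, "privacy-officers"),
              check(hive_col, "analysts"), check(hive_tbl, "privacy-officers"))
    store.sync(hive_tbl, "PII")      # reclassification only; policies untouched
    after_tag = check(hive_tbl, "privacy-officers")
    store.remove(hive_tbl, "PII")
    after_untag = check(hive_tbl, "privacy-officers")
    return before, after_tag, after_untag

if __name__ == "__main__":
    print(demo())
```

In this model a resource with no tags is simply not covered by any tag policy; resource-based policies are not modeled.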

Configuration

Tag-Sync configuration consists of providing property values to control the following aspects of the module:

  • Configuration of the source system (such as Atlas)
  • Configuration of the tag target (Ranger Admin, also referred to as TagAdmin)
  • Ranger Tag-Sync process control

To learn how to configure Tag-Sync in Privacera, please refer to the page Prerequisites for Ranger Tag-Sync.
