Actions and Permissions

In Apache Ranger, actions (also referred to as access types or privileges) define what operations are allowed or denied on a resource. These are essential components of any access control policy and vary depending on the type of service being secured.

What Are Actions?

Actions represent the specific operations a user, group, or role can perform on a resource. Examples include:

  • SELECT: Read data from a table or column.
  • INSERT: Add data to a table.
  • DELETE: Remove records.
  • READ: Access a file in ADLS, GCS, or S3.
  • PUBLISH: Publish messages to a Kafka topic.
  • CONSUME: Consume messages from a Kafka topic.

Each service definition in Ranger defines its own set of actions.

How Actions Are Defined

Actions are part of the Service Definition, which specifies:

  • The list of supported access types.
  • Whether each action supports masking, row-level filtering, or audit.

For example:

Service    | Resource Levels                   | Actions
-----------|-----------------------------------|--------------------------------------
AWS Glue   | Database, Table, Column           | SELECT, INSERT, UPDATE, DROP
Snowflake  | Database, Schema, Table, Column   | SELECT, INSERT, UPDATE, DELETE, USAGE
S3         | Bucket, Path, Object              | READ, WRITE, DELETE
Kafka      | Topic, Consumer Group             | PUBLISH, CONSUME, CONFIGURE

Allow vs Deny

  • ALLOW: Grants the specified access to the principal (user/group/role).
  • DENY: Explicitly denies the access, even if other ALLOW policies would otherwise permit it.

Not all services support DENY policies. Some connectors, such as Snowflake and Unity Catalog, support only ALLOW policies; on those services a DENY policy item cannot be used to override an ALLOW. Always refer to the connector documentation for support details.

Policy Evaluation

When evaluating a request, Ranger:

  1. Matches the resource against defined policies.
  2. Evaluates the action (e.g., is SELECT allowed?).
  3. Checks the applicable principals (user, group, role).
  4. Applies DENY if a match exists (and is supported).
  5. Applies ALLOW if no deny is found and a matching allow exists.
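The following is an added example, not code from Apache Ranger or from this documentation, that models the five evaluation steps above in Python. The policy dictionaries are shaped loosely like Ranger's policy JSON (resources, policyItems, denyPolicyItems, accesses), but the exact field names, the DENY_SUPPORTED table, the "public" group and the "all" access type are assumptions for illustration; the resource matching is simplified to exact values plus wildcards, and masking and row filtering are not modelled. The point it demonstrates is the ordering: a matching DENY wins over any ALLOW, but only on services that support DENY, and with no match at all the default is deny.

```python
"""Simplified Ranger-style policy evaluation (added example, not Ranger's own code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Which services honour DENY policy items. Constructed sample: consult the
# connector documentation for the real support matrix.
DENY_SUPPORTED = {"hive": True, "kafka": True, "snowflake": False}


@dataclass
class Request:
    service: str
    resource: dict            # e.g. {"database": "sales", "table": "orders"}
    action: str               # e.g. "select"
    user: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)


def resource_matches(policy_res: dict, req_res: dict) -> bool:
    """Step 1: every resource level the policy names must match the request.
    Values may be wildcards ('*', 'orders_*'). Simplification: hierarchy
    inheritance (a database-level policy covering its tables) is not modelled."""
    for level, patterns in policy_res.items():
        if level not in req_res:
            return False
        if not any(fnmatchcase(req_res[level], p) for p in patterns):
            return False
    return True


def item_matches(item: dict, req: Request) -> bool:
    """Steps 2 and 3: the item names the requested action (or 'all') and one of
    the request's principals (user, group, role, or the assumed 'public' group)."""
    principal_hit = (
        req.user in item.get("users", [])
        or bool(req.groups & set(item.get("groups", [])))
        or bool(req.roles & set(item.get("roles", [])))
        or "public" in item.get("groups", [])
    )
    action_hit = any(
        a["type"] in (req.action, "all") and a.get("isAllowed", True)
        for a in item.get("accesses", [])
    )
    return principal_hit and action_hit


def evaluate(policies: list, req: Request) -> tuple:
    """Return (decision, reason). DENY wins over ALLOW where the service supports
    it; with no matching ALLOW the request is denied by default."""
    allow_hit = None
    for pol in policies:
        if pol.get("service") != req.service or not pol.get("isEnabled", True):
            continue
        if not resource_matches(pol["resources"], req.resource):
            continue
        # Step 4: deny items take precedence, but only on DENY-capable services.
        if DENY_SUPPORTED.get(req.service, False):
            for item in pol.get("denyPolicyItems", []):
                if item_matches(item, req):
                    return "DENY", f"denied by policy {pol['name']}"
        # Step 5: remember the first matching allow, but keep scanning for denies.
        if allow_hit is None:
            for item in pol.get("policyItems", []):
                if item_matches(item, req):
                    allow_hit = pol["name"]
                    break
    if allow_hit:
        return "ALLOW", f"allowed by policy {allow_hit}"
    return "DENY", "no matching allow policy (default deny)"


# Constructed sample policies: analysts may SELECT in sales.*, except contractor1.
SAMPLE_POLICIES = [
    {
        "name": "sales-analysts-read", "service": "hive", "isEnabled": True,
        "resources": {"database": ["sales"], "table": ["*"]},
        "policyItems": [{"groups": ["analysts"],
                         "accesses": [{"type": "select", "isAllowed": True}]}],
        "denyPolicyItems": [{"users": ["contractor1"],
                             "accesses": [{"type": "select", "isAllowed": True}]}],
    },
    {
        # Same intent on an ALLOW-only connector: the deny item has no effect.
        "name": "sf-analysts-read", "service": "snowflake", "isEnabled": True,
        "resources": {"database": ["analytics"], "schema": ["public"], "table": ["*"]},
        "policyItems": [{"groups": ["analysts"],
                         "accesses": [{"type": "select", "isAllowed": True}]}],
        "denyPolicyItems": [{"users": ["contractor1"],
                             "accesses": [{"type": "select", "isAllowed": True}]}],
    },
]

if __name__ == "__main__":
    hive_orders = {"database": "sales", "table": "orders"}
    for user in ("alice", "contractor1", "bob"):
        req = Request("hive", hive_orders, "select", user,
                      groups={"analysts"} if user != "bob" else set())
        print(user, evaluate(SAMPLE_POLICIES, req))
```

Running the block shows alice allowed, contractor1 denied by the deny item, and bob (no matching principal) denied by default. The same contractor1 request against the Snowflake policy comes back ALLOW because the deny item is skipped on an ALLOW-only service, which is exactly why the section above tells you to check connector support before relying on DENY to carve out exceptions.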

Fine-Grained Controls

Some actions support additional controls like:

  • Masking: Applies only to SELECT on specific columns; the column value is transformed (for example, hashed or partially redacted) rather than returned as stored.
  • Row-Level Filtering: Applies only to SELECT; restricts which rows the principal can read.
  • Access Conditions: Use ABAC or tag-based expressions for dynamic permissions.

Best Practices

  • Use the least privilege principle: grant only necessary actions.
  • Avoid using ALL or * unless needed for system roles.
  • Use column masking and row filtering for sensitive data access.
  • Audit and monitor actions using Ranger's audit capabilities.
