Access Policy Definition in Apache Ranger¶
Apache Ranger provides a unified policy model to control access to data across a variety of services. Policies in Ranger define who can perform what actions on which resources under what conditions. The policy framework supports multiple levels of access control, allowing enterprises to implement both coarse-grained and fine-grained security controls.
Overview¶
Apache Ranger provides a unified policy model for controlling data access across various services. Policies define who can perform what actions on which resources under what conditions. The policy framework supports multiple levels of access control, allowing enterprises to implement both coarse-grained and fine-grained security controls.
Prerequisites¶
Before working with access policies, you should be familiar with: - Basic concepts of access control - Your organization's security requirements - The data services you need to protect - User and group management in your environment
Policy Evaluation Flow¶
In Apache Ranger, by default permissions are DENY unless explicitly allowed. Even if there is an ALLOW policy, there are checks like Policy Conditions or explicit DENY policies that can override the ALLOW policy.
DENY Policy Support
DENY policies are not supported by all connectors, particularly PolicySync Connectors. For specific details, refer to the respective connector documentation.
The following flowchart illustrates how Apache Ranger evaluates access requests:
flowchart TD
A[Request to access resource] --> B[Obtain tags]
B --> C[Check tag deny]
C -- Yes --> D1[[DENY]]
C -- No --> D[Check resource deny]
D -- Yes --> D1
D -- No --> E[Check tag allow]
E -- Yes --> C1[Check Tag Conditions is True]
C1 -- Yes --> F1[[ALLOW]]
C1 -- No --> F[Check resource allow]
E -- No --> F
F -- No --> D1
F -- Yes --> C2[Check Resource Conditions is True]
C2 -- Yes --> F1Types of Policies¶
Apache Ranger supports three core types of access policies:
1. Resource-Based Policies¶
These are the most common policies in Ranger and are tied directly to specific resources such as databases, tables, or file paths. They are primarily used for Role-Based Access Control (RBAC).
Examples: * Allow SELECT on table sales_data to the group analysts. * Deny DELETE on S3 path /archive/ to the user temp_user.
Read Resource-Based Policies for more details.
2. Tag-Based Policies¶
Tag-based policies allow access control based on classification tags rather than specific resource names. These policies are defined in a dedicated Tag Service and are evaluated based on the tags associated with the resource.
Examples: * Allow access to all data tagged PII only to users in the compliance_team. * Mask columns tagged Confidential for non-admin users.
Read Tag-Based Access Control for more details.
3. Attribute-Based Access Control (ABAC)¶
ABAC policies use dynamic expressions based on user, group, or resource attributes to enforce access control. These expressions can be included in policy conditions, masking rules, or row-level filters.
Examples: * Allow access only if ${{USER.department}} == 'finance'. * Allow access to rows where region = ${{USER.region}}.
Read Attribute-Based Access Control for more details.
Policy Details¶
Policies in Apache Ranger contain several fields that define the target resource (or tags), who has access, what type of access is granted or denied, and under what conditions. Below are the key components:
Policy Field Requirements
Not all fields are mandatory. Also, details for Resource, Tag-Based, and Row-Level policies are under different menu structures.
Basic Policy Information¶
| Field | Description |
|---|---|
| Policy Name | A unique name for identifying the policy. |
| Description | Optional field to describe the policy's purpose. |
| Resource | One or more data entities the policy applies to (e.g., database, table, column, path). |
| Tags | Tags (if any) used to classify the resource and apply tag-based policies. |
Access Control Components (Policy Items)¶
These are the set of allow or deny rules that map users/groups/roles to access types. There can be multiple policy items within a single policy.
| Field | Description |
|---|---|
| Principals | Users, groups, or roles to which the policy applies. |
| Access Types | The operations granted or denied (e.g., SELECT, READ, WRITE, DELETE). |
| Conditions | Optional logic (e.g., ABAC expressions or time validity macros) to refine policy enforcement. |
| Masking/Filtering | Optional rules for masking or row-level filtering, usually for SELECT access. |
| Delegate Admin | Specifies if a user or group has permission to manage the policy. |
| Enabled | Determines if the policy is active. |
Each policy can have multiple policy items, and within each item, you can define specific users, groups, roles, access types, and even conditions.
Ranger Plugin Policy Evaluation Logic¶
Overview¶
The Ranger plugin determines which policies to apply during resource evaluation based on the security zone association of the resource.
Policy Selection Rules¶
Rule 1: Resource with Single Security Zone¶
When: A resource is associated with exactly one security zone
Action: Use only the tag and resource policies defined for that specific security zone
Example: If a database table belongs to the "Production" security zone, only policies configured for the "Production" zone will be evaluated.
Rule 2: Resource with No Security Zone or Multiple Security Zones¶
When: A resource either:
- Is not associated with any security zone(default zone), OR
- Is associated with multiple security zones
Action: Use the default zone's tag and resource policies for evaluation
Example: If a file has no zone assignment or belongs to both "Development" and "Testing" zones, the default zone policies will be applied.
Summary¶
- Single zone assignment → Use that zone's policies
- No zone or multiple zones → Use default zone policies
This ensures consistent policy enforcement while allowing zone-specific configurations when appropriate.
Setup Required for Enforcing Tag Policies¶
Association of Services:
- It is mandatory, the resource service must be associated with the tag service.
Configuration in Security Zones:
- For resources configured in a security zone, the tag services associated with the resource service must also be configured in the same security zone for the tag policies to be enforced.
Example: If a security zone named s3_zone is created with the privacera_s3 service and access is managed using tag-based policies under the privacera_tag service, then the privacera_tag service must also be added to the privacera_s3 repository and associated with the s3_zone.
Note
If a tag service is not associated with the security zone or a resource service, policy enforcement will be carried out through the Access policies configured within that security zone.
Policy Precedence
In general, tag-based policies take precedence over resource-based policies during evaluation. When both tag and resource policies are applicable to a resource, the tag policies are evaluated first in the policy evaluation flow. This precedence rule applies to both zone-based and default zone policies as well
Related Topics¶
- Resource-Based Policies
- Tag-Based Access Control
- Attribute-Based Access Control
- Policy Conditions
- Row-Level Filtering
- Prev topic: About OLAC
- Next topic: Resource-Based Policies