Differences between built-in access control and Apache Ranger

This document lists the most important differences between built-in access control and system access control using Apache Ranger.

Unsupported features

The following Ranger features are not available with built-in access control:

  • Concept of an OWNERSHIP privilege.

  • Security zones.

  • Tag-based policies.

  • Deny policies.

  • Column masking.

  • Row filters.

  • Ranger’s ALL privilege is not supported; instead, a separate grant is created for each supported privilege. You can run the command SET ROLE ALL, but this enables only the privileges listed in SQL support and limitations.

  • Wildcard resource policies:

    • In the built-in system, it is not possible to create a grant on all tables whose names start with the same prefix.

    • However, it is possible to create a grant on all tables in a schema. In Ranger you cover all tables directly with a * wildcard for the table entity; in the built-in system you first select a schema, which is an entity of its own, and can then wildcard all tables in that schema.

  • Sharing access policies between clusters is not supported, because there is no central service that manages access control data.

Behavioral differences

In Ranger, each user has all assigned roles enabled by default, except the admin role, which is never enabled automatically. Similarly, in the built-in access control system, each user has all assigned roles enabled by default, except the sysadmin role.

However, with built-in access control, it is possible to assume one specific role using SET ROLE. In Ranger, this is not possible.
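The following session illustrates the SET ROLE behavior described above. It is an added example, not part of the original documentation; the role names analyst and sysadmin-like elevated roles are assumed for illustration, and the grants attached to them are hypothetical.

```sql
-- Added example (not from the original page): assumed roles and grants.
-- At session start, every role assigned to the user is enabled, except the
-- sysadmin role, which is never enabled automatically.

-- Narrow the session to one assigned role so that only that role's grants
-- apply (least privilege for the duration of the session).
SET ROLE analyst;

-- Work performed here is authorized only through the grants of 'analyst'.
SELECT count(*) FROM sales.orders;

-- Return to the default state: all assigned roles enabled again. Note that
-- SET ROLE ALL does not enable Ranger-style ALL privileges; it enables only
-- the privileges the built-in system supports for the roles you hold.
SET ROLE ALL;
```

Assuming a single role before running a job is a useful habit when a user holds several roles with overlapping grants: an audit record then shows which role authorized the action, and an unintended write through a broader role is prevented for the duration of the session.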

Semantic differences

  • Ranger’s privilege to modify a property’s value is SET, while in built-in access control, it is UPDATE.

  • Ranger’s privilege to list queries is SELECT, while in built-in access control, it is SHOW.

  • Built-in access control has a separate privilege, SHOW, that allows SHOW CREATE. In Ranger, the action is allowed whenever the user has one of the CREATE, ALTER, or DROP privileges on the entity.

Other differences

The built-in access control system does not store any information about users and groups; users are identified only by name, and group membership is determined by an authentication system and/or a group provider.

However, the built-in access control system stores information about roles, because they are the focus of the RBAC model.