Differences between built-in access control and Apache Ranger
This document lists the most important differences between built-in access control and system access control using Apache Ranger.
Built-in access control overview provides configuration instructions and a terminology overview.
Built-in access control roles describes the roles-first approach of this system.
Built-in access control privileges describes the entities that can be tracked and the privileges settable on each.
This page compares the built-in system with Ranger.
Unsupported features
The following Ranger features are not available with built-in access control:
- Concept of an OWNERSHIP privilege.
- Security zones.
- Tag-based policies.
- Ranger's ALL privilege is not supported; instead, a separate grant is created for each supported privilege. You can run the command SET ROLE ALL, but this enables only the privileges listed in SQL support and limitations.
- Wildcard resource policies: in the built-in system, it is not possible to create a grant on all tables with names starting with the same prefix. However, it is possible to create a grant on all tables in a schema. That is, in Ranger you can specify all tables with a direct * wildcard for the table entity, whereas in the built-in system you first select a schema, an entity of its own, and can then wildcard all tables in that schema.
- Sharing access policies between clusters is not supported, because there is no central service that manages access control data.
Behavioral differences
In Ranger, each user has all assigned roles enabled by default, except the admin role, which is never enabled automatically. Similarly, in the built-in access control system, each user has all assigned roles enabled by default, except the sysadmin role.
However, with built-in access control, it is possible to assume one specific role using SET ROLE. In Ranger, this is not possible.
Semantic differences
- Ranger's privilege to modify a property's value is SET, while in built-in access control it is UPDATE.
- Ranger's privilege to list queries is SELECT, while in built-in access control it is SHOW.
- Built-in access control has a separate privilege, SHOW, to allow SHOW CREATE. In Ranger, the action is allowed whenever the user has one of the CREATE, ALTER, or DROP privileges on the entity.
Other differences
The built-in access control does not store any information about users and groups; users are only identified by a name, and group membership is determined by an authentication system and/or a group provider.
However, the built-in access control system stores information about roles, because they are the focus of the RBAC model.