Differences between built-in access control and Apache Ranger
This document lists the most important differences between built-in access control and system access control using Apache Ranger.
Built-in access control overview provides configuration instructions and a terminology overview.
Built-in access control roles describes the roles-first approach of this system.
Built-in access control privileges describes the entities that can be tracked and the privileges settable on each.
This page compares the built-in system with Ranger.
The following Ranger features are not available with built-in access control:
- The concept of an `ALL` privilege is not supported; instead, a separate grant is created for each supported privilege. You can run the command `SET ROLE ALL`, but this enables only the privileges listed in SQL support and limitations.
- Wildcard resource policies: in the built-in system, it is not possible to create a grant on all tables whose names start with the same prefix. It is, however, possible to create a grant on all tables in a schema. That is, in Ranger you can specify all tables with a direct `*` wildcard for the table entity, whereas in the built-in system you first select a schema, which is an entity of its own, and can then wildcard all tables in that schema.
- Sharing access policies between clusters is not supported, because there is no central service that manages access control data.
- In Ranger, each user has all assigned roles enabled by default, except the `admin` role, which is never enabled automatically. Similarly, in the built-in access control system, each user has all assigned roles enabled by default. However, with built-in access control, it is possible to assume one specific role with `SET ROLE`. In Ranger, this is not possible.
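The following is an added example, not part of the original page, showing how the two differences above (one grant per privilege instead of an `ALL` privilege, and activating a single assigned role with `SET ROLE`) look as standard Trino SQL statements. It assumes the built-in system accepts these statements (see SQL support and limitations); the catalog, schema, table and role names are placeholders.

```sql
-- Constructed example: catalog "sales", schema "public", table "orders" and
-- role "order_analyst" are placeholders, not values from the page.

-- No ALL privilege exists in the built-in system, so each privilege the role
-- needs is granted explicitly and recorded as its own grant.
GRANT SELECT, INSERT ON TABLE sales.public.orders TO ROLE order_analyst;

-- All assigned roles are enabled by default. The built-in system lets a user
-- narrow the session to one assigned role; Ranger has no equivalent.
SET ROLE order_analyst;

-- Return to the default state. SET ROLE ALL activates the roles the user
-- holds; it does not grant an ALL privilege.
SET ROLE ALL;
```

Narrowing a session to a single role is useful when a user holds several roles and wants to confirm that a query succeeds with only the least-privileged one.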
- Ranger's privilege to modify a property's value is `SET`, while in built-in access control, it is
- Ranger's privilege to list queries is `SELECT`, while in built-in access control, it is
- Built-in access control has a separate privilege, `SHOW`, to allow `SHOW CREATE`. In Ranger, the action is allowed whenever the user has one of `DROP` privileges on the entity.
- The built-in access control system does not store any information about users and groups; users are identified only by name, and group membership is determined by the authentication system and/or a group provider. However, the built-in access control system does store information about roles, because they are the focus of the RBAC model.