Ranger Security and Data Fabric Security

Describes how Ranger security supplements the security features provided by the HPE Ezmeral Data Fabric.

Ranger Manages Security for Ecosystem Components

Security for the HPE Ezmeral Data Fabric ensures that platform services can communicate securely and that users can successfully leverage those services. The HPE Ezmeral Data Fabric supports all four pillars of security (authentication, authorization, auditing, and encryption) without external security tools. The pillars are supported through a combination of technologies, including Data Fabric SASL, PAM, and tickets.

Ranger security provides an easy-to-use, optional security framework that is implemented on top of the existing platform security. Ranger allows you to manage security for HPE Ezmeral ecosystem components. Ranger is available for users who are migrating from other platforms and who want a familiar security interface on the HPE Ezmeral Data Fabric.

Ranger Limitations

Ranger does not integrate with data-fabric platform security. You must manage Ranger security separately from Data Fabric security. To manage Ranger security, see Getting Started with Ranger. To manage Data Fabric security, see Security.

You can use Ranger to manage security for ecosystem components if a Ranger plug-in is available to support the component. In EEP 9.0.0, Ranger provides security for Hive operations, as only the Hive plug-in is currently available. Other plug-ins are being developed to expand Ranger's capabilities on the Data Fabric platform.

While Data Fabric security can be extended to support a secure trust relationship between two or more clusters, using Ranger across multiple Data Fabric clusters is currently not supported.

Data Fabric Security Invoked Before Ranger Security

Ranger is another component in the HPE Ezmeral Data Fabric ecosystem. Like the other ecosystem components, Ranger leverages platform security. Ranger services use Data Fabric security to communicate with each other. For example, Ranger clients (plug-ins) authenticate themselves to the Ranger Admin service using Data Fabric SASL tickets.

Using the Hive plug-in, Ranger can manage which users execute certain types of Hive Metastore queries. Both Hive and Ranger use Data Fabric SASL for service communications. Hive uses Data Fabric SASL for authentication, and also uses Ranger for authorization.

Data Fabric security is invoked before Ranger security. If a Ranger-authorized user attempts to perform an operation that the user is not authorized to perform on the platform, platform security disallows the operation. And the Ranger plug-in cannot enforce any rule governing the operation. For example, Ranger is invoked only after Hive is started properly and accessed by a user who performs a query. Data Fabric security manages all of those operations.