Apache Ranger is a security framework that implements fine-grained access control across Hadoop components in a centralized manner. The Hadoop components include HDFS, Hive, YARN, Kafka, Storm, and Solr. You can manage access policies on the Ranger UI.
Architecture

- Ranger Admin
You can use Ranger Admin to create and update access policies. The policies are stored in a database. The plug-ins for Hadoop components poll the access policies on a regular basis.
- Ranger Plug-ins
The plug-ins for Hadoop components are embedded in cluster processes as lightweight Java programs. For example, the Hive plug-in is embedded in the Hiveserver2 process. The plug-ins obtain policies from Ranger Admin and store the policies in local files. When Ranger receives a request from a user of a Hadoop component, the plug-in for the component obtains the request, and then evaluates the request based on the access policies.
- Ranger UserSync
UserSync is a user information synchronization tool. It is used to fetch user and user group information from the UNIX system or an LDAP server. The information is stored in the database of Ranger Admin and is used to define policies.
Add the Ranger service to a cluster
- If you are creating a Hadoop cluster of EMR V2.9.2, EMR V3.9.0, or a later minor version,
select Ranger from optional services in the Software Settings step.
- If you want to enable Ranger for an existing Hadoop cluster of EMR V2.9.2, EMR V3.9.0,
or a later minor version, add the Ranger service on the Cluster Management page. Note You can configure access policies for Linux users and LDAP users in your cluster in Ranger.
Access the Ranger UI
Before you access the Ranger UI, make sure that a security group is configured, which indicates that you are allowed to access the Hadoop cluster on the current network. For more information, see Access the web UIs of open source components.
Integrate components with Ranger
You can use plug-ins to integrate the open source components in the cluster with Ranger. After a component is integrated, you can use Ranger to implement fine-grained access control on the component.
Manage users
FAQ
Q: What do I do if I cannot log on to the Ranger UI with the default password?
- Log on to the master node of your cluster. For more information, see Log on to a cluster.
- Run the following command to reset the password of the admin user:
mysql -urangeradmin -prangeradmin update ranger.x_portal_user set password="ceb4f32325eda6142bd65215f4c0f371" where login_id="admin";