All Products
Search

This Product

    E-MapReduce:Ranger

    Document Center

    E-MapReduce:Ranger

    Last Updated:Nov 21, 2025

    Apache Ranger is a security framework that provides centralized, fine-grained access control for Hadoop components, such as HDFS, Hive, and YARN. The Ranger web UI lets you manage permissions on these components.

    Ranger components

    Ranger consists of three modules:
    • Ranger Admin

      You can use Ranger Admin to create and update access policies. The policies are stored in a database. The plug-ins for Hadoop components poll the access policies on a regular basis.

    • Ranger Plug-ins

      The plug-ins for Hadoop components are embedded in cluster processes as lightweight Java programs. For example, the Hive plug-in is embedded in the Hiveserver2 process. The plug-ins obtain policies from Ranger Admin and store the policies in local files. When Ranger receives a request from a user of a Hadoop component, the plug-in for the component obtains the request, and then evaluates the request based on the access policies.

    • Ranger UserSync

      UserSync is a user information synchronization tool. It is used to fetch user and user group information from the UNIX system or an LDAP server. The information is stored in the database of Ranger Admin and is used to define policies.

    Access the Ranger UI

    1. Add a security group rule to allow access through port 8443. For more information, see Add a security group rule.

    2. Go to the Access Links and Ports tab.

      1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.

      2. In the top menu bar, select the desired region and resource group.

      3. On the EMR on ECS page, click the name of the target cluster.

      4. Click the Access Links and Ports tab.

    3. On the Access Links and Ports page, click the link in the Ranger UI row.

    4. On the Ranger UI log on page, enter the username and password.

      • Data lake scenario (DataLake clusters)

        • EMR 3.44.0 and later, and EMR 5.10.0 and later

          The default username is admin, and the default password is Admin1234.

        • Versions earlier than EMR 3.44.0 and EMR 5.10.0

          The default username is admin, and the default password is admin1234.

      • Legacy data lake scenario (Hadoop clusters)

        The default username and password are both admin.

      If you forget the default password, see the FAQ section.

    5. After you log on for the first time, change the password and save it in a secure place.

      Note

      In versions earlier than EMR-3.53.0 and EMR-5.19.0 , you do not need to change the password. If you use the Ranger UI to change the password for the admin user, errors may occur in some components or logs:

      Request failed. loginId=null, logMessage="RANGER_ERROR_SERVICE_NOT_FOUND: ServiceName=emr-dls"
javax.ws.rs.WebApplicationException: null

      This error occurs because other services in the cluster still use the old password to connect to Ranger Admin, which causes authentication to fail.

      Solution: Change the password back to the initial password.

      mysql -urangeradmin -prangeradmin1234 
update ranger.x_portal_user set password="257e4521fee681b67583e2e7a4ac1c28" where login_id="admin";

      1. Click Settings at the top.

      2. Change the password for admin.

      3. In the upper-right corner, click admin > Log Out.

        You can then log on with the new password.

    FAQ

    If I change the administrator password in the Ranger UI, how do I ensure that the access control feature continues to work correctly?

    For clusters that run EMR V3.53.0 or later, or EMR V5.19.0 or later, if you change the administrator password in the Ranger UI, you must also update the ranger.admin.password configuration item on the Configuration tab of the Ranger service in the EMR console. Otherwise, enabling or disabling Ranger access control for components may fail.

    1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.

    2. Go to the Ranger service configuration page.

      1. In the Actions column of the target cluster, click Cluster Service.

      2. In the Ranger service section, click Configure.

    3. Search for the ranger.admin.password configuration item and change its value to the new password that you set in the Ranger UI.

    4. Save the configuration and follow the prompts to apply the changes.

    What do I do if I forget my password and cannot log on to the Ranger UI?

    Follow these steps:

    1. Log on to the master node of the cluster. For more information, see Log on to a cluster.

    2. Run the appropriate command to reset the admin password to the initial password.

      • DataLake clusters

        • EMR 3.44.0 and later, and EMR 5.10.0 and later

          mysql -urangeradmin -pRangeradmin1234 
update ranger.x_portal_user set password="07e47d323c1c36c1dc2cc3966027d6f9" where login_id="admin";

        • Versions earlier than EMR 3.44.0 and EMR 5.10.0

          mysql -urangeradmin -prangeradmin1234 
update ranger.x_portal_user set password="257e4521fee681b67583e2e7a4ac1c28" where login_id="admin";

      • Hadoop clusters

        mysql -urangeradmin -prangeradmin 
update ranger.x_portal_user set password="ceb4f32325eda6142bd65215f4c0f371" where login_id="admin";