Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Create a static/global instance of RangerBasePlugIn class (or a class derived from this). Keep a reference to this instance for later – to authorize resource access.

  2. Call init() on this instance. This will initialize the policy-engine with the authorization policies from local cache Ranger Admin and trigger a background thread to periodically update policies from the Ranger Admin.

  3. Register an audit handler, like RangerDefaultAuditHandler, with the plugin instance. Plugin will use this audit handler to generate audit logs of resource accesses.


  1. Extend class RangerBaseService and provide implementation of lookupResource() and validateConfig() methods.

  2. Provide the name of this class in service-type definition.

  3. Make Copy the library (jar file) that includes the class implementation available , and other libraries referenced by this class, under ranger-plugins/<service-type> directory in CLASSPATH of Ranger Admin.

Install the plug-in in the service:

The ranger-plugin for the service must be installed and configured to run in the service where the access authorization is to be performed. Please consult the documentation of the service for details of registering an authorizationauthorizer.

Service Type

Service Type Definition

Resources of a service, along with other details like type of resource accesses (read/write/create/delete/submit/…), configuration needed to connect to the service (url, username, password, …) , custom conditions to evaluate in policies (IP range, …), etc., are defined using JSON – as shown in the following example. For more up-to-date service-type JSON, please refer to one of the service-types in Apache Ranger source (here).

 Example: YARN Service Type definition