Hi Polaris Community,

I’m seeking feedback on an RFC to introduce an Apache Ranger-based 
authorization plugin for Apache Polaris. 
While Polaris's internal authorization works well for core needs, many 
enterprises adopting the platform already rely on Ranger as their de-facto 
framework for centralized policy administration and governance.

The motivation for this integration is simple: it allows organizations to 
manage Polaris security within their existing ecosystem alongside Hive, Spark, 
and Trino, effectively solving several pain points:
- Policy Duplication: Eliminates the need to recreate identical policies across
  different systems.
- Audit Alignment: Provides centralized auditing and enterprise-grade governance
  through the Ranger ecosystem.
- RBAC Limitations: Addresses "role explosion" by leveraging Ranger’s support for
  attribute-based access control (ABAC) and fine-grained resource-based policies.

How it works:
The proposed RangerPolarisAuthorizer implements the PolarisAuthorizer SPI.
When Polaris receives an authorization request, it delegates the decision to 
the Ranger plugin, which evaluates policies, tags, and roles defined in Apache 
Ranger.
To ensure performance, the plugin caches and periodically refreshes policies 
from the Ranger Admin. 

Safe to Trial:
This is strictly an opt-in feature. The existing internal authorization model 
remains the default, and backward compatibility is maintained.
Users can enable the plugin via configuration (e.g., 
polaris.authorization.type=ranger).

The RFC is available for review here:  RFC: Apache Ranger Authorizer Plugin for 
Apache Polaris 
<https://docs.google.com/document/d/10UIpPMeWVU3VA0goGz_y8OAbXhIDigah/edit?usp=sharing&ouid=103452742845206345322&rtpof=true&sd=true>

The corresponding Issue/PR can be found here:  
https://github.com/apache/polaris/pull/3928

I look forward to your thoughts and feedback!

Best regards,
Selva-
=====================
Selvamohan Neethiraj,
Apache Ranger PMC Chair
=====================

