Why it matters
Compliance is the single biggest driver of Ranger adoption. GDPR, HIPAA, PCI-DSS, and every internal security policy demand that access be centrally controlled and auditable. Ranger produces the audit trail these frameworks require, in one queryable location, with one consistent format across every Hadoop service.
Ranger also lets security teams own security policy without needing to be Hadoop experts. Policies are written in a web UI by security engineers; the Hadoop admins do not touch them. This separation of duties is itself a compliance requirement in many organizations.
The architecture
Ranger has three main components. Ranger Admin is a web service that hosts the policy database, the authoring UI, and the audit browser. Ranger plugins are libraries embedded into each Hadoop service (HDFS NameNode, HiveServer2, HBase Master, etc.) that fetch policies from Admin and enforce them locally on every RPC. Solr or HDFS serves as the audit sink where every access decision is logged.
Policies are written in a resource-based model: specify the resource (path, database, table, topic), the users or groups, the allowed accesses, and optional conditions like time of day or IP address. Policies can also be tag-based, pulling classifications from Atlas so that any resource tagged 'PII' gets special handling.
How it works end to end
Ranger Admin runs as a Java web application backed by a database (MySQL or Postgres). Security engineers author policies through the UI. Each Ranger plugin embedded in a Hadoop service periodically polls Admin (default every 30 seconds) to sync the latest policies.
When a client makes a request to a Hadoop service, the plugin intercepts the request before the service's own authorization runs. The plugin evaluates Ranger policies against the request: matching resource, matching identity, matching accesses. The plugin returns allow or deny. If Ranger denies, the request is rejected immediately.
Every evaluation, allow or deny, is logged asynchronously to the audit sink. The audit record includes the resource, the identity, the operation, the decision, and the policy that led to the decision. Solr indexes these records so operators can search them; HDFS storage keeps a longer archive for compliance retention.