Ranger Configuration
What is Apache Ranger in TDP?
Apache Ranger is a centralized security framework for data platforms.
Instead of each service managing its own access rules, Ranger provides a single place to define who can do what on which resource.
Integrated services query those policies to allow or deny actions at runtime.
In TDP Kubernetes, Ranger acts as the central point for managing access policies for services that have an enabled integration.
Each integration uses the authorization mechanism compatible with the respective service to query Ranger Admin and enforce access decisions according to the configured policies.
See Apache Ranger - Concepts for a complete overview of the tool, its plugin model, and how it works.
Helm value structure
The tdp-ranger chart uses three main value blocks:
tdp-ranger:— Ranger Admin configuration: resources, credentials, database, Solr, OpenShift.rangerIntegrations:— automation for registering services in Ranger Admin and declarative policies.TDP-Settings:— TDP helpers for external database and HTTP/HTTPS exposure.
tdp-ranger:
ranger:
adminUser: admin
database:
host: "<POSTGRESQL_SERVICE>.<NAMESPACE>.svc.cluster.local"
port: 5432
Architecture and components
| Component | Role |
|---|---|
| Ranger Admin | Central UI and API for services, policies, and auditing |
| PostgreSQL | Stores Ranger metadata, such as policies, users, and configuration |
| Solr | Stores audit logs when enabled by the subchart |
| Plugins and integrations | Allow configured services to query Ranger for authorization |
| Integrations Job | Automates registration in Ranger Admin for services enabled in rangerIntegrations and for policies declared in defaultPolicies, when configured |
Ranger Admin is the central administration point.
Integrated services continue running their workloads normally, but query policies registered in Ranger to decide whether an action should be allowed.
Overview
| Property | Value |
|---|---|
| Chart | tdp-ranger |
| Ranger Version | 2.7.0 |
| Chart Version | 3.0.1 |
| Chart AppVersion | 2.7.0 |
| Registry | oci://registry.tecnisys.com.br/tdp/charts/tdp-ranger |
Related pages
- Security - Ranger: credentials, LDAP/AD, UserSync, LDAPS, and best practices.
- Integrations - Ranger: Ranger Admin registration automation, integration examples, and policies declared in
defaultPolicies. - External exposure - Ranger: Ranger Admin exposure through Ingress or Gateway API.
Prerequisites
Before installing or customizing the tdp-ranger chart, confirm:
- Kubernetes 1.32+, Red Hat OpenShift 4.19+, or Rancher Manager 2.10.x+.
- Helm 3.2.0+.
- A StorageClass available for persistent volumes.
- Tecnisys OCI registry reachable from the installation environment.
- A strong password defined for the Ranger administrator user.
- A previous decision about internal or external PostgreSQL for metadata.
- When using integrations: target services deployed, reachable over the network, and configured to use the compatible authorization mechanism.
- Installation
- Main parameters
- Configuration details
- Access & Security
- Troubleshooting
- Uninstallation
Installation
helm install <RELEASE_NAME> oci://registry.tecnisys.com.br/tdp/charts/tdp-ranger -n <NAMESPACE> --create-namespace --timeout 10m
Adjust credentials, database, Solr persistence, network exposure, and integrations through your values file.
On OpenShift, enable tdp-ranger.openshift.enabled=true to create the RoleBinding that binds the Ranger ServiceAccount to the anyuid SCC.
This is required because the Ranger container runs scripts that need elevated permissions.
helm install <RELEASE_NAME> oci://registry.tecnisys.com.br/tdp/charts/tdp-ranger -n <NAMESPACE> --create-namespace --timeout 10m --set tdp-ranger.openshift.enabled=true
Validate the RoleBinding in the namespace:
oc get rolebinding -n <NAMESPACE> | grep anyuid
oc describe rolebinding <RELEASE_NAME>-openshift-anyuid-scc -n <NAMESPACE>
Main parameters
| Parameter | Description | Default |
|---|---|---|
tdp-ranger.enabled | Enable Ranger deployment | true |
tdp-ranger.clusterLabel | Cluster label | tdp |
tdp-ranger.ranger.adminUser | Ranger admin user | admin |
tdp-ranger.ranger.adminPassword | Ranger admin password | ChangeMe!2026 (example — change before production) |
tdp-ranger.ranger.dbUser | Database user | ranger |
tdp-ranger.ranger.dbPassword | Database password | ChangeMe!2026 (example — change before production) |
tdp-ranger.ranger.existingSecret | Existing Secret for DB credentials | <RELEASE_NAME>-ranger-database |
tdp-ranger.ranger.existingSecretPasswordKey | Password key in the Secret | password |
tdp-ranger.ranger.database.host | Database host | <POSTGRESQL_SERVICE>.<NAMESPACE>.svc.cluster.local |
tdp-ranger.ranger.database.port | Database port | 5432 |
TDP-Settings.externalDatabase.enabled | Enable external DB bootstrap job | false |
TDP-Settings.externalDatabase.recreate | Recreate DB on install/upgrade | true |
TDP-Settings.externalDatabase.externalSecret.releaseName | PostgreSQL release name | tdp-postgresql |
rangerIntegrations.configJob.enabled | Enable integrations job | false |
rangerIntegrations.configJob.image | Job image | registry.tecnisys.com.br/community/images/python:3.11-slim |
rangerIntegrations.configJob.rangerReadyTimeout | Readiness timeout in seconds | 600 |
rangerIntegrations.configJob.retryInterval | Retry interval in seconds | 10 |
rangerIntegrations.kafka.enabled | Kafka integration | false |
rangerIntegrations.nifi.enabled | NiFi integration | false |
rangerIntegrations.trino.enabled | Trino integration | false |
tdp-ranger.solr.persistence.enabled | Solr persistence | true |
tdp-ranger.solr.persistence.size | Solr PVC size | 1Gi |
tdp-ranger.solr.persistence.storageClassName | Solr StorageClass | "" |
tdp-ranger.openshift.enabled | Creates RoleBinding for the anyuid SCC on OpenShift | false |
TDP-Settings.gateway.ingress.enabled | Enable Ingress for Ranger Admin | false |
TDP-Settings.gateway.gatewayApi.enabled | Enable HTTPRoute through Gateway API | false |
The Ranger Admin password must have at least 8 characters, with uppercase letters, lowercase letters, a number, and a special character.
For the complete parameter list, inspect the values of the installed chart version.
Database and auditing
Ranger uses PostgreSQL to store policies, users, and configuration.
The database can be provided by the release itself or by an existing external instance.
When using an external database, the bootstrap job creates the Ranger database and user and stores credentials in the Secret expected by the deployment.
This job is created only when the bundled PostgreSQL is disabled and TDP-Settings.externalDatabase.enabled=true.
The PostgreSQL administrator Secret name is defined by TDP-Settings.externalDatabase.externalSecret.releaseName (default: tdp-postgresql) and the expected key is postgres-password.
Permission errors, incorrect hostnames, or missing Secrets appear as bootstrap job failures.
Solr is used for auditing.
Keep persistence enabled and adjust tdp-ranger.solr.persistence.size and tdp-ranger.solr.persistence.storageClassName according to retention, event volume, and cluster operations policy.
Integrations
When integrations automation is enabled, the chart runs a configuration job after installation or upgrade.
This job acts on the Ranger Admin side: it waits for Ranger to become accessible, registers the services enabled in rangerIntegrations, and creates the policies declared in defaultPolicies, when configured.
It does not, by itself, configure the integrated service to query Ranger at runtime.
The integrated component must be configured according to that component's own documentation.
See Integrations - Ranger for examples.
Security
Replace example credentials, keep passwords in Secrets, and limit administrator permissions.
When using LDAP/AD, configure bind DN, user/group filters, UserSync, roles, and LDAPS according to the corporate directory.
See Security - Ranger for LDAP/AD, UserSync, LDAPS, credential, and best-practice details.
Access
List Services created by the release:
kubectl -n <NAMESPACE> get svc -l app.kubernetes.io/instance=<RELEASE_NAME>
Ranger Admin usually responds on the <RELEASE_NAME>-ranger Service at port 6080.
For local debugging:
kubectl -n <NAMESPACE> port-forward svc/<RELEASE_NAME>-ranger 6080:6080
Local access: http://localhost:6080.
External exposure
Ingress and Gateway API are mutually exclusive, controlled by TDP-Settings.gateway.*. Ranger Admin is exposed on port 6080.
For the complete values examples (Ingress and Gateway API), see External exposure.
Troubleshooting
kubectl -n <NAMESPACE> get pods
kubectl -n <NAMESPACE> get jobs
kubectl -n <NAMESPACE> get events --sort-by=.lastTimestamp
First verify that Ranger Admin is healthy and that the database responds.
Then validate bootstrap jobs, integration jobs, Solr PVC, Services, and namespace events.
Uninstallation
helm uninstall <RELEASE_NAME> -n <NAMESPACE>