Ranger Configuration
What is Apache Ranger?
Apache Ranger is a centralized security framework for data platforms.
Instead of each service managing its own access rules, Ranger provides a single point where you define who can do what on which resource — and all integrated services consult those policies in real time.
In TDP Kubernetes, Ranger secures three services:
| Service | What Ranger controls |
|---|---|
| Apache Kafka | Which users can produce or consume on which topics |
| Apache NiFi | Access to NiFi components and flows |
| Trino | Access to catalogs, schemas, and tables in SQL queries |
See Apache Ranger — Concepts for a complete overview of the tool, its plugin model and how it works.
How Ranger works in practice
The Ranger model is based on plugins: each integrated service installs a plugin that intercepts access requests and validates them against the policies defined in Ranger Admin. This process is transparent to the end user — they simply receive an access granted or denied response.
Ranger also records all access decisions in audit logs, stored in Apache Solr (included as a subchart of tdp-ranger).
This allows you to track who accessed what and when — essential for compliance and incident investigation.
The integration process
The tdp-ranger chart uses a configJob — a Kubernetes Job that waits for Ranger to become available and then registers the plugins and default policies.
This job is controlled by rangerIntegrations.configJob.enabled and runs automatically after installation.
Overview
| Property | Value |
|---|---|
| Chart | tdp-ranger |
| Ranger Version | 2.7.0 |
| Chart Version | 3.0.0 |
| Registry (OCI) | oci://registry.tecnisys.com.br/tdp/charts/tdp-ranger |
Installation (OCI)
```shell
helm install <release> oci://registry.tecnisys.com.br/tdp/charts/tdp-ranger -n <namespace> --create-namespace
```
Main parameters
| Parameter | Description | Default value |
|---|---|---|
| tdp-ranger.enabled | Enable the Ranger deploy | true |
| tdp-ranger.clusterLabel | Cluster label | tdp |
| tdp-ranger.ranger.adminUser | Ranger admin user | admin |
| tdp-ranger.ranger.adminPassword | Ranger admin password | not set |
| tdp-ranger.ranger.dbUser | Database user | ranger |
| tdp-ranger.ranger.dbPassword | Database password | "" |
| tdp-ranger.ranger.existingSecret | Existing Secret for DB credentials | <release>-ranger-database |
| tdp-ranger.ranger.existingSecretPasswordKey | Password key in the Secret | password |
| tdp-ranger.ranger.database.host | Database host | <postgresql-service>.<namespace>.svc.cluster.local |
| tdp-ranger.ranger.database.port | Database port | 5432 |
| TDPConfigurations.externalDatabase.enabled | Enable external DB bootstrap Job (db-create-job) | false |
| TDPConfigurations.externalDatabase.recreate | Recreate DB on install/upgrade | true |
| TDPConfigurations.externalDatabase.externalSecret.releaseName | PostgreSQL release name | tdp-postgresql |
| TDPConfigurations.externalDatabase.externalSecret.area | Area suffix (Secret name construction) | project |
| rangerIntegrations.configJob.enabled | Enable integrations job | true |
| rangerIntegrations.configJob.image | Job image | python:3.11-slim |
| rangerIntegrations.configJob.rangerReadyTimeout | Readiness timeout (s) | 600 |
| rangerIntegrations.configJob.retryInterval | Retry interval (s) | 10 |
| rangerIntegrations.kafka.enabled | Kafka integration | false |
| rangerIntegrations.nifi.enabled | NiFi integration | false |
| rangerIntegrations.trino.enabled | Trino integration | false |
| tdp-ranger.solr.persistence.enabled | Solr persistence | true |
| tdp-ranger.solr.persistence.size | Solr PVC size | 1Gi |
| tdp-ranger.solr.persistence.storageClassName | Solr StorageClass | "" |
Full list: run `helm show values` against the installed chart version.
External database
A Job (db-create-job) creates the Ranger database/user and writes credentials to a Secret. The Job is only created when:
- tdp-ranger.postgres.enabled=false, and
- TDPConfigurations.externalDatabase.enabled=true
The PostgreSQL admin password used by the Job comes from an existing Secret whose name is <releaseName>-<area> and whose expected key is postgres-password.
To explicitly disable the Job:
```shell
helm upgrade --install <release> oci://registry.tecnisys.com.br/tdp/charts/tdp-ranger \
  -n <namespace> \
  --set TDPConfigurations.externalDatabase.enabled=false
```
Integrations (Kafka, NiFi, Trino)
Configuration under rangerIntegrations. The same schema may appear under rangerIntegrations.*, tdp-ranger.rangerIntegrations.*, and global.rangerIntegrations.* (subcharts / global).
Each integration supports, among others: serviceName, serviceDisplayName, connection.*, credentials.*, defaultPolicies (list of policy objects).
Example enabling Kafka:
```shell
helm upgrade --install <release> oci://registry.tecnisys.com.br/tdp/charts/tdp-ranger \
  -n <namespace> \
  --set rangerIntegrations.kafka.enabled=true \
  --set rangerIntegrations.kafka.connection.bootstrapServers=<kafka-bootstrap-servers> \
  --set rangerIntegrations.kafka.connection.zookeeperConnect=<zookeeper-connect>
```
More YAML examples at: Integrations — Ranger.
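To make the configJob flow described above concrete (wait for Ranger Admin, then register the Kafka service and its default policies), here is an added illustrative script; it is not the tdp-ranger chart's own job code. The Ranger Admin URL, the mapping of the chart's `connection.*` values onto the Kafka service-definition keys `bootstrap.servers` / `zookeeper.connect`, and the sample policy values are assumptions.

```python
import base64
import json
import time
import urllib.request

RANGER_URL = "http://ranger-admin:6080"  # assumed in-cluster Ranger Admin URL


def wait_for_ranger(probe, timeout_s=600, interval_s=10, sleep=time.sleep):
    """Call probe() (e.g. an HTTP GET to Ranger Admin) until it returns True.
    Mirrors rangerReadyTimeout / retryInterval. Returns the attempt count;
    raises TimeoutError once timeout_s has been waited without success."""
    attempts, waited = 0, 0
    while True:
        attempts += 1
        if probe():
            return attempts
        if waited >= timeout_s:
            raise TimeoutError(f"Ranger Admin not ready after {timeout_s}s")
        sleep(interval_s)
        waited += interval_s


def kafka_service(name, bootstrap_servers, zookeeper_connect, display_name=None):
    """Body for POST /service/public/v2/api/service. Config keys follow Ranger's
    Kafka service definition; how the chart maps its values is an assumption."""
    return {"name": name, "displayName": display_name or name, "type": "kafka",
            "isEnabled": True, "configs": {"bootstrap.servers": bootstrap_servers,
                                           "zookeeper.connect": zookeeper_connect}}


def topic_policy(service, name, topics, users, accesses):
    """Body for POST /service/public/v2/api/policy: allow `users` the listed
    access types (e.g. publish, consume) on `topics`; everything else stays denied."""
    items = [{"users": list(users), "groups": [], "delegateAdmin": False,
              "accesses": [{"type": a, "isAllowed": True} for a in accesses]}]
    return {"service": service, "name": name, "isEnabled": True, "policyItems": items,
            "resources": {"topic": {"values": list(topics),
                                    "isExcludes": False, "isRecursive": False}}}


def post_json(path, body, user, password):
    """POST a JSON body to Ranger Admin using HTTP basic auth (the admin credentials)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(RANGER_URL + path, data=json.dumps(body).encode(),
                                 method="POST", headers={"Content-Type": "application/json",
                                                         "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

A real job would call `wait_for_ranger` with an HTTP probe, then `post_json` once for the service and once per entry in `defaultPolicies`.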
Access
Service names depend on the upstream subchart; list them by the release instance label:
```shell
kubectl -n <namespace> get svc -l app.kubernetes.io/instance=<release>
```
Troubleshooting
```shell
kubectl -n <namespace> get pods
kubectl -n <namespace> get jobs
kubectl -n <namespace> get events --sort-by=.lastTimestamp
kubectl -n <namespace> logs job/<job-name>
```
Uninstallation
```shell
helm uninstall <release> -n <namespace>
```