Hi Selva,

Thanks for starting this proposal in Polaris!

I've read through the doc (but not the PR yet) and left some minor comments
there. Overall, it looks great!

I have two main questions, which I'd like to discuss before diving into the
PR:

1) Is the "audit" part specific to Ranger? Could it be extended to other
Authorizers in Polaris (e.g. OPA)?

I'd like to propose making it optional (opt in/out controlled by
the Polaris Server admin). WDYT?

2) How do you envision configuring connection credentials in the Ranger
Authorizer (to connect to Ranger services)?

Side note: IIRC, the OPA Authorizer uses file-based access tokens in
Polaris. If you did not have any other proposal, we could probably extend
this pattern to the Ranger Authorizer too. We can certainly discuss
enhancing this system later (e.g. via the Secrets Manager [1]).

[1] https://lists.apache.org/thread/68r3gcx70f0qhbtz3w4zhb8f9s4vvw1f

Thanks,
Dmitri.

On Wed, Mar 4, 2026 at 2:27 AM Selvamohan Neethiraj <[email protected]>
wrote:

> Hi Polaris Community,
>
> I’m seeking feedback on an RFC to introduce an Apache Ranger-based
> authorization plugin for Apache Polaris.
> While Polaris's internal authorization works well for core needs, many
> enterprises adopting the platform already rely on Ranger as their de facto
> framework for centralized policy administration and governance.
>
> The motivation for this integration is simple: it allows organizations to
> manage Polaris security within their existing ecosystem alongside Hive,
> Spark, and Trino, effectively solving several pain points:
> - Policy Duplication: Eliminates the need to recreate identical policies
>   across different systems.
> - Audit Alignment: Provides centralized auditing and enterprise-grade
>   governance through the Ranger ecosystem.
> - RBAC Limitations: Addresses "role explosion" by leveraging Ranger’s
>   support for attribute-based access control (ABAC) and fine-grained
>   resource-based policies.
>
> How it works:
> The proposed RangerPolarisAuthorizer implements the PolarisAuthorizer SPI.
> When Polaris receives an authorization request, it delegates the decision
> to the Ranger plugin, which evaluates policies, tags, and roles defined in
> Apache Ranger.
> To ensure performance, the plugin caches and periodically refreshes
> policies from the Ranger Admin.
>
> Safe to Trial:
> This is strictly an opt-in feature. The existing internal authorization
> model remains the default, and backward compatibility is maintained.
> Users can enable the plugin via configuration (e.g.,
> polaris.authorization.type=ranger).
>
> The RFC is available for review here:  RFC: Apache Ranger Authorizer
> Plugin for Apache Polaris <
> https://docs.google.com/document/d/10UIpPMeWVU3VA0goGz_y8OAbXhIDigah/edit?usp=sharing&ouid=103452742845206345322&rtpof=true&sd=true
> >
>
> The corresponding Issue/PR can be found here:
> https://github.com/apache/polaris/pull/3928
>
> I look forward to your thoughts and feedback!
>
> Best regards,
> Selva-
> =====================
> Selvamohan Neethiraj,
> Apache Ranger PMC Chair
> =====================
>
>
>
