Thanks for the proposal, this looks like a great feature for Polaris. I left a few comments on the PR and look forward to the discussion.
Yufei

On Tue, Mar 10, 2026 at 4:45 PM Dmitri Bourlatchkov <[email protected]> wrote:

> Hi Selva,
>
> Thanks for starting this proposal in Polaris!
>
> I've read through the doc (but not the PR yet) and left some minor comments
> there. Overall, it looks great!
>
> I have two main questions, which I'd like to discuss before diving into the
> PR:
>
> 1) Is the "audit" part specific to Ranger? Could it be extended to other
> Authorizers in Polaris (e.g. OPA)?
>
> I'd like to propose making it optional (opt in/out controlled by
> the Polaris Server admin). WDYT?
>
> 2) How do you envision configuring connection credentials in the Ranger
> Authorizer (to connect to Ranger services)?
>
> Side note: IIRC, the OPA Authorizer uses file-based access tokens in
> Polaris. If you did not have any other proposal, we could probably extend
> this pattern to the Ranger Authorizer too. We can certainly discuss
> enhancing this system later (e.g. via the Secrets Manager [1])
>
> [1] https://lists.apache.org/thread/68r3gcx70f0qhbtz3w4zhb8f9s4vvw1f
>
> Thanks,
> Dmitri.
>
> On Wed, Mar 4, 2026 at 2:27 AM Selvamohan Neethiraj <[email protected]>
> wrote:
>
> > Hi Polaris Community,
> >
> > I’m seeking feedback on an RFC to introduce an Apache Ranger-based
> > authorization plugin for Apache Polaris.
> > While Polaris's internal authorization works well for core needs, many
> > enterprises adopting the platform already rely on Ranger as their de-facto
> > framework for centralized policy administration and governance.
> >
> > The motivation for this integration is simple: it allows organizations to
> > manage Polaris security within their existing ecosystem alongside Hive,
> > Spark, and Trino, effectively solving several pain points:
> > Policy Duplication: Eliminates the need to recreate identical policies
> > across different systems.
> > Audit Alignment: Provides centralized auditing and enterprise-grade
> > governance through the Ranger ecosystem.
> > RBAC Limitations: Addresses "role explosion" by leveraging Ranger’s
> > support for attribute-based access control (ABAC) and fine-grained
> > resource-based policies.
> >
> > How it works:
> > The proposed RangerPolarisAuthorizer implements the PolarisAuthorizer SPI.
> > When Polaris receives an authorization request, it delegates the decision
> > to the Ranger plugin, which evaluates policies, tags, and roles defined in
> > Apache Ranger.
> > To ensure performance, the plugin caches and periodically refreshes
> > policies from the Ranger Admin.
> >
> > Safe to Trial:
> > This is strictly an opt-in feature. The existing internal authorization
> > model remains the default, and backward compatibility is maintained.
> > Users can enable the plugin via configuration (e.g.,
> > polaris.authorization.type=ranger).
> >
> > The RFC is available for review here: RFC: Apache Ranger Authorizer
> > Plugin for Apache Polaris <
> > https://docs.google.com/document/d/10UIpPMeWVU3VA0goGz_y8OAbXhIDigah/edit?usp=sharing&ouid=103452742845206345322&rtpof=true&sd=true
> > >
> >
> > The corresponding Issue/PR can be found here:
> > https://github.com/apache/polaris/pull/3928
> >
> > I look forward to your thoughts and feedback!
> >
> > Best regards,
> > Selva-
> > =====================
> > Selvamohan Neethiraj,
> > Apache Ranger PMC Chair
> > =====================
