How to choose between apache ranger and sentry

Asked 5/9, 2016 at 8:22 Answered 21/5, 2019 at 22:27

security hadoop apache-sentry apache-ranger

From the wiki provided by those 2 projects, I found it seems they did the similar job. But there must be some difference or it's no need for 2.

So what are the differences, and what is the practical advice to choose from one another.

thx a lot!

Booted answered 5/9, 2016 at 8:22 Comment(1)

open source software doesn't protect against vendor lock-in. They nearly 100% overlap and is just part of the hortonworks vs cloudera vendor wars. – Iolenta 8/3, 2017 at 21:47

Great answers above.

Just quick update with Cloudera+Hortonworks merge last year. These companies have decided to standardize on Ranger. CDH5 and CDH6 will still use Sentry until CDH product line retires in ~2-3 years. Ranger will be used for Cloudera+Hortonworks' combined "Unity" platform / CDP product.

Cloudera were saying to us that Ranger is a more "mature" product. Since Unity hasn't released yet (as of May 2019), something may come up in the future, but that's the current direction. (Oct 2019 update: Unity is now known as CDP and is available for beta testing; will be available for cloud deployments soon, and in 2020 for on-prem customers)

If you're a former Cloudera customer / or CDH user, you would still have to use Apache Sentry. There is a significant overlap between Sentry and Ranger, but if you start fresh, definitely look at Ranger.

Taritariff answered 21/5, 2019 at 22:27 Comment(0)

You can use Sentry or Ranger depends upon what hadoop distribution tool that you are using like Cloudera or Hortonworks.

Apache Sentry - Owned by Cloudera. Supports HDFS, Hive, Solr and Impala. (Ranger will not support Impala)
Apache Ranger - Owned by Hortonworks. Apache Ranger offers a centralized security framework to manage fine-grained access control across: HDFS, Hive, HBase, Storm, Knox, Solr, Kafka, and YARN

https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Tutorial http://hortonworks.com/apache/ranger/

Thx Kumar

Aleppo answered 18/11, 2016 at 16:35 Comment(0)

Apache Ranger overlaps with Apache Sentry since it also deals with authorization and permissions. It adds an authorization layer to Hive, HBase, and Knox. Both Sentry and Ranger support column-level permissions in Hive (startig from 1.5 release).

Ref: https://www.xplenty.com/blog/2014/11/5-hadoop-security-projects/

you can also check RecordService. RecordService provides an abstraction layer between compute frameworks and data storage. It provides row- and column-level security, and other advantages.

Ref: http://blog.cloudera.com/blog/2015/09/recordservice-for-fine-grained-security-enforcement-across-the-hadoop-ecosystem/

http://recordservice.io/

Footy answered 10/11, 2016 at 11:0 Comment(1)

Thanks Deepak, note that Sentry also support column-level permission since 1.5: blogs.apache.org/sentry/entry/sentry_1_5_0_release. – Booted 11/11, 2016 at 10:16

Both manage permissions based on role-table grants. Ranger provides dynamic data masking (in transit). Both integrated with Informatica's Secure at Source (Identify risky data stores in the Enterprise) to deliver Data Governance solution.

Onesided answered 10/5, 2018 at 4:13 Comment(0)

Recommended topics

Hot tags