Apache Ranger Python client
Project description
Apache Ranger Python Client
apache-ranger is the official Python client package for Apache Ranger.
It provides typed helpers for Ranger Admin, user/group management, KMS,
Governed Data Sharing (GDS), and Policy Decision Point (PDP) APIs.
Requirements
- Python 3.13 or later
- Apache Ranger Admin, KMS, or PDP service reachable from your Python process
Installation
Install the client from PyPI:
pip install apache-ranger
For Kerberos/SPNEGO authentication, install the optional Kerberos dependency:
pip install requests-kerberos
Verify the installed package:
python -m pip show apache-ranger
Supported Clients
RangerClient: Ranger Admin APIs for service definitions, services, policies, roles, security zones, plugin information, and policy delta maintenance.RangerUserMgmtClient: user, group, and user-group management APIs.RangerKMSClient: Ranger KMS key management APIs.RangerGdsClient: Governed Data Sharing APIs for datasets, projects, datashares, shared resources, and GDS policies.RangerPDPClient: PDP authorization APIs for single authorization, batch authorization, and effective resource permissions.
Quick Start
Ranger Admin
from apache_ranger.client.ranger_client import RangerClient
ranger = RangerClient("http://localhost:6080", ("admin", "rangerR0cks!"))
services = ranger.find_services()
print(f"{len(services.list)} services found")
User And Group Management
from apache_ranger.client.ranger_client import RangerClient
from apache_ranger.client.ranger_user_mgmt_client import RangerUserMgmtClient
ranger = RangerClient("http://localhost:6080", ("admin", "rangerR0cks!"))
user_mgmt = RangerUserMgmtClient(ranger)
users = user_mgmt.find_users()
groups = user_mgmt.find_groups()
print(f"{len(users.list)} users found")
print(f"{len(groups.list)} groups found")
Ranger KMS
from apache_ranger.client.ranger_client import HadoopSimpleAuth
from apache_ranger.client.ranger_kms_client import RangerKMSClient
kms = RangerKMSClient("http://localhost:9292", HadoopSimpleAuth("keyadmin"))
print(kms.kms_status())
Governed Data Sharing
from apache_ranger.client.ranger_client import RangerClient
from apache_ranger.client.ranger_gds_client import RangerGdsClient
ranger = RangerClient("http://localhost:6080", ("admin", "rangerR0cks!"))
gds = RangerGdsClient(ranger)
datasets = gds.find_datasets()
print(f"{len(datasets.list)} datasets found")
Policy Decision Point
from apache_ranger.client.ranger_pdp_client import RangerPDPClient
from apache_ranger.model.ranger_authz import (
RangerAccessContext,
RangerAccessInfo,
RangerAuthzRequest,
RangerResourceInfo,
RangerUserInfo,
)
pdp = RangerPDPClient(
"http://localhost:6500",
auth=None,
headers={"X-Forwarded-User": "hive"},
)
request = RangerAuthzRequest({
"requestId": "req-1",
"user": RangerUserInfo({"name": "alice"}),
"access": RangerAccessInfo({
"resource": RangerResourceInfo({"name": "table:default/test_tbl1"}),
"permissions": ["select"],
}),
"context": RangerAccessContext({
"serviceType": "hive",
"serviceName": "dev_hive",
}),
})
result = pdp.authorize(request)
print(result.decision)
Authentication
Use the authentication mechanism configured for the Ranger service you are calling:
- Basic auth: pass a
(username, password)tuple toRangerClient. - Kerberos/SPNEGO: pass
requests_kerberos.HTTPKerberosAuth()after installingrequests-kerberos. - KMS Hadoop simple auth: use
HadoopSimpleAuth("user")when simple auth is enabled for Ranger KMS. - Custom headers or query parameters: pass
headersorquery_paramsto the client constructor when the deployment requires them. - PDP trusted-header or JWT auth: pass the configured trusted caller header or
Authorization: Bearer <token>header toRangerPDPClient.
Example Kerberos setup:
from requests_kerberos import HTTPKerberosAuth
from apache_ranger.client.ranger_client import RangerClient
ranger = RangerClient("https://ranger.example.com:6182", HTTPKerberosAuth())
PDP Request Notes
RangerPDPClient sends requests to the PDP REST APIs exposed under
/authz/v1.
authorize(request)callsPOST /authz/v1/authorize.authorize_multi(request)callsPOST /authz/v1/authorizeMulti.get_resource_permissions(request)callsPOST /authz/v1/permissions.
PDP authorization requests should include:
context.serviceType, for examplehive,hdfs, orkafka.context.serviceName, the Ranger service name.user.nameforauthorizeandauthorize_multicalls.
If the authenticated caller is different from request.user.name, the caller
must be allowed to delegate for that service. Without delegation permission, PDP
returns 403 FORBIDDEN.
Examples and Code References
The quick starts above cover the basics. For day-to-day API usage — creating services and policies, managing users, calling KMS or PDP, or working with GDS — use the runnable samples and client sources below.
Running sample scripts
After pip install apache-ranger, run a sample directly:
python ranger-examples/sample-client/src/main/python/sample_client.py
When working from a Ranger source checkout without installing the package, set
PYTHONPATH to the client sources first:
# from the repository root
PYTHONPATH=intg/src/main/python \
python ranger-examples/sample-client/src/main/python/sample_client.py
Edit the ranger_url, ranger_auth, and other connection settings at the top
of each sample before running it against your environment.
Runnable examples by task
| Task | Sample script | What it demonstrates |
|---|---|---|
| Ranger Admin — services, policies, roles, tags CRUD | sample_client.py |
service-def and service, access/data-masking/row-filter policies, roles, service tags |
| User and group management | user_mgmt.py |
List/create/delete users and groups, group-user mappings |
| Ranger KMS | sample_kms_client.py |
Key lifecycle, encrypt/decrypt/reencrypt, metadata and status |
| PDP AuthZ | sample_pdp_client.py |
Authz/MultiAuthz calls to PDP Server |
| Governed Data Sharing (GDS) | sample_gds_client.py |
Projects, datasets, datashares, shared resources, GDS policies |
| Security zones (v2) | security_zone_v2.py |
Create/update security zones and zone resources |
All samples live under
ranger-examples/sample-client/src/main/python.
Client API source code
Each public client is implemented under
intg/src/main/python/apache_ranger/client/:
| Client | Source file | REST base path |
|---|---|---|
RangerClient |
ranger_client.py |
service/public/v2/api |
RangerUserMgmtClient |
ranger_user_mgmt_client.py |
user/group APIs on Ranger Admin |
RangerKMSClient |
ranger_kms_client.py |
KMS REST APIs |
RangerGdsClient |
ranger_gds_client.py |
GDS APIs on Ranger Admin |
RangerPDPClient |
ranger_pdp_client.py |
/authz/v1 |
Request and response models are under
intg/src/main/python/apache_ranger/model/.
Unit tests
intg/src/test/python/test_ranger_client.py
contains mocked examples for Admin, GDS, and PDP client wiring. Run from
intg/:
PYTHONPATH=src/main/python python -B src/test/python/test_ranger_client.py
Troubleshooting
ModuleNotFoundError: requests_kerberos: installrequests-kerberos.401 Unauthorized: verify the credentials, Kerberos ticket, or auth headers used by the target Ranger service.403 Forbidden: verify Ranger permissions and PDP delegation configuration when authorizing on behalf of another user.- SSL certificate errors: configure a valid trust store for production. For
local testing only,
ranger.session.verify = Falsecan disable certificate verification. - Connection timeouts: verify the Ranger Admin, KMS, or PDP URL and confirm the service is reachable from the client host.
Release 0.0.13 Highlights
- Python 3.13+ support.
- New GDS client coverage for datasets, projects, datashares, shared resources, and GDS policy APIs.
- New PDP client coverage for Ranger authorization APIs.
- New authorization request and response models.
- User/group management, KMS, Ranger Admin, and model updates.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file apache_ranger-0.0.13.tar.gz.
File metadata
- Download URL: apache_ranger-0.0.13.tar.gz
- Upload date:
- Size: 31.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f2eb49a423ac6855cb0e230ca5ef18a906ea1302d69cb3971a923a2792a2970c
|
|
| MD5 |
c142e28a00064223adc3db53c6bb6549
|
|
| BLAKE2b-256 |
6736aff7f325e6019e3611a0b4c2d6fba6dff7e0ad51f627d4e160956faa637a
|
File details
Details for the file apache_ranger-0.0.13-py3-none-any.whl.
File metadata
- Download URL: apache_ranger-0.0.13-py3-none-any.whl
- Upload date:
- Size: 47.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ad4ace2e9dd19d3dbcc30627612d444af30f35648ca2d8e91c11718c9b5d68e5
|
|
| MD5 |
8c54a83b1e8789aa8fdb27c9ac7b072d
|
|
| BLAKE2b-256 |
23134827730627bd1593dfa2ff3d74d1fafe2220376f25a4a0f2b9f712b4ca7a
|