Glossary
- ACL
Access-control list — a list of permissions associated with a system resource.
- AD
Active Directory — a directory service for the Windows Server family of operating systems. It was originally created as an LDAP-compatible implementation of a directory service; starting with Windows Server 2008, it also integrates with other authorization services, acting as a unifying layer for them.
It allows administrators to apply group policies to keep the configuration of the user work environment consistent, deploy software to multiple computers through group policies or System Center Configuration Manager (formerly Microsoft Systems Management Server), and install operating system, application, and server software updates on all computers in the network using Windows Server Update Services. It stores data and environment settings in a centralized database. Active Directory networks range in size from several dozen to several million objects.
- API
Application programming interface — a set of ready-made classes, procedures, functions, structures, and constants provided by an application (library, service) or operating system for use in external software products.
- Audit
The logging and monitoring component of Apache Ranger. It automatically captures and stores detailed information about every access request made to the data resources that Ranger protects.
- Authentication
A process of verifying that a user is who they claim to be, for example, by supplying a password that matches a previously registered username. It usually precedes authorization.
- Authorization
A process of checking whether a user has the permissions required to perform a given operation.
- CLI
Command-line interface — a text user interface (TUI) in which users give instructions to a computer by typing text strings (commands) on the keyboard. It is also called a console or terminal.
- Cluster
A group of servers and coordinating software that are united logically and capable of processing the same requests and acting as a single resource.
- DNS
Domain Name System — a distributed and hierarchical system used to identify computers, domains, services, and other resources accessible through the Internet or other network protocols. It is most often used to obtain an IP address from a host name (of a computer or device), and to obtain information about mail routing and/or service nodes for protocols in a domain.
The distributed DNS database is maintained by a hierarchy of DNS servers that interact over a dedicated protocol.
- DNS Server
An application designed to respond to DNS queries using the appropriate protocol. This term can also refer to a host where such an application is running.
- Firewall
A software package designed to monitor and filter network traffic.
- FreeIPA
A free and open-source identity management system for Linux/UNIX networked environments. It is based on Fedora Linux, 389 Directory Server, MIT Kerberos, NTP, DNS, the DogTag certificate system, SSSD, and other free/open-source components. FreeIPA is designed to provide the same services as Active Directory.
- FQDN
Fully Qualified Domain Name — a domain name that is unambiguous because it includes the names of all parent domains in the DNS hierarchy.
- Gateway
A network device designed to transfer user traffic between two networks that have different characteristics or use different protocols or technologies. One of the most common uses of a gateway is providing access from a local area network (LAN) to an external network (the Internet).
- Hash
A mathematical algorithm that takes an input of any size and returns a fixed-size string of characters, typically a sequence of numbers and letters. Its output is also called a hash.
- High availability
A technology that allows service components to fail over to a backup host when the primary host is unavailable.
- Host
A computer or another device connected to a network. A host can work as a server providing information about resources, services, and applications to users or other hosts. Each host on a network is assigned at least one network address.
- Instance
A single copy of any software running on a single physical or virtual server. In object-oriented programming, this term is also used to refer to a class object.
- IP
Internet Protocol Address — a unique network address of a node in a computer network built on the IP protocol stack.
- JKS
Java KeyStore — a password-protected file format used by Java applications to store cryptographic keys and certificates.
- JCEKS
Java Cryptography Extension KeyStore — a password-protected file format used in the Java ecosystem to securely store cryptographic keys and certificates. It is more secure than JKS and, unlike JKS, can also store symmetric secret keys.
- Kerberos Authentication Server
An authentication server whose main function is to receive a request containing the name of a client requesting authentication and return an encrypted TGT to that client. The client can then use this TGT for further requests. In most Kerberos implementations, the TGT lifetime is 8 to 10 hours; after it expires, the client must request a new TGT from the authentication server.
- Kerberos KDC
Key Distribution Center — a third-party authentication mechanism used by users and services to authenticate each other. It consists of three parts:
  - A database of users and services (known as principals) that the KDC has access to, and the corresponding Kerberos passwords.
  - Authentication Server (AS) that performs the initial authentication and issues a Ticket Granting Ticket (TGT).
  - Ticket Granting Server (TGS) — a server that issues subsequent tickets based on the initial TGT.
- Kerberos keytab
A file containing one or more principals and their keys. It is used for authentication in the Kerberos infrastructure and allows users and services to authenticate without entering usernames and passwords manually.
- Kerberos principal
A unique name of a user or service.
- Kerberos realm
A Kerberos network that includes a KDC and several clients.
- Kerberos TGS
Ticket Granting Server — the KDC component that issues service tickets (access grants) to clients that present a valid TGT.
- Kerberos TGT
Ticket Granting Ticket — a ticket that includes a copy of the session key, the user name, and the ticket expiration time. The TGT is encrypted using the master key of the KDC and can be decrypted only by the KDC service itself.
- Knox topology
A cluster-wide configuration file that defines which cluster services are exposed via the proxy, how clients can access them, and which security rules are applied to them.
- Knox topology descriptor
A JSON file from which a topology file can be generated automatically.
- LDAP
Lightweight Directory Access Protocol — a simple protocol running over TCP/IP that supports authentication, search and compare operations, and operations for adding, modifying, or deleting directory entries.
- Metadata
Structured service information describing the data in use. It contains characteristics useful for identification, search, evaluation, and management.
- Node
A device connected to other devices via a network. It has its own IP address and can exchange data. Nodes can be computers, mobile phones, handheld computers, and dedicated network devices (such as routers, switches, hubs, etc.).
- Proxy
A server that acts as an intermediary between a client host and a server host.
- Ranger plugin
Software that integrates a service, for which a plugin is available, into Ranger. Plugins allow Ranger Admin to control access to the service's resources via policies.
- Ranger policy
A set of rules that define access control for resources within a Hadoop ecosystem or other systems managed by Ranger.
- Reverse proxy
A server that acts as a single public-facing endpoint for client requests and forwards them to one or more servers protected by that reverse proxy.
- Root
Superuser — a special account in Unix-like systems whose owner has the right to perform any and all operations.
- Secret
Encrypted data that is stored inside a secret engine and is accessible by a path.
- Secret engine
A vault component that is responsible for generating, storing, encrypting, and managing secrets.
- Self-signed certificate
A special type of digital certificate signed by its own subject. Technically, such a certificate is no different from a certificate signed by a certification authority (CA), except that the creator signs it with its own key and thereby acts as the certification authority. All root certificates of trusted CAs are self-signed.
- SSH
Secure Shell — an application-level network protocol that allows remote control of the operating system and tunneling of TCP connections (for example, to transfer files). It is similar in functionality to the Telnet and rlogin protocols, but, unlike them, it encrypts all traffic, including transmitted passwords. SSH allows you to choose among different encryption algorithms. SSH clients and SSH servers are available for most network operating systems.
- SSL
Secure Sockets Layer — a cryptographic protocol that provides secure communication. It uses asymmetric cryptography to authenticate the peers and exchange keys, symmetric encryption to maintain confidentiality, and message authentication codes to ensure message integrity.
- SSO
Single sign-on — an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.
- Sudo
Substitute user and do — a system administration program for Unix-like operating systems that allows delegating access to certain privileged resources to users while keeping a log of their actions. The main idea is to give users as few rights as possible, yet enough to accomplish their tasks.
- UserSync
Ranger User Synchronizer — a system that allows importing users from external systems into Ranger.
- ZooKeeper
An open-source service for synchronization and coordination of distributed systems. In ADPS, ZooKeeper is used for management and service discovery.