> ## Documentation Index
> Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up an Apache Ranger connector

> C1 provides identity governance for Apache Ranger. Integrate your Apache Ranger instance with C1 for unified visibility and governance over user access.

C1 provides identity governance for Apache Ranger. Integrate your Apache Ranger
instance with C1 for unified visibility and governance over identities, policies,
and access grants managed by Ranger Admin.

## Capabilities

| Resource             | Sync                                                          | Provision |
| -------------------- | ------------------------------------------------------------- | --------- |
| Users                | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Groups               | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Roles                | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Access roles         | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Module permissions   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Security zones       | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Tags                 | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Policies             | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Policy access grants | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |

The connector reads users, groups, roles, system access roles, admin module
permissions, security zones, tags, and policies from the Ranger Admin REST API.
Each policy is synced with one entitlement per access type it grants (for
example `select` or `read`), covering allow, deny, allow/deny exception, data
mask, and row filter items, plus a `delegate-admin` entitlement. Grants resolve
the users, groups, and roles referenced in those policy items.

This connector targets **Apache Ranger 2.x**. It is read-only and does not
provision or modify access in Apache Ranger.

## Gather Apache Ranger credentials

<Warning>
  You need an Apache Ranger account with administrator access to the Ranger Admin
  service so the connector can read users, groups, roles, policies, and security
  zones. An account without admin access may return only a partial view of your
  directory.
</Warning>

<Steps>
  <Step>
    Sign in to the Apache Ranger Admin UI. By default it runs on port `6080`,
    for example `https://ranger.example.com:6080`. Note this base URL — you
    enter it when configuring the connector.
  </Step>

  <Step>
    Use an account with administrator access. On a default installation this is
    the `admin` user whose password was set during installation. Confirm the
    account can view **Settings > Users/Groups/Roles** and policy objects in
    the Admin UI.
  </Step>

  <Step>
    Have the username and password for that account ready. The connector
    authenticates to the Ranger Admin REST API with these credentials.
  </Step>
</Steps>

## Configure the Apache Ranger connector

<Tabs>
  <Tab title="Cloud-hosted">
    Follow these instructions to use a built-in, no-code connector hosted by C1.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Apache Ranger** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Apache Ranger connector.
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the Apache Ranger credentials:

        * **Base URL**: Your Apache Ranger Admin server URL, for example `https://ranger.example.com:6080`.
        * **Username**: The administrator username for Ranger Admin.
        * **Password**: The password for that account.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Apache Ranger connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    Follow these instructions to run the Apache Ranger connector in your own
    environment.

    <Steps>
      <Step>
        Create secrets for the Apache Ranger Admin credentials.
      </Step>

      <Step>
        Configure the connector environment variables:

        * **BATON\_BASE\_URL**: Your Apache Ranger Admin server URL, for example `https://ranger.example.com:6080`.
        * **BATON\_USERNAME**: The administrator username for Ranger Admin.
        * **BATON\_PASSWORD**: The password for that account.
      </Step>

      <Step>
        Deploy the connector using your standard self-hosted connector process.
      </Step>
    </Steps>

    **Done.** Your Apache Ranger connector is now pulling access data into C1.
  </Tab>
</Tabs>

## Connector configuration reference

| Setting  | Environment variable | Required | Description                                                                                 |
| -------- | -------------------- | -------- | ------------------------------------------------------------------------------------------- |
| Base URL | `BATON_BASE_URL`     | Yes      | The base URL of the Apache Ranger Admin API, for example `https://ranger.example.com:6080`. |
| Username | `BATON_USERNAME`     | Yes      | Username used to authenticate with Ranger Admin.                                            |
| Password | `BATON_PASSWORD`     | Yes      | Password for the authenticating user. Stored as a secret.                                   |