ranger-mcp-server
This MCP server enables management of Apache Ranger access control on CDP (Cloudera Data Platform) through agentic workflows, covering policies, identity, tags, and audit logs.
Service Management
List all Ranger service instances (e.g.,
cm_hive,cm_hdfs,cm_tag), get details, and retrieve service definition schemas (access types, resources, mask types).
Policy Lifecycle
Search, get, create, update, apply (upsert), and delete resource-based access, data masking, and tag-based policies.
Policies can be created from raw JSON or via convenience builders for access and masking policies.
Role Management
List, get, create, update, and delete Ranger roles.
Add users/groups to roles; look up all roles assigned to a specific user.
User Management
List, get, create, update, and delete Ranger users; search by partial name; assign roles (
ROLE_USERorROLE_SYS_ADMIN).
Group Management
List, get, create, update, and delete Ranger groups; search by partial name.
Tag Management
List tag type definitions and instances, get a specific tag definition, list tagged resources, and search tag-based policies.
Audit Logs
Search and count data-access audit logs (allowed/denied access) with filters for user, service, resource path, action, and date range.
Search and count admin audit logs (policy/config change history) with filters for object name, action, updated-by, and date range.
Retrieve a single admin audit log entry by ID.
Additional Features
Supports Knox JWT token, cookie, or Basic Auth.
Automatic retries with exponential backoff on transient errors.
Provides integration with Apache Ranger for managing access policies, masking, tag-based policies, roles, users, and groups via agentic workflows.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@ranger-mcp-serverSearch Hive policies containing 'finance'"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Ranger MCP Server
Model Context Protocol server for Apache Ranger on CDP — manage access policies, masking, tag-based policies, roles, users, groups, and audit logs via agentic workflows.
Features
Knox authentication — JWT token, raw cookie, or Basic Auth (same pattern as Atlas MCP)
Policy lifecycle — search, create, update, apply (upsert), delete
Access, masking & tag-based policies — convenience builders plus raw JSON for full control
Identity management — users, groups, roles and role membership
Tag metadata — tag definitions, instances, tagged resources
Audit logs — search data-access audits (allowed/denied) and admin/transaction logs (policy changes)
Automatic retries — exponential backoff on transient errors
MCP Tools
Services
list_ranger_services,get_ranger_service,get_ranger_service_definition
Policies
search_ranger_policies,get_ranger_policy,create_ranger_policy,update_ranger_policy,apply_ranger_policy,delete_ranger_policycreate_access_policy— resource-based access (Hive/HDFS/etc.)create_masking_policy— column maskingcreate_tag_based_policy— tag-service policies (e.g.cm_tag)
Roles
list_ranger_roles,get_ranger_role,create_ranger_role,update_ranger_role,delete_ranger_roleadd_users_groups_to_role,get_roles_for_user
Users & groups
list_ranger_users,get_ranger_user,create_ranger_user,update_ranger_user,delete_ranger_userlist_ranger_groups,get_ranger_group,create_ranger_group,update_ranger_group,delete_ranger_grouplookup_ranger_users,lookup_ranger_groups
Tags
list_tag_definitions,get_tag_definition,list_tag_instances,list_tagged_resourcessearch_tag_based_policies
Audits
search_access_audits— data-access audit logs (who accessed what, allowed/denied); filters:request_user,repo_name,resource_path(db/tableordb.table),action,access_result,start_date/end_date(MM/DD/YYYY)count_access_audits— count matching access audit recordssearch_admin_audit_logs— policy/config change logs (transaction audit); filters:object_name,action,updated_by, date rangecount_admin_audit_logs— count matching admin audit recordsget_admin_audit_log— fetch a single admin audit entry by id
Access audit search defaults to /assets/accessAudit (Ranger UI path), which honors filters on CDP. Set use_assets_endpoint=false to use /xaudit/access_audit instead. Hive table paths use slashes (db/table); db.table is converted automatically.
Related MCP server: Apache Airflow MCP Server
Setup
Local install
git clone <repo-url>
cd ranger-mcp-server
python3 -m venv .venv
source .venv/bin/activate
python -m pip install -e ".[dev]"Cursor / Claude Desktop MCP config
{
"mcpServers": {
"ranger-mcp-server": {
"command": "/FULL/PATH/TO/ranger-mcp-server/.venv/bin/python",
"args": ["-m", "ranger_mcp_server.server"],
"env": {
"MCP_TRANSPORT": "stdio",
"RANGER_GATEWAY_URL": "https://<host>/<topology>/cdp-proxy-api/ranger/service",
"RANGER_USER": "<user>",
"RANGER_PASS": "<password>"
}
}
}
}uvx
{
"mcpServers": {
"ranger-mcp-server": {
"command": "uvx",
"args": ["--from", "git+@https://github.com/frothkoetter/ranger-mcp-server.git@master", "run-server"],
"env": {
"RANGER_GATEWAY_URL": "https://<host>/<topology>/cdp-proxy-api/ranger/service",
"RANGER_USER": "<user>",
"RANGER_PASS": "<password>"
}
}
}
}Configuration
Variable | Required | Description |
| Yes | Knox Ranger API base ( |
| Yes* | Basic auth credentials |
| Alt | Knox JWT alternatives |
| No | Default |
| No | Default |
* Or Knox token/cookie.
CDP URL pattern
https://<cluster-host>/<topology>/cdp-proxy-api/ranger/serviceDirect Ranger Admin (inside cluster): https://<ranger-host>:6182/service
Example agent prompts
"List all Ranger services"
"Search Hive policies containing 'finance'"
"Create a masking policy on column ssn in hr.employees"
"Add group analysts to role finance_role"
"Show tag-based policies for tag PII on cm_tag"
"Search access audits for user alice on cm_hive since 06/01/2026"
"Show denied access audits on finance.customers in the last day"
"Who changed the finance-read policy? Search admin audit logs"
License
Apache License 2.0
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/frothkoetter/ranger-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server