Ranger Limitations

This page lists the known limitations.

  • No active logging available for operations done with S3 buckets.

  • Ranger usernames must exactly match IAM usernames. AD/LDAP usernames are assumed to be available in AWS IAM.

  • Only a limited set of S3 actions is supported. Currently the core actions are supported: ListBucket, GetObject, PutObject, DeleteObject.

  • New S3 bucket creation from Ranger is not supported.

  • STS token authentication is not supported – Ranger cannot enforce policies on temporary credentials issued via AWS STS.

  • Reverse pushdown from S3 ACL/policy to Ranger is not supported – Ranger cannot automatically import existing S3 bucket policies or ACLs.

  • Existing S3 policies/ACLs handling:

    • When Ranger is configured to manage S3 buckets, it overwrites the existing resource-based S3 ACLs/policies for the given resource, based on the Ranger-defined policy settings.
    • Care should be taken to review S3 permissions before enabling Ranger pushdown to avoid unintended access changes.
  • AWS resource-based policies do not support using IAM groups as principals. Group mappings are only supported in identity-based AWS policies. Since Ranger relies on resource-based AWS policies, group-based mapping is not supported as part of this plugin. See https://docs.aws.amazon.com/AmazonS3/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies
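
One way to review an existing bucket policy before enabling pushdown, as an added example that is not part of the Ranger plugin or this documentation: it flags statements that use actions outside the four listed above or principals that are not IAM users, so they can be examined before Ranger overwrites the policy. The function names, the ARN-pattern test for IAM users and the sample policy are assumptions made for illustration.

```python
import json

# Core actions this page lists as supported (compared case-insensitively).
SUPPORTED = {"s3:listbucket", "s3:getobject", "s3:putobject", "s3:deleteobject"}

def as_list(value):  # policy fields may hold one string or a list of strings
    return value if isinstance(value, list) else [value]

def principal_findings(principal):
    """Flag principals that are not plain IAM users (roles, STS sessions, wildcards)."""
    if isinstance(principal, str):  # "*" is the only valid bare-string principal
        return ["wildcard principal"]
    found = []
    for kind, values in principal.items():
        for value in as_list(values):
            if value == "*":
                found.append("wildcard principal")
            elif kind != "AWS" or ":user/" not in value:  # assumed IAM-user ARN test
                found.append(f"non-IAM-user principal: {value}")
    return found

def review_policy(policy_json):
    """Return {Sid or statement index: [findings]} for statements needing review."""
    report = {}
    for index, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        found = [f"unsupported action: {a}" for a in as_list(stmt.get("Action", []))
                 if a.lower() not in SUPPORTED]
        found += principal_findings(stmt.get("Principal", {}))
        found += [f"{key} element present" for key in ("NotAction", "NotPrincipal")
                  if key in stmt]
        if found:
            report[stmt.get("Sid", str(index))] = found
    return report

# Constructed sample bucket policy (account ID, names and bucket are made up).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnalystRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "EtlRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/etl"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "Tagging", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/bob"},
     "Action": ["s3:GetObject", "s3:GetObjectTagging"], "Resource": "arn:aws:s3:::example-bucket/*"},
]})
if __name__ == "__main__":
    print(json.dumps(review_policy(SAMPLE_POLICY), indent=2))
```

The policy to review can be exported with `aws s3api get-bucket-policy`, and keeping that export gives a copy of the policy as it stood before Ranger took over the bucket.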
