hawq-commits mailing list archives

From yo...@apache.org
Subject incubator-hawq-docs git commit: Reconcile Feature/ranger integration branches (closes #105)
Date Thu, 30 Mar 2017 19:31:01 GMT
Repository: incubator-hawq-docs
Updated Branches:
  refs/heads/feature/ranger-integration a16d160cc -> 5ef01c775


Reconcile Feature/ranger integration branches (closes #105)


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/5ef01c77
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/5ef01c77
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/5ef01c77

Branch: refs/heads/feature/ranger-integration
Commit: 5ef01c77565b8fce5dbfe48ff836a53df68c468a
Parents: a16d160
Author: Jane Beckman <jbeckman@pivotal.io>
Authored: Thu Mar 30 12:30:55 2017 -0700
Committer: David Yozie <yozie@apache.org>
Committed: Thu Mar 30 12:30:55 2017 -0700

----------------------------------------------------------------------
 .../ranger-integration-config.html.md.erb       | 44 ++++++++++++++++----
 markdown/ranger/ranger-overview.html.md.erb     |  2 +-
 2 files changed, 36 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/5ef01c77/markdown/ranger/ranger-integration-config.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-integration-config.html.md.erb b/markdown/ranger/ranger-integration-config.html.md.erb
index 0a695de..8b687b5 100644
--- a/markdown/ranger/ranger-integration-config.html.md.erb
+++ b/markdown/ranger/ranger-integration-config.html.md.erb
@@ -30,9 +30,11 @@ The Ranger Administrative UI is installed when you install HDP. You configure
th
 
 Installing or upgrading to HAWQ 2.2.0 installs the HAWQ Ranger Plug-in Service, but neither
configures nor registers the plug-in.  
 
-In order to use Ranger for managing HAWQ authentication events, you must first install and
register several HAWQ JAR files on the Ranger Administration host. This is a one-time configuration
that establishes connectivity to your HAWQ cluster from the Ranger Administration host. After
you have registered the JAR files, you enable or disable Ranger integration in HAWQ by setting
the `hawq_acl_type` configuration parameter. After Ranger integration is enabled, you must
use the Ranger interface to create all security policies to manage access to HAWQ resources.
Ranger is pre-populated only with several policies to allow `gpadmin` superuser access to
default resources. See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html)
for information about creating policies in Ranger.
+To use Ranger for managing HAWQ authentication events, you must first install and register
several HAWQ JAR files on the Ranger Administration host. This one-time configuration establishes
connectivity to your HAWQ cluster from the Ranger Administration host. 
+
+After registering the JAR files, you enable or disable Ranger integration in HAWQ by setting
the `hawq_acl_type` configuration parameter. After Ranger integration is enabled, you must
use the Ranger interface to create all security policies to manage access to HAWQ resources.
Ranger is only pre-populated with policies to allow `gpadmin` superuser access to default
resources. See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html)
for information about creating policies in Ranger. When Ranger is enabled, all access to HAWQ
resources is controlled by security policies on Ranger. 
 
-The following procedures describe each configuration activity.
+Use the following procedures to register the HAWQ Ranger Plug-in Service and enable Ranger
authorization for HAWQ..
 
 ## <a id="prereq"></a>Prerequisites
 To use HAWQ Ranger integration, install a compatible Hadoop distribution and Apache Ranger
0.6. You must also have `admin` access to the **Ranger Admin UI**.
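
Review bot: The rewritten first paragraph still says Ranger manages "HAWQ authentication events", while the lines added further down in this hunk describe authorization ("all access to HAWQ resources is controlled by security policies on Ranger", "enable Ranger authorization for HAWQ"). Use "authorization" in the opening sentence too, so readers do not conclude that Ranger replaces login authentication. The last added sentence also ends with a doubled period ("authorization for HAWQ.."), and several added lines carry trailing whitespace.
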
@@ -69,13 +71,25 @@ To use HAWQ Ranger integration, install a compatible Hadoop distribution
and Apa
     Log in to the HAWQ master node as the `gpadmin` user and execute the `enable-ranger-plugin.sh`
script. Ensure \<hawq_master\> identifies the fully qualified domain name of the HAWQ
master node. For example:
 
     ``` bash
+    sudo su - gpadmin
     gpadmin@master$ cd /usr/local/hawq/ranger/bin
     gpadmin@master$ ./enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p admin -h hawq_master:5432
-w gpadmin -q gpadmin
     ```
     
+    ***Note*** You can also enter the short form of the command: `./enable-ranger-plugin.sh
-r` and the script will prompt you for entries. 
+    
     When the script completes, the default HAWQ service definition is registered in the Ranger
Admin UI. This service definition is named `hawq`.
 
-6. Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ access for \<hawq_user\>
on the \<ranger-admin-node\>. For example, you would add an entry similar to the following
for the example `enable-ranger-plugin.sh` call above:
+6. Locate the `pg_hba.conf` file on the HAWQ master node, for example:
+ 
+    ``` bash
+    gpadmin@master$ hawq config --show hawq_master_directory
+     GUC		: hawq_master_directory
+     Value		: /data/hawq/master
+
+    ```
+
+    Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ access for \<hawq_user\>
on the \<ranger-admin-node\>. For example, you would add an entry similar to the following
for the example `enable-ranger-plugin.sh` call above:
 
     ``` bash
     host  all     gpadmin    ranger_host/32       trust
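
Review bot: The new step 6 prints `hawq_master_directory` but never says how that value relates to `pg_hba.conf`, so "Locate the `pg_hba.conf` file" is left for the reader to infer. If the file is in the directory shown as Value, add a sentence saying so. The added `sudo su - gpadmin` line has no prompt while the lines below it use `gpadmin@master$`, and the sample output ends with a stray blank line before the closing fence. Since the added note says `./enable-ranger-plugin.sh -r` prompts for the remaining entries, consider making that the primary example: the full form passes what appear to be credentials (`-u admin -p admin`, `-w gpadmin -q gpadmin`) on the command line, where they end up in shell history. While this step is being reworded, it is also worth one sentence stating that the `trust` method in the sample entry lets `ranger_host` connect as `gpadmin` without a password.
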
@@ -87,19 +101,31 @@ To use HAWQ Ranger integration, install a compatible Hadoop distribution
and Apa
     gpadmin@master$ hawq stop cluster --reload
     ```
 
-7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari,
click the edit icon associated with the `hawq` service definition. Ensure that the Active
Status is set to Enabled, and click the **Test Connection** button. You should receive a message
that Ranger connected succesfully.  If it fails to connect, edit your HAWQ connectivity properties
directly in the Ranger Admin UI and re-test the connection.
+7.  When setup is complete, use the fully-qualified domain name to log into the Ambari server.
Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari
interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login
interface. 
+
+8.  Log into the Ranger Access Manager. You will see a list of icons under the Service Manager.
Click the **Edit** icon on the right, under the HAWQ service icon. Ensure that the Active
Status is set to Enabled, and click the **Test Connection** button. You should receive a message
that Ranger connected successfully.  If it fails to connect, you may need to edit your Ranger
connection in  `pg_hba.conf,` perform 
+
+  ``` bash
+   gpadmin@masterhawq stop cluster --reload
+   ```
+  and re-test the connection.
 
 
 ## <a id="enable"></a>Step 2: Configure HAWQ to Use Ranger Policy Management
 
-The default Ranger service definition for HAWQ assigns the HAWQ user (typically `gpadmin`)
all privileges to all objects. 
+The default Ranger service definition for HAWQ assigns the HAWQ administrator (typically
`gpadmin`) all privileges to all objects. 
 
-**Warning**: If you enable HAWQ-Ranger authorization with only the default HAWQ service policies
defined, other HAWQ users will have no privileges, even for HAWQ objects (databases, tables)
that they own.
-
-1. Select the **HAWQ** Service, and then select the **Configs** tab.
+Once the connection between HAWQ and Ranger is configured, you can either set up policies
for the HAWQ users according to the procedures in [Creating HAWQ Authorization Policies in
Ranger](ranger-policy-creation.html) or enable Ranger with only the default policies. 
+
+**Note**: Any authorization defined using GRANT commands will no longer apply after enabling
HAWQ Ranger. Only gpadmin access is allowed when Ranger is first initialized.
+
+1. On Ambari, select the **HAWQ** Service, and then select the **Configs** tab.
 2. Select the **Advanced** tab, and then expand **Custom hawq-site**.
 4. Click **Add Property...** and add the new property, `hawq_acl_type=ranger` property. (If
the property already exists, change its value from `standalone` (the default) to `ranger`.)
 5. Click **Save** to save your changes.
 6. Select **Service Actions > Restart All** and confirm that you want to restart the HAWQ
cluster.
 
-## <a id="caching"></a>Changing the Frequency of Policy Caching
+
+## <a id="caching"></a>Changing the Frequency of Policy Caching
+ 
+You may wish to change the frequency of policy caching to suit your individual needs.
\ No newline at end of file
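
Review bot: The command in the new step 8 is mangled: `gpadmin@masterhawq stop cluster --reload` is missing the `$ ` between the prompt and `hawq`, and should read `gpadmin@master$ hawq stop cluster --reload` like the context line at the top of this hunk. The same step trails off at "perform" with the comma inside the code span (`pg_hba.conf,`), its fence is indented less than the four spaces used by the other list items, and "and re-test the connection." is left orphaned after the fence. Separately, the removed **Warning** stated that other users have no privileges "even for HAWQ objects (databases, tables) that they own"; the replacement **Note** drops both that detail and the warning level, and "or enable Ranger with only the default policies" now reads as a neutral choice, so I would keep it as a warning. The sentence added under "Changing the Frequency of Policy Caching" names no parameter or procedure, and the file still ends without a newline.
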

http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/5ef01c77/markdown/ranger/ranger-overview.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-overview.html.md.erb b/markdown/ranger/ranger-overview.html.md.erb
index b038461..56b45be 100644
--- a/markdown/ranger/ranger-overview.html.md.erb
+++ b/markdown/ranger/ranger-overview.html.md.erb
@@ -27,7 +27,7 @@ HAWQ supports using Apache Ranger for authorizing user access to HAWQ resources.
 ## <a id="arch"></a>Policy Management Architecture
 Each HAWQ installation includes a Ranger plug-in service to support Ranger Policy management.
The Ranger plug-in service implements the Ranger REST API to bridge all requests between the
Ranger Policy Manager and a HAWQ instance. 
 
-HAWQ also provides a JAR library that enables the Ranger Policy Manager to lookup HAWQ metadata
(the names of databases, schemas, tables, and so forth) to populate the user interface and
assist in creating new policies. This JAR uses a JDBC connection to HAWQ, and requires a one-time
registration with the Ranger Policy Manager. See [Configuring HAWQ to use Ranger Policy Management](ranger-integration-config.html#enable).

+HAWQ also provides a JAR library that enables the Ranger Policy Manager to lookup HAWQ metadata
(the names of databases, schemas, tables, and so forth) to populate the user interface and
assist in creating new policies. This JAR uses a JDBC connection to HAWQ, and requires a one-time
registration with the Ranger Policy Manager. 
 
 A single configuration parameter, `hawq_acl_type` determines whether HAWQ defers all policy
management to Ranger via the plug-in service, or whether HAWQ handles authorization natively
using catalog tables. By default, HAWQ uses SQL commands to create all access policies, and
the policy information is stored in catalog tables.  When you enable Ranger integration for
policy management, any authorization policies that you have configured in HAWQ using SQL no
longer apply to your installation; you must create new policies using the Ranger interface.
See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html)
 
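
Review bot: Removing the link after "requires a one-time registration with the Ranger Policy Manager" leaves the overview with no pointer to where that registration is documented. The old target `ranger-integration-config.html#enable` was the wrong anchor (in the config page `enable` is "Step 2: Configure HAWQ to Use Ranger Policy Management", not the JAR registration), so retarget the link to the registration step instead of dropping it. The closing context line "See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html)" also lacks a final period.
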

