hawq-commits mailing list archives

From yo...@apache.org
Subject [05/50] [abbrv] incubator-hawq-docs git commit: moving super-user events discussion to policy doc; clarifying non-HA support; clarifying configuration procedure
Date Tue, 25 Apr 2017 00:03:58 GMT
moving super-user events discussion to policy doc; clarifying non-HA support; clarifying configuration
procedure


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/8823a9cf
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/8823a9cf
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/8823a9cf

Branch: refs/heads/master
Commit: 8823a9cf4fa872e0023955d7fe7a20fc28fbac69
Parents: 970717b
Author: David Yozie <yozie@apache.org>
Authored: Fri Mar 31 10:38:27 2017 -0700
Committer: David Yozie <yozie@apache.org>
Committed: Fri Mar 31 10:38:27 2017 -0700

----------------------------------------------------------------------
 .../ranger/ranger-integration-config.html.md.erb | 19 +++++++++++++++----
 markdown/ranger/ranger-overview.html.md.erb      | 16 ++--------------
 .../ranger/ranger-policy-creation.html.md.erb    |  3 ++-
 3 files changed, 19 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/8823a9cf/markdown/ranger/ranger-integration-config.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-integration-config.html.md.erb b/markdown/ranger/ranger-integration-config.html.md.erb
index 373959c..a274158 100644
--- a/markdown/ranger/ranger-integration-config.html.md.erb
+++ b/markdown/ranger/ranger-integration-config.html.md.erb
@@ -73,18 +73,29 @@ To use HAWQ Ranger integration, install a compatible Hadoop distribution
and Apa
     ``` bash
     gpadmin@master$ cd /usr/local/hawq/ranger/bin
     gpadmin@master$ ./enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p admin -h hawq_master:5432
-w gpadmin -q gpadmin
+    RANGER URL  = localhost:6080
+    RANGER User = admin
+    RANGER Password = [*****]
+    HAWQ HOST = localhost
+    HAWQ PORT = 5432
+    HAWQ User = gpadmin
+    HAWQ Password = [*******]
+    HAWQ service definition was not found in Ranger Admin, creating it by uploading /usr/local/hawq_2_2_0_0/ranger/etc/ranger-servicedef-hawq.json
+    HAWQ service instance was not found in Ranger Admin, creating it.
+    Updated POLICY_MGR_URL to http://localhost:6080 in /usr/local/hawq_2_2_0_0/ranger/etc/rps.properties
+    Updated default value of JAVA_HOME to /usr/jdk64/jdk1.8.0_77 in /usr/local/hawq_2_2_0_0/ranger/etc/rps.properties
     ```
     
     **Note**: You can also enter the short form of the command: `./enable-ranger-plugin.sh
-r` and the script will prompt you for entries.
     
     When the script completes, the default HAWQ service definition is registered in the Ranger
Admin UI. This service definition is named `hawq`.
 
-6. Locate the `pg_hba.conf` file on the HAWQ master node, for example:
+6. Locate the `pg_hba.conf` file in the master directory of the HAWQ master node. To display
the HAWQ master directory:
  
     ``` bash
     gpadmin@master$ hawq config --show hawq_master_directory
     GUC		: hawq_master_directory
-    Value		: /data/hawq/master
+    Value	: /data/hawq/master
     ```
 
     Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ access for \<hawq_user\>
on the \<ranger-admin-node\>. For example, you would add an entry similar to the following
for the example `enable-ranger-plugin.sh` call above:
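Review bot: The sample output added under the `enable-ranger-plugin.sh` call does not match the command above it. The command passes `-r ranger_host:6080` and `-h hawq_master:5432`, but the output reports `RANGER URL = localhost:6080` and `HAWQ HOST = localhost`, and its paths use `/usr/local/hawq_2_2_0_0/` where the session does `cd /usr/local/hawq/ranger/bin`. Suggest regenerating the output from the exact command shown, or changing the command to match. The output masks both passwords while the command supplies them in clear text with `-p admin` and `-q gpadmin`, so consider making the prompting short form from the Note the primary example, which keeps credentials out of shell history.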
@@ -99,9 +110,9 @@ To use HAWQ Ranger integration, install a compatible Hadoop distribution
and Apa
     gpadmin@master$ hawq stop cluster --reload
     ```
 
-7.  When setup is complete, use the fully-qualified domain name to log into the Ambari server.
Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari
interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login
interface. 
+7.  After HAWQ reloads the configuration, use the fully-qualified domain name to log into
the Ambari server. Click the **Ranger** link to display the Ranger Summary page, then select
**Quick Links > Ranger Admin UI**. 
 
-8.  Log into the Ranger Access Manager. You will see a list of icons under the Service Manager.
Click the **Edit** icon on the right, under the HAWQ service icon. Ensure that the Active
Status is set to Enabled, and click the **Test Connection** button. You should receive a message
that Ranger connected successfully.  If the connection fails, verify the `hawq` service Config
Properties, as well as your `pg_hba.conf` entries, and re-test the connection.
+8.  Log into the Ranger Access Manager. Click the **Edit** button for the **HAWQ** service.
Ensure that the Active Status is set to Enabled, and click **Test Connection**. You should
receive a message that Ranger connected successfully.  If the connection fails, verify the
`hawq` service Config Properties, as well as your `pg_hba.conf` entries, and re-test the connection.
 
 ## <a id="enable"></a>Step 2: Configure HAWQ to Use Ranger Policy Management
 
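Review bot: Steps 7 and 8 now use two names for what reads as the same destination: step 7 ends at **Quick Links > Ranger Admin UI**, and step 8 opens with "Log into the Ranger Access Manager". The removed sentence "This link will take you to the Ranger Login interface" was the only bridge between the two. Suggest using one name in both steps, or saying in step 8 that the login page appears after selecting the quick link. The double space before "If the connection fails" carried over into the new text and can be dropped.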

http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/8823a9cf/markdown/ranger/ranger-overview.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-overview.html.md.erb b/markdown/ranger/ranger-overview.html.md.erb
index 56b45be..55ef691 100644
--- a/markdown/ranger/ranger-overview.html.md.erb
+++ b/markdown/ranger/ranger-overview.html.md.erb
@@ -36,7 +36,7 @@ The Ranger plug-in service caches Ranger policies locally on each HAWQ node
to a
 ## <a id="limitations"></a>Limitations of Ranger Policy Management
 Neither Kerberos authentication nor SSL encryption is supported between a HAWQ node and the
Ranger plug-in service, or between the plug-in service and the Ranger Policy Manager.
 
-The Ranger plug-in service is not compatible Highly-Available Ranger deployments. The plug-in
will not connect to another Ranger Policy Manager if a failure occurs.
+The Ranger plug-in service is not compatible Highly-Available Ranger deployments. The plug-in
will not connect to another Ranger Policy Manager if a failure occurs. Should you need to
activate the standby master in your HAWQ cluster, you must update the HAWQ Ranger service
definition with the new master node connection information.
 
 HAWQ supports setting user-level authorization policies with Ranger. These correspond to
access policies that would typically be applied using the SQL `GRANT` command, and include
authorization events for:
 
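Review bot: The rewritten limitation line still reads "is not compatible Highly-Available Ranger deployments"; the word "with" is missing, and since the line is being touched anyway this is the place to fix it. The added sentence about activating the standby master concerns HAWQ master failover rather than Ranger HA, so it would read more clearly as its own paragraph. It should also say where the connection information is changed (step 8 of the configuration page refers to the `hawq` service Config Properties).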
@@ -48,17 +48,5 @@ HAWQ supports setting user-level authorization policies with Ranger. These
corre
 - Languages
 - Protocols
 
-All authorization checks for superuser-restricted authorization events are handled by HAWQ
natively, even when Ranger integration is enabled. These superuser-restricted events include:
-
-- `CREATE CAST` command
-- `CREATE FILESPACE` command
-- `CREATE`, `DROP`, or `ALTER` commands that involve a foreign-data wrapper
-- `CREATE FUNCTION` command for untrusted languages.
-- `CREATE` or `DROP` commands for procedural Languages
-- `CREATE`, `DROP`, or `ALTER` commands for resource queues
-- `CREATE TABLESPACE` command. Note that Ranger does manage authorization for creating databases,
tables, indexes, and so forth _within_ an existing tablespace.
-- `CREATE EXTERNAL TABLE` commands that include the `EXECUTE` clause.
-- `CREATE OPERATOR CLASS` command
-- `COPY` command. Use of the `COPY` command is always limited to the superuser. When Ranger
policy management is enabled, the superuser must have `SELECT` or `INSERT` privileges on a
table in order to `COPY` from or to that table.
-- Built-in functions such as pg_logdir_ls, pg_ls_dir, pg_read_file, pg_reload_conf, pg_rotate_logfile,
pg_signal_backend, pg_start_backup,  pg_stat_file, pg_stat_get_activity, pg_stat_get_backend_activity_start,
pg_stat_get_backend_activity, pg_stat_get_backend_client_addr, pg_stat_get_backend_client_port,
pg_stat_get_backend_start, pg_stat_get_backend_waiting, pg_stop_backup, pg_switch_xlog, and
pg_stat_reset.
+Some authorization checks for superuser-restricted authorization events are handled by HAWQ
natively, even when Ranger integration is enabled. See [HAWQ-Native Authorization](ranger-policy-creation.html#alwaysnative).
 
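Review bot: Replacing the list with a link drops several entries that the HAWQ-Native Authorization list in `ranger-policy-creation.html.md.erb`, as shown in this commit, does not contain: foreign-data wrapper commands, `CREATE FUNCTION` for untrusted languages, `CREATE` or `DROP` for procedural languages, `CREATE EXTERNAL TABLE` with the `EXECUTE` clause, `CREATE OPERATOR CLASS`, and `COPY`. After this change the docs no longer state whether HAWQ or Ranger authorizes those operations, and the note that the superuser needs `SELECT` or `INSERT` on a table to `COPY` is lost. Suggest moving these entries into the linked list, or stating explicitly that they are now Ranger-managed if that is the intent. The change from "All" to "Some" also needs a sentence saying which checks are excluded.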

http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/8823a9cf/markdown/ranger/ranger-policy-creation.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-policy-creation.html.md.erb b/markdown/ranger/ranger-policy-creation.html.md.erb
index c66f5ba..937ebab 100644
--- a/markdown/ranger/ranger-policy-creation.html.md.erb
+++ b/markdown/ranger/ranger-policy-creation.html.md.erb
@@ -53,13 +53,14 @@ The `pg_hba.conf` file on the HAWQ master node identifies the users you
permit t
 HAWQ *always* employs its native authorization for operations on its catalog. HAWQ also uses
only native authorization for the following HAWQ operations, *even when Ranger is enabled*.
These operations are available to superusers and may be available those non-admin users to
which access was specifically configured:
 
 - operations on HAWQ catalog
-- HAWQ catalog-related built-in functions
 - `CREATE CAST` command when function is NULL
 - `CREATE DATABASE`, `DROP DATABASE`, `createdb`, `dropdb`
 - `hawq filespace`
 - `CREATE`, `DROP`, or `ALTER` commands for resource queues
 - `CREATE ROLE`, `DROP ROLE`, `SET ROLE`, `createuser`, `dropuser`
 - `CREATE TABLESPACE`, `DROP TABLESPACE` (Ranger does manage authorization for creating tables
and indexes _within_ an existing tablespace.)
+- HAWQ catalog-related built-in functions such as pg\_logdir\_ls, pg\_ls\_dir, pg\_read\_file,
pg\_reload\_conf, pg\_rotate\_logfile, pg\_signal\_backend, pg\_start\_backup,  pg\_stat\_file,
pg\_stat\_get\_activity, pg\_stat\_get\_backend\_activity\_start, pg\_stat\_get\_backend\_activity,
pg\_stat\_get\_backend\_client\_addr, pg\_stat\_get\_backend\_client\_port, pg\_stat\_get\_backend\_start,
pg\_stat\_get\_backend\_waiting, pg\_stop\_backup, pg\_switch\_xlog, and pg\_stat\_reset.
+
 
 The following SQL operations do not require any authorization checks:
 
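Review bot: The added bullet labels the functions "HAWQ catalog-related" and introduces them with "such as", but entries like pg_read_file, pg_ls_dir and pg_signal_backend are file-access and server-signalling functions, and an open-ended list does not tell an administrator which built-ins are authorized natively rather than by Ranger. Suggest a neutral label (for example, superuser-restricted built-in functions) and either a complete list or a pointer to one. The names are backslash-escaped where the other bullets use backticks, the hunk adds a second blank line after the list, and the context sentence "may be available those non-admin users" is missing "to".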

