hawq-commits mailing list archives

From yo...@apache.org
Subject [09/17] incubator-hawq-docs git commit: policy doc - built-in func warning, revise hdfs/hive considers
Date Thu, 25 May 2017 22:34:09 GMT
policy doc - built-in func warning, revise hdfs/hive considers


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/e85f3a49
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/e85f3a49
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/e85f3a49

Branch: refs/heads/release/2.2.0.0-incubating
Commit: e85f3a49ec1721c6f08567b782d537a691b5928e
Parents: a3ebec2
Author: Lisa Owen <lowen@pivotal.io>
Authored: Fri Apr 7 15:24:12 2017 -0700
Committer: Lisa Owen <lowen@pivotal.io>
Committed: Fri Apr 7 17:41:31 2017 -0700

----------------------------------------------------------------------
 markdown/ranger/ranger-policy-creation.html.md.erb | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/e85f3a49/markdown/ranger/ranger-policy-creation.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-policy-creation.html.md.erb b/markdown/ranger/ranger-policy-creation.html.md.erb
index 5bd12b4..ec78c35 100644
--- a/markdown/ranger/ranger-policy-creation.html.md.erb
+++ b/markdown/ranger/ranger-policy-creation.html.md.erb
@@ -319,10 +319,13 @@ Make note of the following considerations when employing Ranger authorization
fo
 
 - `CREATE LANGUAGE` commands (superuser-only) issued for non-built-in languages (pljava,
plpython, ..) require the `usage` permission for the `c` language.
 
-- If Ranger is enabled for Hive authorization in your HAWQ cluster:
-    -  Create Hive policy(s) providing the user `pxf` access to any Hive tables you want
to expose via PXF HCatalog integration or HAWQ PXF external tables.
-    - The HAWQ policies providing access to PXF HCatalog integration must identify database
`hcatalog`, schema `<hive-schema-name>`, and table `<hive-table-name>` resources.
 These privileges are required in addition to any Hive policies for user `pxf` when Ranger
is enabled for Hive authorization.
+- Using built-in functions may generate the message:  “WARNING: usage privilege of namespace
\<schema-name\> is required.” This message is displayed even though the usage permission
on \<schema-name\> is not actually required to execute the built-in function.
 
-- If you have enabled Ranger authorization for HDFS in your HAWQ cluster:
-    -  Create an HDFS policy(s) providing user `gpadmin` access to the HDFS HAWQ filespace.
-    -  If you plan to use PXF external tables to read and write HDFS data, create HDFS policies
providing user `pxf` access to the HDFS files backing your PXF external tables.
+- When Ranger authorization is enabled for HDFS in your HAWQ cluster:
+    - The HDFS `xasecure.add-hadoop-authorization` property determines whether or not HDFS
access controls are used as a fallback when no policy exists for a given HDFS resource. HAWQ
access to HDFS is not affected when the `xasecure.add-hadoop-authorization` property is set
to `true`. When this property is set to `false`, you must define HDFS Ranger policies permitting
the `gadmin` HAWQ user read/write/execute access to the HAWQ HDFS filespace. 
+    - Access to HDFS-backed PXF external tables is not affected by the `xasecure.add-hadoop-authorization`
property value, since the `pxf` user is a member of the `hdfs` superuser group.
+
+- Hive Ranger policies cannot control PXF access to Hive tables.
+    -  When Ranger authorization is enabled for HAWQ, the `gpadmin` user has access permissions
to all Hive tables exposed through PXF external tables and HCatalog integration.
+    - Other HAWQ users may gain access to Hive-backed PXF external tables when provided `usage-schema`
and `create` permissions on the `public` or any private schema. To restrict this access, selectively
assign permissions to the `pxf` protocol. 
+    - HCatalog access to Hive tables is restricted by default when Ranger authorization is
enabled for HAWQ; you must create policies to explicitly allow this access.
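Review bot: The added HDFS bullet names the HAWQ user as `gadmin` ("permitting the `gadmin` HAWQ user read/write/execute access"), while the removed HDFS text and the new Hive bullet both use `gpadmin`. This looks like a typo and should read `gpadmin`, because a reader who copies the name into a Ranger HDFS policy while `xasecure.add-hadoop-authorization` is `false` would not be granting access to the intended user. Separately, the second HDFS sub-bullet says PXF access is unaffected because `pxf` is in the `hdfs` superuser group; it would help to state plainly that HDFS Ranger policies therefore do not restrict PXF, in the same way the Hive bullet opens with "Hive Ranger policies cannot control PXF access to Hive tables." As a style point, the warning message in the built-in functions bullet is wrapped in curly quotes and would be easier to search for if set in code formatting.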

