hawq-dev mailing list archives

From Lili Ma <...@pivotal.io>
Subject Re: HAWQ Ranger Integration Design Doc
Date Fri, 29 Jul 2016 04:51:56 GMT
@Jiali, very good questions!

1. If we want to use ranger, it must be from initial phase or shall we enable
ranger certification when we already have a running database?  Also similar
for upgrade from non-ranger HAWQ to ranger supported HAWQ. In create user
second part, if we only have gpadmin, how to map existing users?
Answer: We suggest using ranger from the initial phase, say, in hawq init
cluster. Whether to use ranger should be configured in hawq-site.xml.  If
someone does want to switch from a non-ranger version to a ranger version, we
will provide a user & policy migration tool to sync from HAWQ to Ranger, and
from Ranger to HAWQ (it's an offline migration). This is described in the Future
Work part of the design doc.  If this is necessary, we can adjust the priority
for this item. For user management, we're investigating the feasibility of
keeping gpadmin only, and will take the upgrade part into consideration. Thanks for this :)

2. If we use ranger, "create user in LDAP" will be the only entry for user
creation?
Will we still support "create user" in HAWQ? If yes, it will trigger sync
when creating a user, right?
Answer: If we use ranger, it makes sense to create users in third-party components
such as LDAP or the Unix system. I think we should not expose the "create user"
function of HAWQ to the public, since we need a centralized place to manage
user information. The ideal phenomenon is that when you create a user in
LDAP/Unix, the user information will be automatically synced to both Ranger
and HAWQ.

3. How to handle "drop user"? Will it drop all related policies in Ranger? What
about the user in linux ldap?
The same as Question 2. We should not allow the "drop user" command if Ranger
is configured.

Thanks
Lili

On Fri, Jul 29, 2016 at 11:02 AM, Jiali Yao <jyao@pivotal.io> wrote:

> Good to see ranger in HAWQ.
>
> I have some questions:
> 1. If we want to use ranger, it must be from initial phase or shall we
> enable ranger certification when we already have a running database?  Also
> similar for upgrade from non-ranger HAWQ to ranger supported HAWQ. In create
> user second part, if we only have gpadmin, how to map existing users?
>
> 2. If we use ranger, "create user in LDAP" will be the only entry for user
> creation? Will we still support "create user" in HAWQ? If yes, it will
> trigger sync when creating a user, right?
>
> 3. How to handle "drop user"? Will it drop all related policies in Ranger?
> What about the user in linux ldap?
>
> Thanks
>
> Jiali
>
>
> On Thu, Jul 28, 2016 at 4:48 PM, Hubert Zhang <hzhang@pivotal.io> wrote:
>
> > @ruilong
> > Q1: Yes, you can tune the sync interval parameter in the conf file of
> > UserSync; default is 5 mins for Unix.
> > Q2: If Ranger is down, all the queries in HAWQ cannot get privilege and
> > will be refused. New connections to HAWQ should be refused too.
> >
>
