hawq-dev mailing list archives

From Lili Ma <lil...@apache.org>
Subject Ranger Discussion: Scope for HAWQ Ranger Integration
Date Wed, 25 Jan 2017 08:55:01 GMT
Hi All,


We propose the following Scope for the first release of HAWQ Ranger
integration. Please comment and provide feedback. Thanks a lot!


In Scope

   1. Basic objects, including non-heap table checks, are kept on the Ranger
      side. This includes (refer to the detailed explanation of the GRANT
      command in the HAWQ document
      http://hdb.docs.pivotal.io/211/hawq/reference/sql/GRANT.html):
      1. Database: Create Schema (short as Create), Connect database (short as
         Connect), and Create Temp Table (short as Temp).
      2. Tablespace: Create table and database under this tablespace (short
         as Create).
      3. Schema: create table or select from table under this schema (short
         as Usage), Create table under this schema (short as Create).
      4. Table: Select from this table (short as Select), Insert into this
         table (short as Insert).
      5. Sequence: running select from this sequence (short as Select),
         update the value for this sequence (short as Update).
      6. Function: Execution of this function (short as Execute).
      7. Language: Usage of this language (short as Usage).
      8. Protocol: Select data through this protocol (short as Select),
         Insert data through this protocol (short as Insert).
   2. Superuser checks for HDFS data are kept on the Ranger side, same as 1),
      while the checks below are kept on the HAWQ side. Below are the
      behaviors which are strictly restricted to superuser.
      1. create cast: when function is NULL
      2. create filespace
      3. create/remove/alter foreign-data wrapper
      4. create function: for an untrusted language, only superuser can
         create a function.
      5. create/drop procedural language
      6. create/drop/alter resource queue
      7. create tablespace: this means the privilege to create a tablespace,
         which only superuser can do. But the CREATE privilege for a
         tablespace means creating database/table/index... in the
         tablespace, which is managed by Ranger.
      8. create external table: only superuser can create an EXECUTE external
         web table or create an external table with a file protocol (but in
         HAWQ 2.0, the file protocol is not supported any more).
      9. create operator class
      10. copy: only superuser can copy to or from a file. When Ranger is
          configured, the superuser cannot run copy to or from when he
          doesn't have the select or insert privilege for that table.
      11. alter state of system triggers
      12. some built-in functions, including
          - pg_logdir_ls
          - pg_ls_dir
          - pg_read_file
          - pg_reload_conf
          - pg_rotate_logfile
          - pg_signal_backend
          - pg_start_backup
          - pg_stat_file
          - pg_stat_get_activity
          - pg_stat_get_backend_activity_start
          - pg_stat_get_backend_activity
          - pg_stat_get_backend_client_addr
          - pg_stat_get_backend_client_port
          - pg_stat_get_backend_start
          - pg_stat_get_backend_waiting
          - pg_stop_backup
          - pg_switch_xlog
          - pg_stat_reset
   3. Catalog table/system embedded function/owner check kept on the HAWQ
      side
   4. Forbid grant/revoke command for non-heap table in HAWQ once Ranger is
      configured
   5. Documents telling people that if they first enable Ranger and then
      don't want to use it, they need to manually recreate all the Ranger
      policies on HAWQ's own side
   6. Documents for how to enable Ranger in Ambari: first set ranger off,
      init HAWQ master, then set ranger on, and then restart the HAWQ
      cluster.


Out of Scope for the first Release

   1. Ambari modification: we just use Ambari's customized GUC for the first
      release instead of adding a new GUC, so no change from the Ambari side
   2. Kerberos/SSL connection from HAWQ to RPS and RPS to Ranger
   3. HA: there are two levels of HA: Ranger Server HA and RPS HA. For Ranger
      Server HA, RPS needs to be designed to be tolerant of this; for RPS HA,
      HAWQ master and standby master should be able to connect to another
      RPS if one is down.
   4. Catalog table/system embedded function/owner check in Ranger
   5. Allow both Grant/Revoke command and Ranger side ACL control for the
      same objects such as non-heap table
   6. Tool for converting all privileges defined in Ranger to HAWQ
      grant/revoke command
   7. Tool for syncing HAWQ user information from LDAP
   8. Ranger check for drop table/create database


Best Regards,
Lili
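The two-layer split the proposal describes (superuser-only gates and owner checks staying in HAWQ, basic-object privileges looked up in Ranger, COPY keeping its superuser gate but also needing the table's SELECT or INSERT in Ranger, and GRANT/REVOKE on non-heap tables refused once Ranger is on) is modeled below as an added Python example. It is not part of the original message and is not HAWQ's or Ranger's code: the `RangerPolicies` class, the policy rows, the user and table names are constructed stand-ins, and the non-Ranger fallback is simplified to "superuser only" because HAWQ's local grants are outside this example.

```python
from dataclasses import dataclass

# Privileges the proposal moves to Ranger, keyed by object type
# (the "short as ..." names from the In Scope list).
RANGER_PRIVILEGES = {
    "database": {"create", "connect", "temp"},
    "tablespace": {"create"},
    "schema": {"usage", "create"},
    "table": {"select", "insert"},
    "sequence": {"select", "update"},
    "function": {"execute"},
    "language": {"usage"},
    "protocol": {"select", "insert"},
}

# Operations the proposal keeps on the HAWQ side as superuser-only gates.
SUPERUSER_ONLY = {
    "create filespace",
    "create tablespace",
    "create procedural language",
    "create resource queue",
    "create operator class",
    "create execute external web table",
}


@dataclass(frozen=True)
class Policy:
    """One Ranger-style policy row: user may exercise these privileges on an object."""
    user: str
    obj_type: str
    obj_name: str
    privileges: frozenset


class RangerPolicies:
    """Constructed stand-in for the Ranger policy lookup (not the real RPS API)."""

    def __init__(self, policies):
        self._policies = list(policies)

    def allows(self, user, obj_type, obj_name, privilege):
        return any(
            p.user == user and p.obj_type == obj_type
            and p.obj_name == obj_name and privilege in p.privileges
            for p in self._policies
        )


@dataclass(frozen=True)
class Session:
    user: str
    is_superuser: bool
    ranger_enabled: bool


def check_object_privilege(session, ranger, obj_type, obj_name, privilege):
    """Basic-object privilege check. With Ranger configured the decision comes
    from Ranger policies; without it HAWQ's own ACL applies (simplified here
    to 'superuser only', since local grants are outside this example)."""
    if privilege not in RANGER_PRIVILEGES.get(obj_type, set()):
        raise ValueError(f"{privilege!r} is not a Ranger-managed privilege on {obj_type}")
    if not session.ranger_enabled:
        return session.is_superuser
    return ranger.allows(session.user, obj_type, obj_name, privilege)


def check_superuser_operation(session, operation):
    """Operations that stay restricted to superuser in HAWQ regardless of Ranger."""
    if operation not in SUPERUSER_ONLY:
        raise ValueError(f"{operation!r} is not a superuser-only operation")
    return session.is_superuser


def check_copy_file(session, ranger, table, direction):
    """COPY to/from a file keeps its superuser gate in HAWQ; once Ranger is
    configured the superuser additionally needs SELECT (COPY TO) or INSERT
    (COPY FROM) on the table in Ranger."""
    if direction not in ("to", "from"):
        raise ValueError("direction must be 'to' or 'from'")
    if not session.is_superuser:
        return False
    if not session.ranger_enabled:
        return True
    needed = "select" if direction == "to" else "insert"
    return ranger.allows(session.user, "table", table, needed)


def grant_allowed(session, obj_type):
    """GRANT/REVOKE on a non-heap table is refused once Ranger is configured,
    so the two ACL sources cannot diverge for the same object."""
    return not (session.ranger_enabled and obj_type == "table")


# Constructed sample policies and sessions (hypothetical names).
SAMPLE_RANGER = RangerPolicies([
    Policy("alice", "schema", "sales", frozenset({"usage"})),
    Policy("alice", "table", "sales.orders", frozenset({"select"})),
    Policy("admin", "table", "sales.orders", frozenset({"select"})),
])
ALICE = Session("alice", is_superuser=False, ranger_enabled=True)
ADMIN = Session("admin", is_superuser=True, ranger_enabled=True)
ADMIN_NO_RANGER = Session("admin", is_superuser=True, ranger_enabled=False)

if __name__ == "__main__":
    print(check_object_privilege(ALICE, SAMPLE_RANGER, "table", "sales.orders", "select"))  # True
    print(check_copy_file(ADMIN, SAMPLE_RANGER, "sales.orders", "from"))  # False: no INSERT in Ranger
    print(check_copy_file(ADMIN, SAMPLE_RANGER, "sales.orders", "to"))    # True
    print(grant_allowed(ADMIN, "table"))  # False
```

The point worth noticing is the COPY case: the superuser passes the HAWQ-side gate, but with Ranger configured the table privilege is still decided by the Ranger policy, so an operator auditing who can export or load a table has to read both the superuser list and the Ranger policies.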
