Date: Tue, 3 Jan 2017 09:55:58 +0000 (UTC)
From: "Chunling Wang (JIRA)"
To: dev@hawq.incubator.apache.org
Subject: [jira] [Created] (HAWQ-1249) Don't do ACL checks on segments

Chunling Wang created HAWQ-1249:
-----------------------------------

             Summary: Don't do ACL checks on segments
                 Key: HAWQ-1249
                 URL: https://issues.apache.org/jira/browse/HAWQ-1249
             Project: Apache HAWQ
          Issue Type: Sub-task
          Components: Security
            Reporter: Chunling Wang
            Assignee: Ed Espino

HAWQ does ACL checks on segments, which we think is not necessary for QE because there is no catalog data on segments. Even if a hacker can connect to a segdb with GP_ROLE_EXECUTE, he cannot do any queries, whereas he can on Greenplum because there is catalog data on segments. Furthermore, in Ranger checks, if all segments do the same checks as the master with RPS, it costs a lot and affects the performance.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)