hawq-dev mailing list archives

From lisakowen <...@git.apache.org>
Subject [GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...
Date Wed, 29 Mar 2017 23:12:34 GMT
Github user lisakowen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108807397
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -30,9 +30,14 @@ The Ranger Administrative UI is installed when you install HDP. You
configure th
     
     Installing or upgrading to HAWQ 2.2.0 installs the HAWQ Ranger Plug-in Service, but neither
configures nor registers the plug-in.  
     
    -In order to use Ranger for managing HAWQ authentication events, you must first install
and register several HAWQ JAR files on the Ranger Administration host. This is a one-time
configuration that establishes connectivity to your HAWQ cluster from the Ranger Administration
host. After you have registered the JAR files, you enable or disable Ranger integration in
HAWQ by setting the `hawq_acl_type` configuration parameter. After Ranger integration is enabled,
you must use the Ranger interface to create all security policies to manage access to HAWQ
resources. Ranger is pre-populated only with several policies to allow `gpadmin` superuser
access to default resources. See [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html)
for information about creating policies in Ranger.
    +To use Ranger for managing HAWQ authentication events, you must first install and register
several HAWQ JAR files on the Ranger Administration host. This one-time configuration establishes
connectivity to your HAWQ cluster from the Ranger Administration host. 
    +
    +The `hawq_acl_type` configuration parameter allows you to shift between managing access
policies through the HAWQ native interface or the Ranger policy manager. Ranger is initially
started started with the `hawq_acl_type` parameter set to `standalone.` After configuring
Ranger access policies, you set the `hawq_acl_type` configuration parameter to `ranger` to
enable Ranger policy management. 
    +
    +Once HAWQ Ranger is enabled, access to HAWQ resources is controlled by security policies
on Ranger. Access policies must be explicitly set for all groups and users, as Ranger has
no knowledge of any access policies set up in the HAWQ native interface and its default is
to disallow access. When first integrated, Ranger is only pre-populated with policies that
allow `gpadmin` superuser access to default resources. When Ranger is enabled, you cannot
manage HAWQ access  through its native interface. 
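Review bot: The second added paragraph, "Ranger is initially started started with the `hawq_acl_type` parameter set to `standalone.`", has a doubled "started" and puts the sentence's period inside the backticks, so the value reads as `standalone.` rather than `standalone`. The removed text describes `hawq_acl_type` as a setting in HAWQ, so "HAWQ is initially started with ..." would also match the rest of the hunk better than "Ranger is initially started". The first added paragraph carries over "authentication events" from the removed line, while everything else here concerns access policies, so "authorization" looks like the intended word. The third paragraph states that Ranger's default is to disallow access and that only `gpadmin` policies are pre-populated, but the rewrite drops the removed line's link to "Creating HAWQ Authorization Policies in Ranger" (ranger-policy-creation.html); keeping that cross-reference next to the default-deny sentence would point readers to the step they need before setting `hawq_acl_type` to `ranger`. There is also a double space in "manage HAWQ access  through".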
    --- End diff --
    
    "When Ranger authorization for HAWQ is enabled,"  
    
    I think the original text that was in place here looks good.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
