hawq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dyozie <...@git.apache.org>
Subject [GitHub] incubator-hawq-docs pull request #105: Reconcile Feature/ranger integration ...
Date Thu, 30 Mar 2017 15:15:28 GMT
Github user dyozie commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108954206
  
    --- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
    @@ -84,19 +105,28 @@ The following procedures describe each configuration activity.
         gpadmin@master$ hawq stop cluster --reload
         ```
     
    -7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari,
click the edit icon associated with the `hawq` service definition. Ensure that the Active
Status is set to Enabled, and click the **Test Connection** button. You should receive a message
that Ranger connected succesfully.  If it fails to connect, edit your HAWQ connectivity properties
directly in the Ranger Admin UI and re-test the connection.
    +7.  When setup is complete, use the fully-qualified domain name to log into the Ambari
server. Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ
Ambari interface. Use the Quick Links to access Ranger. This link will take you to the Ranger
Login interface. 
    +
    +8.  Log into the Ranger Access Manager. You will see a list of icons under the Service
Manager. Click the click the icon marked `hawq` under the HAWQ icon to validate connectivity
between Ranger and HAWQ. A list of HAWQ policies will appear. 
    +
    +9.  Now return to the Service Manager and click the Edit icon on the right, under the
HAWQ service icon. Ensure that the Active Status is set to Enabled, and click the **Test Connection**
button. You should receive a message that Ranger connected succesfully.  If it fails to connect,
you may need to edit your Ranger connection in  `pg_hba.conf,` perform 
    +  ``` bash
    +   hawq restart cluster
    +   ```
    +  and re-test the connection.
     
     
     ## <a id="enable"></a>Step 2: Configure HAWQ to Use Ranger Policy Management
     
    -The default Ranger service definition for HAWQ assigns the HAWQ user (typically `gpadmin`)
all privileges to all objects. 
    +The default Ranger service definition for HAWQ assigns the HAWQ administrator (typically
`gpadmin`) all privileges to all objects. 
     
    -**Warning**: If you enable HAWQ-Ranger authorization with only the default HAWQ service
policies defined, other HAWQ users will have no privileges, even for HAWQ objects (databases,
tables) that they own.
    -
    -1. Select the **HAWQ** Service, and then select the **Configs** tab.
    +Once the connection between HAWQ and Ranger is configured, you can either set up policies
for the HAWQ users according to the procedures in [Creating HAWQ Authorization Policies in
Ranger](ranger-policy-creation.html) or enable Ranger with only the default policies. 
    --- End diff --
    
    I'm not sure it should be a warning, per se.  I think what should be called out here is
that if they had created any additional authorizations using `GRANT` commands, they will no
longer apply after enabling ranger, and HAWQ goes back to its initial state of gpadmin-only
access.  


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message