From: interma
To: dev@hawq.incubator.apache.org
Reply-To: dev@hawq.incubator.apache.org
Mailing-List: contact dev-help@hawq.incubator.apache.org; run by ezmlm
Subject: [GitHub] incubator-hawq-docs pull request #128: HAWQ-1479 - doc ranger kerberos integ...
Message-Id: <20170713082959.42ACADFC33@git1-us-west.apache.org>
Date: Thu, 13 Jul 2017 08:29:59 +0000 (UTC)

Github user interma commented on a diff in the pull request:

https://github.com/apache/incubator-hawq-docs/pull/128#discussion_r127154422

--- Diff: markdown/ranger/ranger-kerberos.html.md.erb ---
@@ -0,0 +1,209 @@ +--- +title: HAWQ Ranger Kerberos Integration +--- + + + +When you have enabled Ranger Authorization for HAWQ, your HAWQ installation includes the Ranger Administrative UI and HAWQ Ranger Plug-in Service. + +Specific HAWQ Ranger configuration is required when Kerberos authentication is enabled for HAWQ or for Ranger. You must configure Kerberos support for: + +- HAWQ resource lookup by the Ranger Administration host during HAWQ policy definition +- HAWQ Ranger Plug-in Service communication with the Ranger Administration host for policy refresh + +Use the following procedures to configure Kerberos support for your Ranger-authorized HAWQ cluster. + +## Prerequisites + +Before you configure Kerberos for your Ranger-authorized HAWQ cluster, ensure that you have: + +- Installed Java 1.7.0\_17 or later on all nodes in your cluster. Java 1.7.0_17 is required to use Kerberos-authenticated JDBC on Red Hat Enterprise Linux 6.x or 7.x. +- (Non-OpenJDK Java installations) Installed the Java Cryptography Extension (JCE) on all nodes in your cluster. + - If you manage your cluster with Ambari, you installed the JCE on each node before you enabled Kerberos with the Ambari **Kerberos Security Wizard**. + - If you manage your cluster from the command line, you must manually install the extension on these systems. +- Noted the host name or IP address of your Ranger Administration host (\) and HAWQ master (\) nodes. +- Identified an existing Kerberos Key Distribution Center (KDC) or set up your KDC as described in [Install and Configure a Kerberos KDC Server](../clientaccess/kerberos.html#task_setup_kdc). + - Note the host name or IP address of your KDC (\). + - Note the name of the Kerberos \ in which your cluster resides. +- Enabled Ranger Authorization for HAWQ. See [Configuring HAWQ to use Ranger Policy Management](ranger-integration-config.html). 
+ + +## Configure Ranger for Kerberized HAWQ + +When you define HAWQ Ranger authorization policies, the Ranger Administration Host uses JDBC to connect to HAWQ during policy definition to look up policy resource names. When Kerberos user authentication is enabled for HAWQ, you must configure this connection for Kerberos. + +To configure Ranger access to a HAWQ cluster enabled with Kerberos user authentication, you must: + +- Identify an existing HAWQ administrative role or create a new HAWQ administrative role for Ranger lookup of HAWQ resources +- Create a Kerberos principal for the lookup role +- Update the Ranger HAWQ service definition + +### Procedure + +Perform the following procedure to enable the Ranger Administration Host to look up resources in your kerberized HAWQ cluster. You will perform operations on the HAWQ \, \, and \ nodes. + +1. Log in to the HAWQ master node and set up your environment: + + ``` shell + $ ssh gpadmin@ + gpadmin@master$ . /usr/local/hawq/greenplum_path.sh + ``` + +2. Identify an existing HAWQ administrative role or create a new HAWQ administrative role for Ranger resource lookup. For example, to create a new administrative role: + + ``` shell + gpadmin@master$ psql -c 'CREATE ROLE "rangerlookup_hawq" with LOGIN SUPERUSER;' + ``` + + You may choose a different name for the Ranger lookup role. + +3. Log in to the KDC server system and generate a principal for the HAWQ `rangerlookup_hawq` role. Substitute your Kerberos \. For example: + + ``` shell + $ ssh root@ + root@kdc-server$ kadmin.local -q "addprinc -pw changeme rangerlookup_hawq@REALM.DOMAIN" + ``` + 
--- End diff --

After this step, the user should validate the "rangerlookup_hawq" account:

```shell
# obtain a Kerberos ticket for the lookup principal
kinit rangerlookup_hawq
# check whether the connection to HAWQ succeeds
psql -d postgres -p 5432 -U rangerlookup_hawq -h hawq-host
```

So if something is wrong, the user can detect it earlier.
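Review bot: in step 3 the example `root@kdc-server$ kadmin.local -q "addprinc -pw changeme rangerlookup_hawq@REALM.DOMAIN"` passes the principal's password as a command-line argument, so it is recorded in the root shell history on the KDC; suggest telling readers to replace `changeme` with a strong password and to omit `-pw` so that `kadmin.local` prompts for it instead. Related: step 2 creates the lookup role with `CREATE ROLE "rangerlookup_hawq" with LOGIN SUPERUSER;`, and the text does not say why resource lookup over JDBC needs superuser; a sentence justifying that, or a note on a narrower privilege set, would help readers apply least privilege to a credential that the Ranger Administration host will hold.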