Repository: incubator-hawq-docs
Updated Branches:
  refs/heads/feature/ranger-integration a16d160cc -> 5ef01c775


Reconcile Feature/ranger integration branches (closes #105)


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/5ef01c77
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/5ef01c77
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/5ef01c77

Branch: refs/heads/feature/ranger-integration
Commit: 5ef01c77565b8fce5dbfe48ff836a53df68c468a
Parents: a16d160
Author: Jane Beckman <[email protected]>
Authored: Thu Mar 30 12:30:55 2017 -0700
Committer: David Yozie <[email protected]>
Committed: Thu Mar 30 12:30:55 2017 -0700

----------------------------------------------------------------------
 .../ranger-integration-config.html.md.erb       | 44 ++++++++++++++++----
 markdown/ranger/ranger-overview.html.md.erb     |  2 +-
 2 files changed, 36 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/5ef01c77/markdown/ranger/ranger-integration-config.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-integration-config.html.md.erb 
b/markdown/ranger/ranger-integration-config.html.md.erb
index 0a695de..8b687b5 100644
--- a/markdown/ranger/ranger-integration-config.html.md.erb
+++ b/markdown/ranger/ranger-integration-config.html.md.erb
@@ -30,9 +30,11 @@ The Ranger Administrative UI is installed when you install 
HDP. You configure th
 
 Installing or upgrading to HAWQ 2.2.0 installs the HAWQ Ranger Plug-in 
Service, but neither configures nor registers the plug-in.  
 
-In order to use Ranger for managing HAWQ authentication events, you must first 
install and register several HAWQ JAR files on the Ranger Administration host. 
This is a one-time configuration that establishes connectivity to your HAWQ 
cluster from the Ranger Administration host. After you have registered the JAR 
files, you enable or disable Ranger integration in HAWQ by setting the 
`hawq_acl_type` configuration parameter. After Ranger integration is enabled, 
you must use the Ranger interface to create all security policies to manage 
access to HAWQ resources. Ranger is pre-populated only with several policies to 
allow `gpadmin` superuser access to default resources. See [Creating HAWQ 
Authorization Policies in Ranger](ranger-policy-creation.html) for information 
about creating policies in Ranger.
+To use Ranger for managing HAWQ authentication events, you must first install 
and register several HAWQ JAR files on the Ranger Administration host. This 
one-time configuration establishes connectivity to your HAWQ cluster from the 
Ranger Administration host. 
+
+After registering the JAR files, you enable or disable Ranger integration in 
HAWQ by setting the `hawq_acl_type` configuration parameter. After Ranger 
integration is enabled, you must use the Ranger interface to create all 
security policies to manage access to HAWQ resources. Ranger is only 
pre-populated with policies to allow `gpadmin` superuser access to default 
resources. See [Creating HAWQ Authorization Policies in 
Ranger](ranger-policy-creation.html) for information about creating policies in 
Ranger. When Ranger is enabled, all access to HAWQ resources is controlled by 
security policies on Ranger. 
 
-The following procedures describe each configuration activity.
+Use the following procedures to register the HAWQ Ranger Plug-in Service and 
enable Ranger authorization for HAWQ..
 
 ## <a id="prereq"></a>Prerequisites
 To use HAWQ Ranger integration, install a compatible Hadoop distribution and 
Apache Ranger 0.6. You must also have `admin` access to the **Ranger Admin UI**.
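Review bot: the rewritten opening sentence still says Ranger is used for "managing HAWQ authentication events", while the sentence added at the end of this hunk says the procedures "enable Ranger authorization for HAWQ". Everything else in the paragraph (security policies, access to HAWQ resources) is about authorization, so use "authorization" in both places. The same added sentence ends with a doubled period ("HAWQ.."). The new closing sentence of the second paragraph ("When Ranger is enabled, all access to HAWQ resources is controlled by security policies on Ranger.") repeats the earlier "you must use the Ranger interface to create all security policies" point and now sits after the "See ..." link; merge the two and keep the link last.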
@@ -69,13 +71,25 @@ To use HAWQ Ranger integration, install a compatible Hadoop 
distribution and Apa
     Log in to the HAWQ master node as the `gpadmin` user and execute the 
`enable-ranger-plugin.sh` script. Ensure \<hawq_master\> identifies the fully 
qualified domain name of the HAWQ master node. For example:
 
     ``` bash
+    sudo su - gpadmin
     gpadmin@master$ cd /usr/local/hawq/ranger/bin
     gpadmin@master$ ./enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p 
admin -h hawq_master:5432 -w gpadmin -q gpadmin
     ```
     
+    ***Note*** You can also enter the short form of the command: 
`./enable-ranger-plugin.sh -r` and the script will prompt you for entries. 
+    
     When the script completes, the default HAWQ service definition is 
registered in the Ranger Admin UI. This service definition is named `hawq`.
 
-6. Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ 
access for \<hawq_user\> on the \<ranger-admin-node\>. For example, you would 
add an entry similar to the following for the example `enable-ranger-plugin.sh` 
call above:
+6. Locate the `pg_hba.conf` file on the HAWQ master node, for example:
+ 
+    ``` bash
+    gpadmin@master$ hawq config --show hawq_master_directory
+     GUC               : hawq_master_directory
+     Value             : /data/hawq/master
+
+    ```
+
+    Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ 
access for \<hawq_user\> on the \<ranger-admin-node\>. For example, you would 
add an entry similar to the following for the example `enable-ranger-plugin.sh` 
call above:
 
     ``` bash
     host  all     gpadmin    ranger_host/32       trust
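Review bot: the new step 6 says "Locate the `pg_hba.conf` file" but the example only prints `hawq_master_directory` and never states that `pg_hba.conf` is in that directory (`/data/hawq/master` in the sample output). Add that sentence and drop the empty line before the closing fence. The added `sudo su - gpadmin` line has no prompt while the lines after it use `gpadmin@master$`, so show it with the prompt of the user who runs it. Because the full example puts credentials on the command line (`-u admin -p admin`), the new note about `./enable-ranger-plugin.sh -r` prompting for entries is worth presenting as the way to keep them out of shell history. The `trust` entry shown for `ranger_host/32` lets `gpadmin` connect from that host without a password, and the step should say so.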
@@ -87,19 +101,31 @@ To use HAWQ Ranger integration, install a compatible 
Hadoop distribution and Apa
     gpadmin@master$ hawq stop cluster --reload
     ```
 
-7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin 
UI in Ambari, click the edit icon associated with the `hawq` service 
definition. Ensure that the Active Status is set to Enabled, and click the 
**Test Connection** button. You should receive a message that Ranger connected 
succesfully.  If it fails to connect, edit your HAWQ connectivity properties 
directly in the Ranger Admin UI and re-test the connection.
+7.  When setup is complete, use the fully-qualified domain name to log into 
the Ambari server. Use the Ranger link in the left nav to bring up the Ranger 
Summary pane in the HAWQ Ambari interface. Use the Quick Links to access 
Ranger. This link will take you to the Ranger Login interface. 
+
+8.  Log into the Ranger Access Manager. You will see a list of icons under the 
Service Manager. Click the **Edit** icon on the right, under the HAWQ service 
icon. Ensure that the Active Status is set to Enabled, and click the **Test 
Connection** button. You should receive a message that Ranger connected 
successfully.  If it fails to connect, you may need to edit your Ranger 
connection in  `pg_hba.conf,` perform 
+
+  ``` bash
+   gpadmin@masterhawq stop cluster --reload
+   ```
+  and re-test the connection.
 
 
 ## <a id="enable"></a>Step 2: Configure HAWQ to Use Ranger Policy Management
 
-The default Ranger service definition for HAWQ assigns the HAWQ user 
(typically `gpadmin`) all privileges to all objects. 
+The default Ranger service definition for HAWQ assigns the HAWQ administrator 
(typically `gpadmin`) all privileges to all objects. 
 
-**Warning**: If you enable HAWQ-Ranger authorization with only the default 
HAWQ service policies defined, other HAWQ users will have no privileges, even 
for HAWQ objects (databases, tables) that they own.
-
-1. Select the **HAWQ** Service, and then select the **Configs** tab.
+Once the connection between HAWQ and Ranger is configured, you can either set 
up policies for the HAWQ users according to the procedures in [Creating HAWQ 
Authorization Policies in Ranger](ranger-policy-creation.html) or enable Ranger 
with only the default policies. 
+
+**Note**: Any authorization defined using GRANT commands will no longer apply 
after enabling HAWQ Ranger. Only gpadmin access is allowed when Ranger is first 
initialized.
+
+1. On Ambari, select the **HAWQ** Service, and then select the **Configs** tab.
 2. Select the **Advanced** tab, and then expand **Custom hawq-site**.
 4. Click **Add Property...** and add the new property, `hawq_acl_type=ranger` 
property. (If the property already exists, change its value from `standalone` 
(the default) to `ranger`.)
 5. Click **Save** to save your changes.
 6. Select **Service Actions > Restart All** and confirm that you want to 
restart the HAWQ cluster.
 
-## <a id="caching"></a>Changing the Frequency of Policy Caching
+
+## <a id="caching"></a>Changing the Frequency of Policy Caching
+ 
+You may wish to change the frequency of policy caching to suit your individual 
needs.
\ No newline at end of file
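Review bot: the command in the new step 8 reads `gpadmin@masterhawq stop cluster --reload`; the prompt and the command have run together, and it should be `gpadmin@master$ hawq stop cluster --reload` as in step 6. The fence and the "and re-test the connection." line are indented two and three spaces instead of the four used elsewhere in the list, and the sentence before them trails off at "`pg_hba.conf,` perform" with the comma inside the backticks. Separately, replacing the **Warning** with the **Note** drops the statement that other users have no privileges "even for HAWQ objects (databases, tables) that they own". Keep that clause, since the new text offers enabling Ranger with only the default policies as an option. The Policy Caching section now has a one-sentence body that does not say how to change the frequency, and the file ends without a newline.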

http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/5ef01c77/markdown/ranger/ranger-overview.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-overview.html.md.erb 
b/markdown/ranger/ranger-overview.html.md.erb
index b038461..56b45be 100644
--- a/markdown/ranger/ranger-overview.html.md.erb
+++ b/markdown/ranger/ranger-overview.html.md.erb
@@ -27,7 +27,7 @@ HAWQ supports using Apache Ranger for authorizing user access 
to HAWQ resources.
 ## <a id="arch"></a>Policy Management Architecture
 Each HAWQ installation includes a Ranger plug-in service to support Ranger 
Policy management. The Ranger plug-in service implements the Ranger REST API to 
bridge all requests between the Ranger Policy Manager and a HAWQ instance. 
 
-HAWQ also provides a JAR library that enables the Ranger Policy Manager to 
lookup HAWQ metadata (the names of databases, schemas, tables, and so forth) to 
populate the user interface and assist in creating new policies. This JAR uses 
a JDBC connection to HAWQ, and requires a one-time registration with the Ranger 
Policy Manager. See [Configuring HAWQ to use Ranger Policy 
Management](ranger-integration-config.html#enable). 
+HAWQ also provides a JAR library that enables the Ranger Policy Manager to 
lookup HAWQ metadata (the names of databases, schemas, tables, and so forth) to 
populate the user interface and assist in creating new policies. This JAR uses 
a JDBC connection to HAWQ, and requires a one-time registration with the Ranger 
Policy Manager. 
 
 A single configuration parameter, `hawq_acl_type` determines whether HAWQ 
defers all policy management to Ranger via the plug-in service, or whether HAWQ 
handles authorization natively using catalog tables. By default, HAWQ uses SQL 
commands to create all access policies, and the policy information is stored in 
catalog tables.  When you enable Ranger integration for policy management, any 
authorization policies that you have configured in HAWQ using SQL no longer 
apply to your installation; you must create new policies using the Ranger 
interface. See [Creating HAWQ Authorization Policies in 
Ranger](ranger-policy-creation.html)
 
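Review bot: removing the link after "requires a one-time registration with the Ranger Policy Manager" leaves the reader with no pointer to the registration procedure. The old target (`ranger-integration-config.html#enable`) is the "Step 2: Configure HAWQ to Use Ranger Policy Management" heading rather than the JAR registration step, but the fix is to point the link at the registration steps in `ranger-integration-config.html` instead of dropping the reference. While this line is being touched, "lookup HAWQ metadata" should be "look up HAWQ metadata".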
