incorporate frank s madlib comments
Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/6be57c3b Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/6be57c3b Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/6be57c3b Branch: refs/heads/master Commit: 6be57c3bfed9399c6ec2bab2149f7250cc8878d9 Parents: e85f3a4 Author: Lisa Owen <[email protected]> Authored: Mon Apr 10 16:12:41 2017 -0700 Committer: Lisa Owen <[email protected]> Committed: Mon Apr 10 16:12:41 2017 -0700 ---------------------------------------------------------------------- markdown/ranger/madlib-ranger.html.md.erb | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/6be57c3b/markdown/ranger/madlib-ranger.html.md.erb ---------------------------------------------------------------------- diff --git a/markdown/ranger/madlib-ranger.html.md.erb b/markdown/ranger/madlib-ranger.html.md.erb index 8f6d55a..f074c30 100644 --- a/markdown/ranger/madlib-ranger.html.md.erb +++ b/markdown/ranger/madlib-ranger.html.md.erb @@ -22,21 +22,19 @@ under the License. --> -You can use MADlib, an open source library for in-database analytics, with your HAWQ installation. MADlib functions typically operate on source, output, and model tables. When Ranger is enabled for HAWQ authorization, you will need to provide access to all MADLib-related databases, schemas, tables, and functions to the appropriate users. +You can use MADlib, an open source library for in-database analytics, with your HAWQ installation. MADlib functions typically operate on source, output, and model tables. When Ranger is enabled for HAWQ authorization, you will need to explicitly provide access to all MADlib-related databases, schemas, tables, and functions to the appropriate users. -Consider the following when setting up HAWQ policies for MADlib access: +Consider the following when setting up HAWQ Ranger policies for MADlib access: -- Assign `temp` permission to the database on which users will run MADlib functions. -- MADlib users often share their output tables. If this is the case in your deployment, create a shared schema dedicated to output tables, assigning `usage-schema` and `create` privileges for all MADlib users to this shared schema. -- Assign `create-schema` database permission to those MADlib users that do not choose to share their output tables. +- Assign `temp` permission to the database(s) on which users will run MADlib functions. This permission is required because MADlib creates temporary tables at runtime. +- MADlib users often share their output tables. If this is the case in your deployment, create a shared schema dedicated to output tables, assigning `usage-schema` and `create` privileges to this shared schema to all MADlib users. + - When calling a MADlib function, prepend the output table name with the shared schema name; for example, `shared_schema.output_table1`. This ensures that all tables created by the MADlib function (model summary tables, dictionary tables, etc.) are written to the same, accessible shared schema. + - MADlib sometimes creates output tables in addition to the one specified by the user. Prepending the shared schema name to the output table name ensures that these MADlib-generated output tables are accessible. +- Assign the `create-schema` database permission to those MADlib users who choose not to share their output tables. This permits those users to create private schemas for their MADlib output tables, rendering them inaccessible to other users. - `madlib` Schema-Level Permissions + - By default, MADlib is installed in a schema named `madlib`. You can choose to install MADlib in a different schema. References to `madlib` in the list below apply to the schema in which you installed MADlib. - Assign `usage-schema` and `create` privileges to the `madlib` schema. - Assign `execute` permissions on all functions within the `madlib` schema, including any functions called within. - Assign `insert` and `select` permissions to all tables within the `madlib` schema. - Assign the `usage-schema` and `create` permissions for the current schema, and any schema in which the source, output, and model tables may reside. - -- Function-Specific Permissions - - Assign `insert` and `select` permissions for the source, output, and model tables. - - Assign `insert` and `select` permissions for the output \_summary and \__group tables. -
