deferring super-user events discussion to policy doc. Adding more clarifying 
info about non-HA support (closes #109)


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/6358aa44
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/6358aa44
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/6358aa44

Branch: refs/heads/master
Commit: 6358aa44fd57ee4edb0dac4a03b53b12b0974930
Parents: bb06233
Author: David Yozie <[email protected]>
Authored: Mon Apr 3 09:50:51 2017 -0700
Committer: David Yozie <[email protected]>
Committed: Mon Apr 3 09:50:51 2017 -0700

----------------------------------------------------------------------
 .../ranger-integration-config.html.md.erb       | 187 ++++++++++---------
 markdown/ranger/ranger-overview.html.md.erb     |   2 +-
 2 files changed, 95 insertions(+), 94 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/6358aa44/markdown/ranger/ranger-integration-config.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-integration-config.html.md.erb 
b/markdown/ranger/ranger-integration-config.html.md.erb
index 3da8e78..a168df1 100644
--- a/markdown/ranger/ranger-integration-config.html.md.erb
+++ b/markdown/ranger/ranger-integration-config.html.md.erb
@@ -21,17 +21,17 @@ specific language governing permissions and limitations
 under the License.
 -->
 
-Your HAWQ 2.2.0 installation includes the following HAWQ-related Ranger 
components:
-
-- Ranger Administrative UI
-- HAWQ Ranger Plug-in Service
-
-The Ranger Administrative UI is installed when you install HDP. You configure 
the Ranger service itself through Ambari. You configure HAWQ-Ranger 
authorization policies through the Ranger Administrative UI, which you can 
access at `http://<ranger-admin-node>:6080`. 
-
-Installing or upgrading to HAWQ 2.2.0 installs the HAWQ Ranger Plug-in 
Service, but neither configures nor registers the plug-in.  
-
-To use Ranger for managing HAWQ authentication events, you must first install 
and register several HAWQ JAR files on the Ranger Administration host. This 
one-time configuration establishes connectivity to your HAWQ cluster from the 
Ranger Administration host. 
-
+Your HAWQ 2.2.0 installation includes the following HAWQ-related Ranger 
components:
+
+- Ranger Administrative UI
+- HAWQ Ranger Plug-in Service
+
+The Ranger Administrative UI is installed when you install HDP. You configure 
the Ranger service itself through Ambari. You configure HAWQ-Ranger 
authorization policies through the Ranger Administrative UI, which you can 
access at `http://<ranger-admin-node>:6080`. 
+
+Installing or upgrading to HAWQ 2.2.0 installs the HAWQ Ranger Plug-in 
Service, but neither configures nor registers the plug-in.  
+
+To use Ranger for managing HAWQ authentication events, you must first install 
and register several HAWQ JAR files on the Ranger Administration host. This 
one-time configuration establishes connectivity to your HAWQ cluster from the 
Ranger Administration host. 
+
 After registering the JAR files, you enable or disable Ranger integration in 
HAWQ by setting the `hawq_acl_type` configuration parameter. When Ranger is 
enabled, all access to HAWQ resources is controlled through Ranger security 
policies. The HAWQ Ranger Plug-in pre-populates Ranger with HAWQ policies to 
allow `gpadmin` superuser access to all resources. See [Creating HAWQ 
Authorization Policies in Ranger](ranger-policy-creation.html) for information 
about creating policies in Ranger.
 
 Use the following procedures to register the HAWQ Ranger Plug-in Service and 
enable Ranger authorization for HAWQ.
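Review bot: the re-added sentence "To use Ranger for managing HAWQ authentication events" should say "authorization events". The other paragraphs in this hunk talk about "HAWQ-Ranger authorization policies" and "enable Ranger authorization for HAWQ", and the `hawq_acl_type` paragraph describes access control through Ranger security policies, not login. Since these lines are being rewritten anyway, fix the wording here. Separately, every removed line in this hunk is textually identical to the line that replaces it, so the change looks like whitespace or line-ending normalization; say so in the commit message or commit it separately, because it buries the actual wording changes under 187 changed lines.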
@@ -40,39 +40,40 @@ Use the following procedures to register the HAWQ Ranger 
Plug-in Service and ena
 To use HAWQ Ranger integration, install a compatible Hadoop distribution and 
Apache Ranger 0.6. You must also have `admin` access to the **Ranger Admin UI**.
 
 ## <a id="jar"></a>Step 1: Install Ranger Connectivity to HAWQ
-1. `ssh` into the Ranger Administration host as a user with root privileges:
+1. `ssh` into the Ranger Administration host as a user with root privileges:
 
     ``` bash
     $ ssh root@<ranger-admin-node>
     root@ranger-admin-node$ 
     ```
-2. Create the directory for the HAWQ JAR files:
+2. Create the directory for the HAWQ JAR files:
 
     ``` bash
     root@ranger-admin-node$ cd 
/usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/classes/ranger-plugins
     root@ranger-admin-node$ mkdir hawq
     ```
-3. Copy the necessary HAWQ JAR files (`postgresql-9.1-901-1.jdbc4.jar` and 
`ranger-plugin-admin-2.2.0.0.jar`) from the HAWQ master node to the new 
directory:
+3. Copy the necessary HAWQ JAR files (`postgresql-9.1-901-1.jdbc4.jar` and 
`ranger-plugin-admin-2.2.0.0.jar`) from the HAWQ master node to the new 
directory:
 
     ``` bash
     root@ranger-admin-node$ scp <hawq-master>:/usr/local/hawq/ranger/lib/*.jar 
./hawq
     ```
-4. Change the ownership of the new folder and JAR files to the `ranger` user:
+4. Change the ownership of the new folder and JAR files to the `ranger` user:
 
     ``` bash
     root@ranger-admin-node$ chown -R ranger:ranger hawq
     ```
-5. The `enable-ranger-plugin.sh` script configures Ranger connectivity to your 
HAWQ cluster. The command has the syntax:
+5. The `enable-ranger-plugin.sh` script configures Ranger connectivity to your 
HAWQ cluster. The command has the syntax:
 
     ``` pre
     enable-ranger-plugin.sh -r <ranger_admin_node>:<ranger_port> -u 
<ranger_user> -p <ranger_password> -h <hawq_master>:<hawq_port> -w <hawq_user> 
-q <hawq_password>
-    ```
+    ```
 
-    Log in to the HAWQ master node as the `gpadmin` user and execute the 
`enable-ranger-plugin.sh` script. Ensure that \<hawq_master\> identifies the 
fully qualified domain name of the HAWQ master node. For example:
+    Log in to the HAWQ master node as the `gpadmin` user and execute the 
`enable-ranger-plugin.sh` script. Ensure that \<hawq_master\> identifies the 
fully qualified domain name of the HAWQ master node. For example:
 
-    ``` bash
+    ``` bash
     gpadmin@master$ cd /usr/local/hawq/ranger/bin
     gpadmin@master$ ./enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p 
admin -h hawq_master:5432 -w gpadmin -q gpadmin
+
     RANGER URL  = ranger_host:6080
     RANGER User = admin
     RANGER Password = [*****]
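Review bot: the step 5 example, `./enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p admin -h hawq_master:5432 -w gpadmin -q gpadmin`, passes both the Ranger admin password and the HAWQ password as command-line arguments, where they land in shell history and are visible in the process list while the script runs. Suggest adding a sentence that `admin`/`admin` and `gpadmin`/`gpadmin` are placeholder credentials, and moving the Note about the prompting short form (`./enable-ranger-plugin.sh -r`) ahead of this example so readers see the option that keeps passwords off the command line first.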
@@ -84,82 +85,82 @@ To use HAWQ Ranger integration, install a compatible Hadoop 
distribution and Apa
     HAWQ service instance was not found in Ranger Admin, creating it.
     Updated POLICY_MGR_URL to http://ranger_host:6080 in 
/usr/local/hawq_2_2_0_0/ranger/etc/rps.properties
     Updated default value of JAVA_HOME to /usr/jdk64/jdk1.8.0_77 in 
/usr/local/hawq_2_2_0_0/ranger/etc/rps.properties
-    ```
-    
-    **Note**: You can also enter the short form of the command: 
`./enable-ranger-plugin.sh -r` and the script will prompt you for entries.
-    
-    When the script completes, the default HAWQ service definition is 
registered in the Ranger Admin UI. This service definition is named `hawq`.
-
-6. Locate the `pg_hba.conf` file in the master directory of the HAWQ master 
node. To display the HAWQ master directory:
- 
-    ``` bash
-    gpadmin@master$ hawq config --show hawq_master_directory
-    GUC                : hawq_master_directory
-    Value      : /data/hawq/master
-    ```
-
-    Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ 
access for \<hawq_user\> on the \<ranger-admin-node\>. For example, you would 
add an entry similar to the following for the example `enable-ranger-plugin.sh` 
call above:
-
-    ``` bash
-    host  all     gpadmin    ranger_host/32       trust
-    ```
-
-    And reload HAWQ configuration:
-
-    ``` bash
-    gpadmin@master$ hawq stop cluster --reload
-    ```
-
-7.  After HAWQ reloads the configuration, use the fully-qualified domain name 
to log into the Ambari server. Click the **Ranger** link to display the Ranger 
Summary page, then select **Quick Links > Ranger Admin UI**. 
-
-8.  Log into the Ranger Access Manager. Click the **Edit** button for the 
**HAWQ** service. Ensure that the Active Status is set to Enabled, and click 
**Test Connection**. You should receive a message that Ranger connected 
successfully.  If the connection fails, verify the `hawq` service Config 
Properties, as well as your `pg_hba.conf` entries, and re-test the connection.
-
-## <a id="enable"></a>Step 2: Configure HAWQ to Use Ranger Policy Management
-
-The default Ranger service definition for HAWQ assigns the HAWQ administrator 
(typically `gpadmin`) all privileges to all objects. 
-
+    ```
+    
+    **Note**: You can also enter the short form of the command: 
`./enable-ranger-plugin.sh -r` and the script will prompt you for entries.
+    
+    When the script completes, the default HAWQ service definition is 
registered in the Ranger Admin UI. This service definition is named `hawq`.
+
+6. Locate the `pg_hba.conf` file in the master directory of the HAWQ master 
node. To display the HAWQ master directory:
+ 
+    ``` bash
+    gpadmin@master$ hawq config --show hawq_master_directory
+    GUC                : hawq_master_directory
+    Value      : /data/hawq/master
+    ```
+
+    Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ 
access for \<hawq_user\> on the \<ranger-admin-node\>. For example, you would 
add an entry similar to the following for the example `enable-ranger-plugin.sh` 
call above:
+
+    ``` bash
+    host  all     gpadmin    ranger_host/32       trust
+    ```
+
+    And reload HAWQ configuration:
+
+    ``` bash
+    gpadmin@master$ hawq stop cluster --reload
+    ```
+
+7.  After HAWQ reloads the configuration, use the fully-qualified domain name 
to log into the Ambari server. Click the **Ranger** link to display the Ranger 
Summary page, then select **Quick Links > Ranger Admin UI**. 
+
+8.  Log into the Ranger Access Manager. Click the **Edit** button for the 
**HAWQ** service. Ensure that the Active Status is set to Enabled, and click 
**Test Connection**. You should receive a message that Ranger connected 
successfully.  If the connection fails, verify the `hawq` service Config 
Properties, as well as your `pg_hba.conf` entries, and re-test the connection.
+
+## <a id="enable"></a>Step 2: Configure HAWQ to Use Ranger Policy Management
+
+The default Ranger service definition for HAWQ assigns the HAWQ administrator 
(typically `gpadmin`) all privileges to all objects. 
+
 Once the connection between HAWQ and Ranger is configured, you can either set 
up policies for the HAWQ users according to the procedures in [Creating HAWQ 
Authorization Policies in Ranger](ranger-policy-creation.html) or enable Ranger 
with only the default policies. 
-
-**Note**: Any authorization defined using GRANT commands will no longer apply 
after enabling HAWQ Ranger. Only gpadmin access is allowed when Ranger is first 
initialized.
-
+
+**Note**: Any authorization defined using GRANT commands will no longer apply 
after enabling HAWQ Ranger. Only gpadmin access is allowed when Ranger is first 
initialized.
+
 1. On Ambari, select the **HAWQ** Service, and then select the **Configs** tab.
 2. Select the **Advanced** tab, and then expand **Custom hawq-site**.
 4. Click **Add Property...** and add the new property, `hawq_acl_type=ranger` 
property. (If the property already exists, change its value from `standalone` 
(the default) to `ranger`.)
 5. Click **Save** to save your changes.
-6. Select **Service Actions > Restart All** and confirm that you want to 
restart the HAWQ cluster.
-
-
-## <a id="customconfig"></a> Custom Configuration
-
-Configuration files for the HAWQ Ranger Plug-in Service are located in the 
`$GPHOME/ranger/etc` directory. These files include:
-
-| File     |  Description     |
-|-------------|---------------------------|
-| ranger-hawq-audit.xml |  HAWQ Ranger audit-related configuration, including 
the audit provider (log4j, Solr, HDFS) and provider-specific configuration |
-| ranger-hawq-security.xml |  HAWQ Ranger service configuration, including the 
policy change polling interval |
-| rps.properties |  HAWQ Ranger deployment-related configuration, including 
the HAWQ Ranger Plug-in Service port definition and JVM parameters|
-
-Any configuration changes you make after you have registered the HAWQ Ranger 
Plug-in require a restart of the service. You can either restart the HAWQ 
cluster or restart just the HAWQ Ranger Plug-in Service:
-
-``` shell
-gpadmin@master$ /usr/local/hawq/ranger/bin/rps.sh stop
-gpadmin@master$ /usr/local/hawq/ranger/bin/rps.sh start
-```
-
-### <a id="caching"></a>Changing the Frequency of Policy Caching
- 
-The default polling interval for HAWQ Ranger Plug-in Service policy updates is 
30 seconds. To increase or decrease this value, update the 
`ranger.plugin.hawq.policy.pollIntervalMs` property setting in the 
`ranger-hawq-security.xml` file:
-
-<pre>
-&lt;property&gt;
-    &lt;name&gt;ranger.plugin.hawq.policy.pollIntervalMs&lt;/name&gt;
-    <b>&lt;value&gt;30000&lt;/value&gt;</b>
-    &lt;description&gt;
-        How often to poll for changes in policies?
-    &lt;/description&gt;
-&lt;/property&gt;
-</pre>
-
-Provide a value in milliseconds.
-
-You must restart the HAWQ Ranger Plug-in Service as described above after 
updating the polling interval.
+6. Select **Service Actions > Restart All** and confirm that you want to 
restart the HAWQ cluster.
+
+
+## <a id="customconfig"></a> Custom Configuration
+
+Configuration files for the HAWQ Ranger Plug-in Service are located in the 
`$GPHOME/ranger/etc` directory. These files include:
+
+| File     |  Description     |
+|-------------|---------------------------|
+| ranger-hawq-audit.xml |  HAWQ Ranger audit-related configuration, including 
the audit provider (log4j, Solr, HDFS) and provider-specific configuration |
+| ranger-hawq-security.xml |  HAWQ Ranger service configuration, including the 
policy change polling interval |
+| rps.properties |  HAWQ Ranger deployment-related configuration, including 
the HAWQ Ranger Plug-in Service port definition and JVM parameters|
+
+Any configuration changes you make after you have registered the HAWQ Ranger 
Plug-in require a restart of the service. You can either restart the HAWQ 
cluster or restart just the HAWQ Ranger Plug-in Service:
+
+``` shell
+gpadmin@master$ /usr/local/hawq/ranger/bin/rps.sh stop
+gpadmin@master$ /usr/local/hawq/ranger/bin/rps.sh start
+```
+
+### <a id="caching"></a>Changing the Frequency of Policy Caching
+ 
+The default polling interval for HAWQ Ranger Plug-in Service policy updates is 
30 seconds. To increase or decrease this value, update the 
`ranger.plugin.hawq.policy.pollIntervalMs` property setting in the 
`ranger-hawq-security.xml` file:
+
+<pre>
+&lt;property&gt;
+    &lt;name&gt;ranger.plugin.hawq.policy.pollIntervalMs&lt;/name&gt;
+    <b>&lt;value&gt;30000&lt;/value&gt;</b>
+    &lt;description&gt;
+        How often to poll for changes in policies?
+    &lt;/description&gt;
+&lt;/property&gt;
+</pre>
+
+Provide a value in milliseconds.
+
+You must restart the HAWQ Ranger Plug-in Service as described above after 
updating the polling interval.
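Review bot: the step 6 example entry `host  all     gpadmin    ranger_host/32       trust` accepts any connection from the Ranger host to every database as the `gpadmin` superuser with no password, even though step 5 already hands Ranger a HAWQ password through `-q <hawq_password>`. Suggest showing a password-based method such as `md5` in the example, or at minimum a sentence stating that `trust` skips authentication for that host. Two smaller points in the Step 2 context lines: the numbered list jumps from 2 to 4, and "add the new property, `hawq_acl_type=ranger` property" repeats "property".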

http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/6358aa44/markdown/ranger/ranger-overview.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-overview.html.md.erb 
b/markdown/ranger/ranger-overview.html.md.erb
index 11ec69a..c728105 100644
--- a/markdown/ranger/ranger-overview.html.md.erb
+++ b/markdown/ranger/ranger-overview.html.md.erb
@@ -36,7 +36,7 @@ The Ranger plug-in service caches Ranger policies locally on 
each HAWQ node to a
 ## <a id="limitations"></a>Limitations of Ranger Policy Management in HAWQ 
2.2.0.0-incubating
 Neither Kerberos authentication nor SSL encryption is supported between a HAWQ 
node and the Ranger plug-in service, or between the plug-in service and the 
Ranger Policy Manager.
 
-The Ranger plug-in service is not compatible Highly-Available HAWQ 
deployments. Should you need to activate the standby master in your HAWQ 
cluster, you must manually update the HAWQ Ranger service definition with the 
new master node connection information.
+The Ranger plug-in service is not compatible with Highly-Available HAWQ 
deployments. Should you need to activate the standby master in your HAWQ 
cluster, you must manually update the HAWQ Ranger service definition with the 
new master node connection information.
 
 HAWQ supports setting user-level authorization policies with Ranger. These 
correspond to access policies that would typically be applied using the SQL 
`GRANT` command, and include authorization events for:
 

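Review bot: beyond the added "with", the limitation still tells the reader to "manually update the HAWQ Ranger service definition with the new master node connection information" without saying where that is done. Suggest linking to the **Edit** and **Test Connection** step for the `hawq` service in ranger-integration-config, and confirming whether the `pg_hba.conf` entry for the Ranger host also has to be present on the activated standby. The commit message promises more clarifying info about non-HA support, but this one-word fix is the only visible change on that topic. "Highly-Available" in mid-sentence would also read better as "highly available".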