@Jiali, very good questions!

1. If we want to use ranger, it must be from initial phase or shall we enable range certification when we already have a running database? Also similar for upgrade from non-ranger HAWQ to range supported HAWQ. In create user second part, if we only have gpadmin, how to mapping existing user?

Answer: We suggest using Ranger from the initial phase, say, in hawq init cluster. Whether to use Ranger should be configured in hawq-site.xml. If someone does want to switch from a non-Ranger version to a Ranger version, we will provide a user & policy migration tool to sync from HAWQ to Ranger, and from Ranger to HAWQ (it's an offline migration). This is described in the Future Work part of the design doc. If this is necessary, we can adjust the priority for this item. For user management, we're investigating the feasibility of keeping gpadmin only, and will take the upgrade part into consideration. Thanks for this :)
2. If we use ranger, "create user in LDAP" will be only entry for user creation? Will we still support "create user" in HAWQ? If yes, it will trigger sync when create user right?

Answer: If we use Ranger, it makes sense to create users in third components such as LDAP or the Unix system. I think we should not expose the "create user" function of HAWQ to the public, since we need a centralized place to manage user information. The ideal phenomenon is that when you create a user in LDAP/Unix, the user information will automatically be synced to both Ranger and HAWQ.

3. How to handling "drop user"? Will drop all related policy in Ranger? What about user in linux ldap?

The same as Question 2. We should not allow the "drop user" command if Ranger is configured.

Thanks
Lili

On Fri, Jul 29, 2016 at 11:02 AM, Jiali Yao <[email protected]> wrote:

> Good to see ranger in HAWQ.
>
> I have some questions:
> 1. If we want to use ranger, it must be from initial phase or shall we
> enable range certification when we already have a running database? Also
> similar for upgrade from non-ranger HAWQ to range supported HAWQ. In create
> user second part, if we only have gpadmin, how to mapping existing user?
>
> 2. If we use ranger, "create user in LDAP" will be only entry for user
> creation? Will we still support "create user" in HAWQ? If yes, it will
> trigger sync when create user right?
>
> 3. How to handling "drop user"? Will drop all related policy in Ranger?
> What about user in linux ldap?
>
> Thanks
>
> Jiali
>
>
> On Thu, Jul 28, 2016 at 4:48 PM, Hubert Zhang <[email protected]> wrote:
>
> > @ruilong
> > Q1: yes, you can tune the sync interval parameter in conf file of
> > UserSync, default is 5mins for Unix
> > Q2: If Ranger is down, all the queries in HAWQ cannot get privilege and
> > will be refused. New connections to HAWQ should be refused too.
> >
