Sorry, there is something wrong with the format. Here is the revised version.

Hi All,

We propose the following scope for the first release of HAWQ Ranger integration. Please comment and provide feedback. Thanks a lot!

In Scope

1. Basic object checks, including non-heap tables, are kept on the Ranger side (refer to the detailed explanation of the GRANT command in the HAWQ document http://hdb.docs.pivotal.io/211/hawq/reference/sql/GRANT.html). They include:
   - Database: create schema (short as Create), connect to database (short as Connect), and create temp table (short as Temp).
   - Tablespace: create table and database under this tablespace (short as Create).
   - Schema: create table or select from table under this schema (short as Usage), create table under this schema (short as Create).
   - Table: select from this table (short as Select), insert into this table (short as Insert).
   - Sequence: run select from this sequence (short as Select), update the value of this sequence (short as Update).
   - Function: execution of this function (short as Execute).
   - Language: usage of this language (short as Usage).
   - Protocol: select data through this protocol (short as Select), insert data through this protocol (short as Insert).

2. Superuser checks for HDFS data are on the Ranger side, same as 1), while the checks below are kept on the HAWQ side. Below are the behaviours which are strictly restricted to superuser:
   - create cast: when function is NULL
   - create filespace
   - create/remove/alter foreign-data wrapper
   - create function: for an untrusted language, only a superuser can create a function.
   - create/drop procedural language
   - create/drop/alter resource queue
   - create tablespace: this means the privilege to create a tablespace, which only a superuser can do. But the CREATE privilege for a tablespace means creating a database/table/index... in the tablespace, which is managed by Ranger.
   - create external table: only a superuser can create an EXECUTE external web table or create an external table with a file protocol (but in HAWQ 2.0, the file protocol is not supported any more).
   - create operator class
   - copy: only a superuser can copy to or from a file. When Ranger is configured, the superuser can not run copy to or from when he doesn't have the select or insert privilege for that table.
   - alter state of system triggers
   - some built-in functions, including:
     - pg_logdir_ls
     - pg_ls_dir
     - pg_read_file
     - pg_reload_conf
     - pg_rotate_logfile
     - pg_signal_backend
     - pg_start_backup
     - pg_stat_file
     - pg_stat_get_activity
     - pg_stat_get_backend_activity_start
     - pg_stat_get_backend_activity
     - pg_stat_get_backend_client_addr
     - pg_stat_get_backend_client_port
     - pg_stat_get_backend_start
     - pg_stat_get_backend_waiting
     - pg_stop_backup
     - pg_switch_xlog
     - pg_stat_reset

3. Catalog table/system embedded function/owner checks are kept on the HAWQ side.

4. Forbid GRANT/REVOKE commands for non-heap tables in HAWQ once Ranger is configured.

5. Documents telling people that if they first enable Ranger and then don't want to use it, they need to manually recreate all the Ranger policies on the HAWQ side.

6. Documents for how to enable Ranger in Ambari: first set ranger off, init the HAWQ master, then set ranger on, and then restart the HAWQ cluster.

Out of Scope for the first Release

1. Ambari modification: we just use Ambari's customized GUC for the first release instead of adding a new GUC, so no change from the Ambari side.

2. Kerberos/SSL connection from HAWQ to RPS and from RPS to Ranger.

3. HA: there are two levels of HA: Ranger Server HA and RPS HA. For Ranger Server HA, RPS needs to be designed to be tolerant of this; for RPS HA, the HAWQ master and standby master should be able to connect to another RPS if one is down.

4. Catalog table/system embedded function/owner checks in Ranger.

5. Allowing both GRANT/REVOKE commands and Ranger-side ACL control for the same objects, such as non-heap tables.

6. Tool for converting all privileges defined in Ranger to HAWQ GRANT/REVOKE commands.

7. Tool for syncing HAWQ user information from LDAP.

8. Ranger check for drop table/create database.

Best Regards,
Lili

2017-01-25 16:55 GMT+08:00 Lili Ma <[email protected]>:
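The split proposed in the message (object privileges decided by Ranger, superuser-only behaviours and catalog/owner checks decided by HAWQ, GRANT/REVOKE refused for Ranger-managed objects, and COPY to/from a file requiring both the superuser gate and a Ranger table privilege) is modelled below as an added illustration. This is not HAWQ or Ranger code: the object types, privilege names and superuser-only behaviours are taken from the proposal, while `Session`, `Policy`, the sample policy list and the check functions are assumptions made for this example.

```python
"""Toy model of the authorization split in the scope proposal above.

Constructed illustration, not HAWQ or Ranger code. Object types, privilege
names and superuser-only behaviours come from the proposal; Session, Policy,
the sample policies and the check functions are assumptions for this example.
"""
from dataclasses import dataclass

# Object privileges the proposal keeps on the Ranger side.
RANGER_PRIVILEGES = {
    "database":   {"create", "connect", "temp"},
    "tablespace": {"create"},
    "schema":     {"usage", "create"},
    "table":      {"select", "insert"},
    "sequence":   {"select", "update"},
    "function":   {"execute"},
    "language":   {"usage"},
    "protocol":   {"select", "insert"},
}

# Behaviours the proposal keeps strictly superuser-only, decided in HAWQ
# (a representative subset of the list, including some built-in functions).
SUPERUSER_ONLY = {
    "create filespace", "create tablespace", "create foreign-data wrapper",
    "create procedural language", "create resource queue",
    "create operator class", "create external web table",
    "alter system triggers",
    "pg_ls_dir", "pg_read_file", "pg_reload_conf", "pg_signal_backend",
    "pg_start_backup", "pg_stop_backup", "pg_switch_xlog",
}


@dataclass(frozen=True)
class Policy:
    """Stand-in for one Ranger policy item: grantee -> privileges on an object."""
    user: str
    object_type: str
    object_name: str
    privileges: frozenset


@dataclass(frozen=True)
class Session:
    user: str
    superuser: bool
    ranger_enabled: bool


def ranger_allows(policies, user, object_type, object_name, privilege):
    """Ranger-side decision: some policy grants `privilege` on the object to `user`."""
    if privilege not in RANGER_PRIVILEGES.get(object_type, ()):
        raise ValueError(f"{privilege} on {object_type} is not Ranger-managed")
    return any(p.user == user and p.object_type == object_type
               and p.object_name == object_name and privilege in p.privileges
               for p in policies)


def check_object(session, policies, hawq_acl, object_type, object_name, privilege):
    """Object privilege check; returns (deciding side, allowed).

    With Ranger configured the decision is delegated to Ranger and the
    superuser flag is not consulted. Without Ranger this toy applies
    HAWQ's own ACL with the usual superuser bypass.
    """
    if session.ranger_enabled:
        return "ranger", ranger_allows(policies, session.user,
                                       object_type, object_name, privilege)
    granted = hawq_acl.get((session.user, object_type, object_name), set())
    return "hawq", session.superuser or privilege in granted


def check_superuser_only(session, behaviour):
    """HAWQ-side gate for behaviours that stay superuser-only with or without Ranger."""
    if behaviour not in SUPERUSER_ONLY:
        raise ValueError(f"{behaviour} is not on the superuser-only list")
    return "hawq", session.superuser


def check_copy_file(session, policies, hawq_acl, table, direction):
    """COPY <table> TO/FROM a file: superuser-only in HAWQ, and once Ranger is
    configured the superuser must also hold select (TO) / insert (FROM) on
    the table in Ranger."""
    if not session.superuser:
        return "hawq", False
    privilege = {"to": "select", "from": "insert"}[direction]
    return check_object(session, policies, hawq_acl, "table", table, privilege)


def grant(session, hawq_acl, grantee, object_type, object_name, privilege):
    """HAWQ GRANT; refused for Ranger-managed object types once Ranger is on."""
    if session.ranger_enabled and object_type in RANGER_PRIVILEGES:
        raise PermissionError("GRANT/REVOKE is disabled for Ranger-managed "
                              "objects; define a Ranger policy instead")
    hawq_acl.setdefault((grantee, object_type, object_name), set()).add(privilege)


# Constructed sample data: one Ranger policy, one ordinary user, one superuser.
POLICIES = [Policy("alice", "table", "public.sales", frozenset({"select"}))]
ALICE = Session("alice", superuser=False, ranger_enabled=True)
GPADMIN = Session("gpadmin", superuser=True, ranger_enabled=True)
```

The point the model makes visible is the COPY case: `check_copy_file(GPADMIN, POLICIES, {}, "public.sales", "to")` fails on the Ranger side even though the session is a superuser, because no Ranger policy grants gpadmin select on the table, whereas the same call with `ranger_enabled=False` succeeds through HAWQ's superuser bypass.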
