Besides non-heap tables, we also need to forbid the grant/revoke command for built-in schemas and functions once Ranger is configured.
On Wed, Jan 25, 2017 at 5:04 PM, Lili Ma <[email protected]> wrote:

> Sorry there is something wrong with the format. Here is the revised
> version.
>
> Hi All,
>
> We propose the following Scope for the first release of HAWQ Ranger
> integration. Please comment and provide feedback. Thanks a lot!
>
> In Scope
>
> - Basic objects including non-heap table check be kept in Ranger side,
>   includes (Can refer to detailed explanation for Grant command in HAWQ
>   document http://hdb.docs.pivotal.io/211/hawq/reference/sql/GRANT.html):
>   - Database: Create Schema (Short as Create), Connect database (Short as
>     Connect), and Create Temp Table (Short as Temp).
>   - Tablespace: Create table and database under this tablespace (Short
>     as Create)
>   - Schema: create table or select from table under this schema (Short
>     as Usage), Create table under this Schema (Short as Create)
>   - Table: Select from this table (Short as Select), Insert into this
>     table (Short as Insert)
>   - Sequence: running select from this sequence (Short as Select),
>     update the value for this sequence (Short as Update)
>   - Function: Execution of this function (Short as Execute)
>   - Language: Usage of this language (Short as Usage)
>   - Protocol: Select data through this protocol (Short as Select),
>     Insert data through this protocol (Short as Insert)
> - Super user for HDFS data check in Ranger side same as 1), while below
>   checking kept in HAWQ side. Below are the behaviors which are strictly
>   restricted to superuser.
>   - create cast: when function is NULL
>   - create filespace
>   - create/remove/alter foreign-data wrapper
>   - create function: For untrusted language, only superuser can create
>     function.
>   - create/drop procedural language
>   - create/drop/alter resource queue
>   - create tablespace: It means the privilege to create tablespace, and
>     only superuser can do. But the CREATE privilege for tablespace means
>     creating database/table/index... in tablespace, which is managed
>     by Ranger.
>   - create external table: Only superuser can create EXECUTE external
>     web table or create an external table with a file protocol (but in
>     HAWQ 2.0, the file protocol is not supported any more).
>   - create operator class
>   - copy: Only superuser can copy to or from a file. When Ranger is
>     configured, the superuser cannot run copy to or from when he
>     doesn't have the privilege for that table select or insert.
>   - alter state of system triggers
>   - some built-in functions, including
>     - pg_logdir_ls
>     - pg_ls_dir
>     - pg_read_file
>     - pg_reload_conf
>     - pg_rotate_logfile
>     - pg_signal_backend
>     - pg_start_backup
>     - pg_stat_file
>     - pg_stat_get_activity
>     - pg_stat_get_backend_activity_start
>     - pg_stat_get_backend_activity
>     - pg_stat_get_backend_client_addr
>     - pg_stat_get_backend_client_port
>     - pg_stat_get_backend_start
>     - pg_stat_get_backend_waiting
>     - pg_stop_backup
>     - pg_switch_xlog
>     - pg_stat_reset
> - Catalog table/system embedded function/owner check kept in HAWQ side
> - Forbid grant/revoke command for non-heap table in HAWQ once Ranger is
>   configured
> - Documents for telling people if they firstly enable Ranger and then
>   don't want to use it, they need to manually recreate all the policies of
>   Ranger in HAWQ own side
> - Documents for how to enable Ranger in Ambari: Firstly set Ranger off,
>   init HAWQ master, then set Ranger on, and then restart HAWQ cluster.
>
> Out of Scope for the first Release
>
> - Ambari modification: We just use Ambari's customized GUC for the first
>   release instead of adding a new GUC, so no change from Ambari side
> - Kerberos/SSL connection from HAWQ to RPS and RPS to Ranger
> - HA: There are two levels of HA: Ranger Server HA and RPS HA. For
>   Ranger Server HA, RPS needs to be designed to be tolerant for this; for
>   RPS HA, HAWQ master and standby master should be able to connect to
>   another RPS if one is down.
> - Catalog table/System embedded function/owner check in Ranger
> - Allow both Grant/Revoke command and Ranger side ACL control for the
>   same objects such as non-heap table
> - Tool for converting all privileges defined in Ranger to HAWQ
>   grant/revoke command
> - Tool for syncing HAWQ user information from LDAP
> - Ranger check for drop table/create database
>
> Best Regards,
> Lili
>
> 2017-01-25 16:55 GMT+08:00 Lili Ma <[email protected]>:

--
Thanks
Hubert Zhang
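As an added example that is not part of this thread or of HAWQ's code, here is a small Python model of the privilege split the scope describes: object-level checks go to Ranger when it is enabled, superuser-only operations stay in HAWQ, COPY to/from a file needs both, and GRANT/REVOKE is refused for Ranger-managed objects (non-heap tables, plus the built-in schemas and functions from the reply). The Session class, the policy dictionaries and the table names are constructed stand-ins, not HAWQ's catalog or Ranger's API.

```python
# Constructed model of the proposed HAWQ/Ranger privilege split; stand-in data, not HAWQ or Ranger code.
RANGER_PRIVS = {  # object privileges the proposal moves to the Ranger side
    "database": {"create", "connect", "temp"}, "tablespace": {"create"},
    "schema": {"usage", "create"}, "table": {"select", "insert"},
    "sequence": {"select", "update"}, "function": {"execute"},
    "language": {"usage"}, "protocol": {"select", "insert"},
}
# A few of the operations that stay superuser-only inside HAWQ even with Ranger on.
SUPERUSER_ONLY_OPS = {"create filespace", "create tablespace", "create operator class",
                      "alter system triggers", "pg_read_file", "pg_ls_dir", "pg_signal_backend"}
NON_HEAP_TABLES = {"sales"}                              # constructed catalog stand-in
BUILTIN_SCHEMAS = {"pg_catalog", "information_schema"}  # built-in schemas (the reply's addition)
BUILTIN_FUNCTIONS = {"pg_read_file", "pg_ls_dir", "pg_reload_conf"}

class Session:
    def __init__(self, user, superuser, ranger_enabled, ranger_policies, local_grants):
        self.user, self.superuser, self.ranger_enabled = user, superuser, ranger_enabled
        self.ranger_policies = ranger_policies  # (user, kind, name) -> privs; stand-in for Ranger/RPS
        self.local_grants = local_grants        # same shape; stand-in for HAWQ's own ACLs

def check_object(s, kind, name, priv):
    """Object privilege: Ranger decides when it is enabled, HAWQ's own ACL otherwise."""
    if priv not in RANGER_PRIVS[kind]:
        raise ValueError(f"{priv!r} is not a {kind} privilege")
    store = s.ranger_policies if s.ranger_enabled else s.local_grants
    return priv in store.get((s.user, kind, name), set())

def check_superuser_op(s, op):
    """Operations kept in HAWQ: superuser-only regardless of the Ranger setting."""
    if op not in SUPERUSER_ONLY_OPS:
        raise KeyError(op)
    return s.superuser

def check_copy_file(s, table, direction):
    """COPY TO/FROM a file: superuser required, and with Ranger on the superuser is not
    a bypass: SELECT is still needed for COPY TO and INSERT for COPY FROM."""
    if not s.superuser:
        return False
    if not s.ranger_enabled:
        return True
    return check_object(s, "table", table, "select" if direction == "to" else "insert")

def grant_allowed(s, kind, name):
    """GRANT/REVOKE is refused for objects whose ACLs live in Ranger once Ranger is on."""
    if not s.ranger_enabled:
        return True
    managed = {"table": NON_HEAP_TABLES, "schema": BUILTIN_SCHEMAS, "function": BUILTIN_FUNCTIONS}
    return name not in managed.get(kind, set())

# Constructed sessions: the same superuser with Ranger off and with Ranger on.
POLICIES = {("admin", "table", "sales"): {"select"}}
ADMIN_OFF = Session("admin", True, False, POLICIES, {("admin", "table", "sales"): {"select", "insert"}})
ADMIN_ON = Session("admin", True, True, POLICIES, {})
```

With Ranger on, ADMIN_ON can COPY TO a file from sales (Ranger grants SELECT) but not COPY FROM (no INSERT policy), and cannot GRANT on sales or pg_catalog at all.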
