Github user dyozie commented on a diff in the pull request:
https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108951165
--- Diff: markdown/ranger/ranger-integration-config.html.md.erb ---
@@ -30,9 +30,14 @@ The Ranger Administrative UI is installed when you
install HDP. You configure th
Installing or upgrading to HAWQ 2.2.0 installs the HAWQ Ranger Plug-in
Service, but neither configures nor registers the plug-in.
-In order to use Ranger for managing HAWQ authentication events, you must
first install and register several HAWQ JAR files on the Ranger Administration
host. This is a one-time configuration that establishes connectivity to your
HAWQ cluster from the Ranger Administration host. After you have registered the
JAR files, you enable or disable Ranger integration in HAWQ by setting the
`hawq_acl_type` configuration parameter. After Ranger integration is enabled,
you must use the Ranger interface to create all security policies to manage
access to HAWQ resources. Ranger is pre-populated only with several policies to
allow `gpadmin` superuser access to default resources. See [Creating HAWQ
Authorization Policies in Ranger](ranger-policy-creation.html) for information
about creating policies in Ranger.
+To use Ranger for managing HAWQ authentication events, you must first
install and register several HAWQ JAR files on the Ranger Administration host.
This one-time configuration establishes connectivity to your HAWQ cluster from
the Ranger Administration host.
+
+The `hawq_acl_type` configuration parameter allows you to shift between
managing access policies through the HAWQ native interface or the Ranger policy
manager. Ranger is initially started started with the `hawq_acl_type` parameter
set to `standalone.` After configuring Ranger access policies, you set the
`hawq_acl_type` configuration parameter to `ranger` to enable Ranger policy
management.
+
+Once HAWQ Ranger is enabled, access to HAWQ resources is controlled by
security policies on Ranger. Access policies must be explicitly set for all
groups and users, as Ranger has no knowledge of any access policies set up in
the HAWQ native interface and its default is to disallow access. When first
integrated, Ranger is only pre-populated with policies that allow `gpadmin`
superuser access to default resources. When Ranger is enabled, you cannot
manage HAWQ access through its native interface.
--- End diff --
I agree - let's not get into too much detail here.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
