Github user dyozie commented on a diff in the pull request: https://github.com/apache/incubator-hawq-docs/pull/105#discussion_r108954206 --- Diff: markdown/ranger/ranger-integration-config.html.md.erb --- @@ -84,19 +105,28 @@ The following procedures describe each configuration activity. gpadmin@master$ hawq stop cluster --reload ``` -7. To validate connectivity between Ranger and HAWQ, access the Ranger Admin UI in Ambari, click the edit icon associated with the `hawq` service definition. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully. If it fails to connect, edit your HAWQ connectivity properties directly in the Ranger Admin UI and re-test the connection. +7. When setup is complete, use the fully-qualified domain name to log into the Ambari server. Use the Ranger link in the left nav to bring up the Ranger Summary pane in the HAWQ Ambari interface. Use the Quick Links to access Ranger. This link will take you to the Ranger Login interface. + +8. Log into the Ranger Access Manager. You will see a list of icons under the Service Manager. Click the click the icon marked `hawq` under the HAWQ icon to validate connectivity between Ranger and HAWQ. A list of HAWQ policies will appear. + +9. Now return to the Service Manager and click the Edit icon on the right, under the HAWQ service icon. Ensure that the Active Status is set to Enabled, and click the **Test Connection** button. You should receive a message that Ranger connected succesfully. If it fails to connect, you may need to edit your Ranger connection in `pg_hba.conf,` perform + ``` bash + hawq restart cluster + ``` + and re-test the connection. ## <a id="enable"></a>Step 2: Configure HAWQ to Use Ranger Policy Management -The default Ranger service definition for HAWQ assigns the HAWQ user (typically `gpadmin`) all privileges to all objects. +The default Ranger service definition for HAWQ assigns the HAWQ administrator (typically `gpadmin`) all privileges to all objects. -**Warning**: If you enable HAWQ-Ranger authorization with only the default HAWQ service policies defined, other HAWQ users will have no privileges, even for HAWQ objects (databases, tables) that they own. - -1. Select the **HAWQ** Service, and then select the **Configs** tab. +Once the connection between HAWQ and Ranger is configured, you can either set up policies for the HAWQ users according to the procedures in [Creating HAWQ Authorization Policies in Ranger](ranger-policy-creation.html) or enable Ranger with only the default policies. --- End diff -- I'm not sure it should be a warning, per se. I think what should be called out here is that if they had created any additional authorizations using `GRANT` commands, they will no longer apply after enabling ranger, and HAWQ goes back to its initial state of gpadmin-only access.
--- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---