Ramesh, thanks for confirming.

Bosco
On 8/22/16, 3:18 PM, "Ramesh Mani" <[email protected]> wrote:

Bosco,

Looking at the documentation and trying it out, user u2 should be able to give any permission.

* The ADMIN permission in Ranger is the equivalent to the WITH GRANT OPTION in SQL standard-based authorization. However, the ADMIN permission gives the grantee the ability to grant all permissions rather than just the permissions possessed by the grantor. With SQL standard-based authorization, the WITH GRANT OPTION applies only to permissions possessed by the grantor.

Thanks,
Ramesh

On 8/19/16, 10:42 AM, "Don Bosco Durai" <[email protected]> wrote:

>Madhan, can you help me answer the question from the HAWQ team?
>
>If I give User u1 permission to "Select" and "Delegated Admin" for a
>resource/table, then can user u1 give someone else, e.g. u2 "Insert"
>permission for the resource? Or do we restrict "Delegate" permission only
>to what the user has?
>
>Thanks
>
>Bosco
>
>
>On 8/16/16, 1:52 AM, "Lili Ma (JIRA)" <[email protected]> wrote:
>
> > [ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15422443#comment-15422443 ]
> >
> > Lili Ma edited comment on HAWQ-256 at 8/16/16 8:51 AM:
> > -------------------------------------------------------
> >
> > [~bosco] [~vineetgoel] [~lei_chang] [~hubertzhang] [~wenlin]
> > Another thing we need to discuss is whether we support users sending "GRANT" SQL besides setting policy in Ranger. If we also support Grant SQL, there is a minor difference between the "with grant option" of Grant SQL and what is inside the Ranger UI. We need to discuss it clearly.
> >
> > Ranger has one button "Delegate Admin" when defining policy; this is different from what HAWQ grant SQL specifies.
> > That button in Ranger means the Ranger internal user has the privileges to operate the given path/object and assign someone else the rights for the objects. That button has no influence on a Ranger external user, say, a HAWQ internal user. For example, if we add a policy specifying user A has the privileges to select a table T and click on the button and user A is a Ranger internal user, then user A has the right to log into Ranger and assign the insert/select privileges for table T to user B.
> > The grant SQL with grant option means that the to-be-granted user has the privilege to grant certain privileges to other users. If the grant privilege specifies just select, then user A can't grant insert privilege to user B. So this is slightly different from what Ranger has already provided.
> >
> > If we allow grant/revoke SQL from HAWQ, we need to add "grant" as an action option to the resource. Action option means for each action, it has an attribute which indicates whether this action can be granted by the user.
> > For example, admin grants two privileges:
> > "grant select on t1 to u1"
> > "grant insert on t1 to u1 with grant option"
> > Then u1 grants privileges to u2:
> > "grant select on t1 to u2" result: failed!
> > "grant insert on t1 to u2" result: succeed!
> > As a result, u2 can insert on t1, but it cannot select on t1.
> > Correspondingly, in Ranger, we have the following policies (* means with grant privilege):
> > t1 u1 insert*select
> > t1 u2 insert
> >
> > So the conclusion is that we need to double the privileges for defining "with grant option" if we want to support Grant/Revoke SQL from the HAWQ side.
> >
> > > Integrate Security with Apache Ranger
> > > -------------------------------------
> > >
> > >                 Key: HAWQ-256
> > >                 URL: https://issues.apache.org/jira/browse/HAWQ-256
> > >             Project: Apache HAWQ
> > >          Issue Type: New Feature
> > >          Components: PXF, Security
> > >            Reporter: Michael Andre Pearce (IG)
> > >            Assignee: Lili Ma
> > >             Fix For: backlog
> > >
> > >         Attachments: HAWQRangerSupportDesign.pdf
> > >
> > >
> > > Integrate security with Apache Ranger for a unified Hadoop security solution.
> >
> >
> >
> > --
> > This message was sent by Atlassian JIRA
> > (v6.3.4#6332)
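Added illustration, not part of the thread and not Ranger or HAWQ code: a small Python model of the two delegation semantics the thread compares. `SqlStandardGrants` tracks WITH GRANT OPTION per privilege, so a grantor can only pass on what it holds with the grant option (Lili Ma's u1/u2 example). `RangerStylePolicies` models the Delegate Admin flag as Ramesh confirmed it: one flag per policy item, and a delegated admin may grant any action on the resource, including ones it does not hold itself (Bosco's Select + Delegated Admin question). The action set, class and function names, and the `over_delegations` audit helper (which lists delegated admins whose own permissions are narrower than what they can grant, the thing a policy review would want flagged) are assumptions of this model.

```python
from dataclasses import dataclass, field

# Action names from the thread's example; the full set is an assumption of this model.
ACTIONS = frozenset({"select", "insert", "update", "delete"})


class GrantDenied(Exception):
    """Raised when a grantor lacks the authority the model requires."""


@dataclass
class SqlStandardGrants:
    """SQL-standard semantics: WITH GRANT OPTION is tracked per privilege and a
    grantor may only pass on a privilege it holds with the grant option."""
    # (user, table) -> {action: holds_grant_option}
    grants: dict = field(default_factory=dict)

    def grant(self, grantor, table, action, grantee, with_grant_option=False, superuser=False):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if not superuser:
            held = self.grants.get((grantor, table), {})
            if not held.get(action, False):  # must hold *this* action with grant option
                raise GrantDenied(f"{grantor} cannot grant {action} on {table}")
        self.grants.setdefault((grantee, table), {})[action] = with_grant_option

    def can(self, user, table, action):
        return action in self.grants.get((user, table), {})


@dataclass
class RangerStylePolicies:
    """Ranger semantics as confirmed in the thread: Delegate Admin is a single flag on
    the policy item, and a delegated admin may grant any action on the resource."""
    # (user, table) -> {"actions": set of actions, "delegate_admin": bool}
    items: dict = field(default_factory=dict)

    def grant(self, grantor, table, actions, grantee, delegate_admin=False, superuser=False):
        actions = set(actions)
        if not actions <= ACTIONS:
            raise ValueError(f"unknown actions {sorted(actions - ACTIONS)}")
        if not superuser:
            item = self.items.get((grantor, table))
            if item is None or not item["delegate_admin"]:
                raise GrantDenied(f"{grantor} is not a delegated admin on {table}")
            # Deliberately no check that `actions` is a subset of item["actions"]:
            # that is the difference from WITH GRANT OPTION the thread discusses.
        target = self.items.setdefault((grantee, table), {"actions": set(), "delegate_admin": False})
        target["actions"] |= actions
        target["delegate_admin"] = target["delegate_admin"] or delegate_admin

    def can(self, user, table, action):
        return action in self.items.get((user, table), {"actions": set()})["actions"]

    def over_delegations(self):
        """Audit helper (assumption): delegated admins whose own action set is narrower
        than what they are able to grant, i.e. every action on the resource."""
        return sorted(
            (user, table, sorted(ACTIONS - item["actions"]))
            for (user, table), item in self.items.items()
            if item["delegate_admin"] and item["actions"] != ACTIONS
        )


def sql_scenario():
    """Lili Ma's example under SQL-standard semantics (constructed input)."""
    db = SqlStandardGrants()
    db.grant("admin", "t1", "select", "u1", superuser=True)
    db.grant("admin", "t1", "insert", "u1", with_grant_option=True, superuser=True)
    results = {}
    for action in ("select", "insert"):
        try:
            db.grant("u1", "t1", action, "u2")
            results[action] = "succeed"
        except GrantDenied:
            results[action] = "failed"
    results["u2_can_insert"] = db.can("u2", "t1", "insert")
    results["u2_can_select"] = db.can("u2", "t1", "select")
    return results


def ranger_scenario():
    """Bosco's question under Ranger semantics: u1 holds Select plus Delegate Admin."""
    ranger = RangerStylePolicies()
    ranger.grant("admin", "t1", {"select"}, "u1", delegate_admin=True, superuser=True)
    try:
        ranger.grant("u1", "t1", {"insert"}, "u2")  # u1 never held insert
        outcome = "succeed"
    except GrantDenied:
        outcome = "failed"
    return {
        "u1_grants_insert_to_u2": outcome,
        "u2_can_insert": ranger.can("u2", "t1", "insert"),
        "over_delegations": ranger.over_delegations(),
    }


if __name__ == "__main__":
    print("SQL standard:", sql_scenario())
    print("Ranger      :", ranger_scenario())
```

Running it prints the SQL case with select denied and insert allowed, and the Ranger case with the insert grant succeeding even though u1 only holds select; `over_delegations` reports u1 as a delegated admin on t1 with delete, insert and update beyond its own permissions, which is the kind of policy item worth reviewing when Delegate Admin is handed out.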
