[ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15451720#comment-15451720 ]
Hubert Zhang commented on HAWQ-256:
-----------------------------------

+1 for two-stage authorization. The HAWQ Ranger plugin (REST service) manages the access privileges of HAWQ objects, including database, table, function, language and so on, while the HDFS Ranger plugin manages the access privileges of HDFS files. They do not conflict with each other. A user must first have the privilege to access the HAWQ object (calculated in the planner); next, the user also needs to have the privilege to access the HDFS file.

Currently, HAWQ uses the admin user to create/append HDFS files, which is convenient for HAWQ user management. For example, user A owns table t1, and if user A grants the select and insert privileges of table t1 to user B, user B can directly access table t1, because on HDFS the files of table t1 are created and accessed both by admin. But user-identity passing down will lead to table t1 being created by user A, and user B cannot access the file directly unless user B is added to user A's group or the file privilege is changed.

I do agree "user-identity passing down" is useful, especially in the Hadoop ecosystem, but when implementing it, pay attention to the problem I mentioned above. (Also, this is beyond the discussion of issue 256.)

> Integrate Security with Apache Ranger
> -------------------------------------
>
> Key: HAWQ-256
> URL: https://issues.apache.org/jira/browse/HAWQ-256
> Project: Apache HAWQ
> Issue Type: New Feature
> Components: PXF, Security
> Reporter: Michael Andre Pearce (IG)
> Assignee: Lili Ma
> Fix For: backlog
>
> Attachments: HAWQRangerSupportDesign.pdf,
> HAWQRangerSupportDesign_v0.2.pdf
>
>
> Integrate security with Apache Ranger for a unified Hadoop security solution.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
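The two-stage check and the identity pass-down pitfall described in the comment above, as an added toy model that is not part of the JIRA thread and not HAWQ or Ranger code. It assumes a Ranger-style grant table for stage one and a POSIX-style owner/group/other mode check for stage two; the user names, group names, table name and file modes are constructed sample values. The example goes a little beyond the comment by showing both remedies it names (adding the grantee to the owner's group, and changing the file mode) and that each one only fixes the operation the new bits actually cover.

```python
"""Toy model of two-stage authorization: HAWQ object grants, then HDFS file permissions.

Added example (not HAWQ/Ranger code). All names and values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Stage 1: HAWQ-object privileges, keyed by (table, action). Constructed sample grants:
# user A owns t1 and has granted select and insert on t1 to user B.
HAWQ_GRANTS: Dict[Tuple[str, str], Set[str]] = {
    ("t1", "select"): {"userA", "userB"},
    ("t1", "insert"): {"userA", "userB"},
}


@dataclass
class HdfsFile:
    """A file backing a table, with POSIX-style ownership and mode bits (e.g. 0o640)."""
    path: str
    owner: str
    group: str
    mode: int


def hdfs_allows(f: HdfsFile, user: str, user_groups: Dict[str, Set[str]], want: str) -> bool:
    """Stage 2: owner/group/other permission check for 'r' (select) or 'w' (insert)."""
    need = 4 if want == "r" else 2
    if user == f.owner:
        perm = (f.mode >> 6) & 7
    elif f.group in user_groups.get(user, set()):
        perm = (f.mode >> 3) & 7
    else:
        perm = f.mode & 7
    return bool(perm & need)


def authorize(table: str, action: str, user: str,
              files: Dict[str, List[HdfsFile]],
              user_groups: Dict[str, Set[str]],
              pass_identity: bool) -> str:
    """Run both stages. With pass_identity=False, HDFS is accessed as 'admin'
    (the current HAWQ behaviour from the comment); with True, as the end user."""
    if user not in HAWQ_GRANTS.get((table, action), set()):
        return "denied: no HAWQ privilege"          # stage 1 fails, planner rejects
    hdfs_user = user if pass_identity else "admin"
    want = "r" if action == "select" else "w"
    for f in files.get(table, []):
        if not hdfs_allows(f, hdfs_user, user_groups, want):
            return f"denied: HDFS permission on {f.path} (owner {f.owner})"
    return "allowed"


def scenarios() -> Dict[str, str]:
    """Walk through the cases in the comment and return each outcome by name."""
    out: Dict[str, str] = {}

    # Today: files created by admin, and HAWQ talks to HDFS as admin.
    admin_files = {"t1": [HdfsFile("/hawq/t1/seg0", "admin", "hadoop", 0o640)]}
    out["admin_owned_userB_select"] = authorize("t1", "select", "userB", admin_files, {}, False)
    out["admin_owned_userC_select"] = authorize("t1", "select", "userC", admin_files, {}, False)

    # Identity pass-down: the table's files are now owned by user A, group userA, mode 0o640.
    usera_files = {"t1": [HdfsFile("/hawq/t1/seg0", "userA", "userA", 0o640)]}
    no_groups: Dict[str, Set[str]] = {}
    out["passdown_userB_select"] = authorize("t1", "select", "userB", usera_files, no_groups, True)

    # Remedy 1 from the comment: add user B to user A's group. Group bits are r-- (4),
    # so select now passes but insert still fails.
    in_group = {"userB": {"userA"}}
    out["passdown_group_userB_select"] = authorize("t1", "select", "userB", usera_files, in_group, True)
    out["passdown_group_userB_insert"] = authorize("t1", "insert", "userB", usera_files, in_group, True)

    # Remedy 2 from the comment: change the file privilege so the group can write (0o660).
    rw_files = {"t1": [HdfsFile("/hawq/t1/seg0", "userA", "userA", 0o660)]}
    out["passdown_chmod_userB_insert"] = authorize("t1", "insert", "userB", rw_files, in_group, True)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} -> {result}")
```

The point the model makes visible is that a grant in stage one is necessary but not sufficient once the HDFS identity is the end user: every remedy lives in HDFS ownership, group membership or mode bits, which is exactly the extra management burden the comment warns about.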