[ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15452587#comment-15452587 ]
Alastair "Bell" Turner commented on HAWQ-256:
---------------------------------------------

Thanks [~lilima]

There are three gpadmin users and I think we could have a better discussion if we give them different names.

1. The gpadmin operating system user who owns the HAWQ processes and the /hawq/* data on the local file system (OSGPAdmin). This user is not relevant to this issue.
2. The gpadmin Hadoop user (HAWQFileOwner). This is the user identity used by HAWQ to access HDFS, and it owns the files created by HAWQ in HDFS.
3. The gpadmin user in HAWQ (HAWQSuperUser). This user is subject to very few, if any, restrictions on access to data held in HAWQ.

For PXF there is also a user which accesses HDFS, Hive, etc. on behalf of PXF queries. For consistency let's call this PXFFileOwner.

My question about gpadmin access to data in Ranger managed tables is about access by HAWQSuperUser: if access to a table is managed by Ranger, then the files containing that table's data in HDFS would be owned by HAWQFileOwner. This is not an issue as long as nobody can log in as HAWQFileOwner. The problem occurs when HAWQSuperUser can read any data in any table. This is currently the case for HAWQ internal tables. If PXFFileOwner has access to data, then HAWQSuperUser would also be able to access it through external tables.

If access on a database was managed by Ranger through this feature, would HAWQSuperUser have access to read the data in that table?

If only users authenticated through Ranger had access to data in the table, it would not matter that HAWQFileOwner controlled the underlying file; HAWQ would be acting as a PEP and controlling access to the data. This is different from the scenario which I describe in HAWQ-1036, where policy is enforced by HDFS. Either approach would satisfy the requirement for HAWQSuperUser not to have access to the data.
> Integrate Security with Apache Ranger
> -------------------------------------
>
> Key: HAWQ-256
> URL: https://issues.apache.org/jira/browse/HAWQ-256
> Project: Apache HAWQ
> Issue Type: New Feature
> Components: PXF, Security
> Reporter: Michael Andre Pearce (IG)
> Assignee: Lili Ma
> Fix For: backlog
>
> Attachments: HAWQRangerSupportDesign.pdf, HAWQRangerSupportDesign_v0.2.pdf
>
> Integrate security with Apache Ranger for a unified Hadoop security solution.
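The comment above contrasts three places a read on a HAWQ table can be decided: HAWQ's own GRANTs with the superuser bypass (today), HAWQ acting as the Ranger policy enforcement point (this feature), or the Ranger HDFS plugin enforcing on the underlying path (the HAWQ-1036 scenario). The following Python is an added toy model of those three options written for this discussion; it is not HAWQ, PXF or Ranger code. The identity names HAWQFileOwner, PXFFileOwner and HAWQSuperUser follow the comment; every table, path, user, policy and the `can_read` function itself are constructed for illustration and assume that (a) under the first two options the HDFS read is performed as the service identity, and (b) under HDFS enforcement the end user's identity reaches HDFS and only the Ranger path policy is consulted.

```python
"""Toy model of where a HAWQ table read is authorised (constructed example, not project code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    hawq_superuser: bool = False  # True only for HAWQSuperUser (gpadmin inside HAWQ)


# --- Constructed sample state -------------------------------------------------
# Internal tables live under paths owned by HAWQFileOwner; PXF external tables
# point at paths that PXF reads on the user's behalf as PXFFileOwner.
INTERNAL_TABLES = {"sales.orders": "/hawq/sales/orders", "hr.staff": "/hawq/hr/staff"}
EXTERNAL_TABLES = {"ext.clicks": "/landing/clicks"}
HDFS_OWNER = {"/hawq/sales/orders": "HAWQFileOwner",
              "/hawq/hr/staff": "HAWQFileOwner",
              "/landing/clicks": "etl"}
HDFS_EXTRA_READERS = {"/landing/clicks": {"PXFFileOwner"}}  # native HDFS read grants

# Ranger policies: hr.staff is deliberately NOT Ranger-managed.
RANGER_TABLE_POLICY = {"sales.orders": {"analyst"}, "ext.clicks": {"analyst"}}
RANGER_PATH_POLICY = {"/hawq/sales/orders": {"analyst"}, "/landing/clicks": {"analyst"}}

# HAWQ's own GRANT SELECT, used when HAWQ decides without Ranger.
HAWQ_GRANTS = {"sales.orders": {"analyst"}, "ext.clicks": {"analyst"}, "hr.staff": {"bob"}}


def hdfs_native_allows(identity: str, path: str) -> bool:
    """Plain HDFS permissions: the owner or an explicitly granted reader."""
    return HDFS_OWNER.get(path) == identity or identity in HDFS_EXTRA_READERS.get(path, set())


def hdfs_ranger_allows(identity: str, path: str) -> bool:
    """Ranger HDFS plugin: only the path policy decides (assumed, no native fallback)."""
    return identity in RANGER_PATH_POLICY.get(path, set())


def hawq_grants_allow(user: Principal, table: str) -> bool:
    """Today's HAWQ check: GRANTs, with HAWQSuperUser bypassing them."""
    return user.hawq_superuser or user.name in HAWQ_GRANTS.get(table, set())


def can_read(user: Principal, table: str, mode: str) -> bool:
    """mode is 'hawq_only' (today), 'hawq_pep' (this feature) or 'hdfs_pep' (HAWQ-1036)."""
    is_external = table in EXTERNAL_TABLES
    path = EXTERNAL_TABLES[table] if is_external else INTERNAL_TABLES[table]
    service_identity = "PXFFileOwner" if is_external else "HAWQFileOwner"

    if mode == "hawq_only":
        # HAWQ decides, then reads HDFS as the service identity, not as the end user.
        return hawq_grants_allow(user, table) and hdfs_native_allows(service_identity, path)

    if mode == "hawq_pep":
        # HAWQ enforces the Ranger table policy for everyone, superuser included;
        # tables without a Ranger policy fall back to today's behaviour.
        if table in RANGER_TABLE_POLICY:
            decided = user.name in RANGER_TABLE_POLICY[table]
        else:
            decided = hawq_grants_allow(user, table)
        return decided and hdfs_native_allows(service_identity, path)

    if mode == "hdfs_pep":
        # The end user's identity reaches HDFS and the Ranger HDFS plugin decides.
        return hdfs_ranger_allows(user.name, path)

    raise ValueError(f"unknown enforcement mode: {mode}")


def access_matrix(mode: str) -> dict:
    """Who can read what under one mode; handy for comparing the three options."""
    users = [Principal("gpadmin", hawq_superuser=True), Principal("analyst"), Principal("bob")]
    tables = list(INTERNAL_TABLES) + list(EXTERNAL_TABLES)
    return {(u.name, t): can_read(u, t, mode) for u in users for t in tables}


if __name__ == "__main__":
    for mode in ("hawq_only", "hawq_pep", "hdfs_pep"):
        print(mode)
        for (who, table), ok in sorted(access_matrix(mode).items()):
            print(f"  {who:8} {table:13} {'read' if ok else 'denied'}")
```

The matrix makes the comment's concern concrete: with `hawq_only`, gpadmin reads every table, including the external one, because PXFFileOwner can read its path; with either `hawq_pep` or `hdfs_pep`, gpadmin is denied on the Ranger-managed tables even though the internal table's files are still owned by HAWQFileOwner, while the unmanaged `hr.staff` table still shows the superuser bypass under `hawq_pep`.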