[ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15452587#comment-15452587 ]

Alastair "Bell" Turner commented on HAWQ-256:
---------------------------------------------

Thanks [~lilima] 

There are three gpadmin users and I think we could have a better discussion if 
we give them different names.

 1. The gpadmin operating system user who owns the HAWQ processes and the 
/hawq/* data on the local file system (OSGPAdmin). This user is not relevant to 
this issue.
 2. The gpadmin Hadoop user (HAWQFileOwner). This is the user identity used by 
HAWQ to access HDFS, and it owns the files created by HAWQ in HDFS.
 3. The gpadmin user in HAWQ (HAWQSuperUser). This user is subject to very few, 
if any, restrictions on access to data held in HAWQ.

For PXF there is also a user which accesses HDFS, Hive, etc. on behalf of PXF 
queries. For consistency let's call this PXFFileOwner.

My question about gpadmin access to data in Ranger managed tables is about 
access by HAWQSuperUser:

If access to a table is managed by Ranger then the files containing that 
table's data in HDFS would be owned by HAWQFileOwner. This is not an issue as 
long as nobody can log in as HAWQFileOwner. The problem occurs when 
HAWQSuperUser can read any data in any table. This is currently the case for 
HAWQ internal tables. If PXFFileOwner has access to data then HAWQSuperUser 
would also be able to access it through external tables.

If access on a database was managed by Ranger through this feature would 
HAWQSuperUser have access to read the data in that table?

If only users authenticated through Ranger had access to data in the table, it 
would not matter that HAWQFileOwner controlled the underlying file; HAWQ would 
be acting as a PEP and controlling access to the data. This is different from 
the scenario which I describe in HAWQ-1036, where policy is enforced by HDFS. 
Either approach would satisfy the requirement for HAWQSuperUser not to have 
access to the data.
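A constructed model of the access question the comment raises, added here as an illustration and not code from HAWQ, PXF or Ranger. It assumes a table record with an HDFS owner and a Ranger reader set, and contrasts HAWQ's current internal superuser rule with HAWQ acting as a PEP that defers to Ranger policy for Ranger-managed tables.

```python
"""Constructed model (not HAWQ/Ranger code) of who may read a table's data
under two enforcement designs discussed in the comment above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Table:
    name: str
    hdfs_owner: str              # Hadoop identity owning the files (HAWQFileOwner)
    ranger_managed: bool         # True when a Ranger policy governs this table
    ranger_readers: frozenset    # users granted read by Ranger policy
    internal_readers: frozenset  # users granted read by HAWQ's own catalog


HAWQ_SUPERUSERS = frozenset({"HAWQSuperUser"})


def internal_check(user: str, table: Table) -> bool:
    """Current behaviour for internal tables as the comment describes it:
    the HAWQ superuser is not restricted, other users need an internal grant."""
    return user in HAWQ_SUPERUSERS or user in table.internal_readers


def pep_check(user: str, table: Table) -> bool:
    """HAWQ acting as a PEP: for a Ranger-managed table the decision comes from
    Ranger policy alone. Neither superuser status nor ownership of the HDFS
    files by HAWQFileOwner grants access; unmanaged tables fall back to the
    internal rule."""
    if table.ranger_managed:
        return user in table.ranger_readers
    return internal_check(user, table)


# Constructed sample: a Ranger-managed table whose files HAWQFileOwner owns and
# whose only Ranger-approved reader is a hypothetical "analyst" account.
SALES = Table(
    name="sales",
    hdfs_owner="HAWQFileOwner",
    ranger_managed=True,
    ranger_readers=frozenset({"analyst"}),
    internal_readers=frozenset(),
)


def compare(user: str, table: Table = SALES) -> dict:
    """Decision under each design, so the superuser bypass is visible side by side."""
    return {"internal": internal_check(user, table), "pep": pep_check(user, table)}


if __name__ == "__main__":
    for u in ("HAWQSuperUser", "HAWQFileOwner", "analyst"):
        print(u, compare(u))
```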

> Integrate Security with Apache Ranger
> -------------------------------------
>
>                 Key: HAWQ-256
>                 URL: https://issues.apache.org/jira/browse/HAWQ-256
>             Project: Apache HAWQ
>          Issue Type: New Feature
>          Components: PXF, Security
>            Reporter: Michael Andre Pearce (IG)
>            Assignee: Lili Ma
>             Fix For: backlog
>
>         Attachments: HAWQRangerSupportDesign.pdf, 
> HAWQRangerSupportDesign_v0.2.pdf
>
>
> Integrate security with Apache Ranger for a unified Hadoop security solution. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)