[ https://issues.apache.org/jira/browse/HAWQ-1036?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15454926#comment-15454926 ]

Lili Ma commented on HAWQ-1036:
-------------------------------

Hello, I think passing down user identity is quite an important area.
I have several questions about this:
1. If we pass the privilege check down to HDFS or Hive, what about the objects
which don't map to data storage, for example, language, function, schema,
etc.?
2. For a table object, how can we map the privilege to storage if the underlying
storage is HDFS? For example, for a table, we may have
create/select/insert/update/delete (although HAWQ doesn't support update/delete
now, it may support these features later), while for an HDFS file, we only have
create/read/write/append. How shall we map them?
3. Do the privilege checks in this way happen during query execution? I think
HAWQ-256 does this in the planning period.
4. What if the Ranger admin wants to assign a table created by userA to userB? Does
he need to find out the underlying file folder and assign that folder
privileges to userB? If yes, then he has to know the mapping between HAWQ table
and HDFS files. Right?
5. Currently my understanding of the PXF design is that it uses a special user
identity? What will happen after the change? Will multiple users have access to
the external storage? What if we support S3 in the future? Does S3 need to give
the privileges to all the users in HAWQ?

Thanks
Lili


> Support user impersonation in PXF for external tables
> -----------------------------------------------------
>
>                 Key: HAWQ-1036
>                 URL: https://issues.apache.org/jira/browse/HAWQ-1036
>             Project: Apache HAWQ
>          Issue Type: New Feature
>          Components: PXF, Security
>            Reporter: Alastair "Bell" Turner
>            Assignee: Goden Yao
>            Priority: Critical
>             Fix For: backlog
>
>         Attachments: HAWQ_Impersonation_rationale.txt
>
>
> Currently HAWQ executes all queries as the user running the HAWQ process or 
> the user running the PXF process, not as the user who issued the query via 
> ODBC/JDBC/... This restricts the options available for integrating with 
> existing security defined in HDFS, Hive, etc.
> Impersonation provides an alternative Ranger integration (as discussed in 
> HAWQ-256) for consistent security across HAWQ, HDFS, Hive...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
