Github user ictmalili commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1106#discussion_r99488834
--- Diff: src/backend/catalog/aclchk.c ---
@@ -298,6 +298,14 @@ ExecuteGrantStmt(GrantStmt *stmt)
bool added_objs = false;
/*
+ * Don't allow GRANT/REVOKE if in ranger mode.
+ */
+ if (aclType == HAWQ_ACL_RANGER)
+ {
+ elog(ERROR, "GRANT/REVOKE is not allowed in ranger mode");
+ }
+
+ /*
--- End diff --
I don't think we should forbid all the objects for grant/revoke. Given that
we decide to leave catalog table/owner check in HAWQ side, we should allow
grant/revoke for these operations. What we need to forbid is what we have
supported in Ranger UI configuration.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
