[jira] [Commented] (HAWQ-1036) Support user impersonation in PXF for external tables
[ https://issues.apache.org/jira/browse/HAWQ-1036?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359129#comment-16359129 ] Alexander Denissov commented on HAWQ-1036: -- Impersonation has been enabled in PXF now, however it is not yet integrated with HAWQ and will work with other Postgres-related engines (such as GPDB) that pass user identity in X-GP-USER header to PXF. > Support user impersonation in PXF for external tables > - > > Key: HAWQ-1036 > URL: https://issues.apache.org/jira/browse/HAWQ-1036 > Project: Apache HAWQ > Issue Type: New Feature > Components: PXF, Security >Reporter: Alastair "Bell" Turner >Assignee: Alexander Denissov >Priority: Critical > Fix For: backlog > > Attachments: HAWQ_Impersonation_rationale.txt > > > Currently HAWQ executes all queries as the user running the HAWQ process or > the user running the PXF process, not as the user who issued the query via > ODBC/JDBC/... This restricts the options available for integrating with > existing security defined in HDFS, Hive, etc. > Impersonation provides an alternative Ranger integration (as discussed in > HAWQ-256 ) for consistent security across HAWQ, HDFS, Hive... > Implementation High Level steps: > 1) HAWQ needs to integrate with existing authentication components for the > user who invokes the query > 2) HAWQ needs to pass down the user id to PXF after authorization is passed > 3) PXF needs to do "run as ..." the user id to execute APIs to access > Hive/HDFS -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HAWQ-1036) Support user impersonation in PXF for external tables
[ https://issues.apache.org/jira/browse/HAWQ-1036?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15473174#comment-15473174 ] Alastair "Bell" Turner commented on HAWQ-1036: -- There would be no change for (c). In simplest way of thinking about this, impersonation allows HAWQ to delegate authorisation to the remote data source. If this is Hive then Hive gets to decide whether to use "SQL Standard" auth or do it's own impersonation through to HDFS. Ownership of or access to the file is not the issue, the issue is authorisation at the point where PXF passes the request to another process. > Support user impersonation in PXF for external tables > - > > Key: HAWQ-1036 > URL: https://issues.apache.org/jira/browse/HAWQ-1036 > Project: Apache HAWQ > Issue Type: New Feature > Components: PXF, Security >Reporter: Alastair "Bell" Turner >Assignee: Goden Yao >Priority: Critical > Fix For: backlog > > Attachments: HAWQ_Impersonation_rationale.txt > > > Currently HAWQ executes all queries as the user running the HAWQ process or > the user running the PXF process, not as the user who issued the query via > ODBC/JDBC/... This restricts the options available for integrating with > existing security defined in HDFS, Hive, etc. > Impersonation provides an alternative Ranger integration (as discussed in > HAWQ-256 ) for consistent security across HAWQ, HDFS, Hive... > Implementation High Level steps: > 1) HAWQ needs to integrate with existing authentication components for the > user who invokes the query > 2) HAWQ needs to pass down the user id to PXF after authorization is passed > 3) PXF needs to do "run as ..." the user id to execute APIs to access > Hive/HDFS -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HAWQ-1036) Support user impersonation in PXF for external tables
[ https://issues.apache.org/jira/browse/HAWQ-1036?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15468138#comment-15468138 ] Goden Yao commented on HAWQ-1036: - a) - yes b) not sure if that's a statement or question - user impersonation should be only exercised if/when HAWQ chose to integrate with HADOOP user identification. so there will be 1> default - hawq manages users as dbms separately so no behavior changes 2> integrated with hadoop , so all db users should be in kerberos or LDAP, through ranger or other centralized user authentication system. c) no matter which mode Hive chooses, HDFS layer you still have hdfs users (OS/Hadoop users) specific ACL. impersonation is not our side to do authentication, we just need to trust hive APIs and pass down the real user ID who's invoking the query and run as that user to make sure no illegal access during the process. > Support user impersonation in PXF for external tables > - > > Key: HAWQ-1036 > URL: https://issues.apache.org/jira/browse/HAWQ-1036 > Project: Apache HAWQ > Issue Type: New Feature > Components: PXF, Security >Reporter: Alastair "Bell" Turner >Assignee: Goden Yao >Priority: Critical > Fix For: backlog > > Attachments: HAWQ_Impersonation_rationale.txt > > > Currently HAWQ executes all queries as the user running the HAWQ process or > the user running the PXF process, not as the user who issued the query via > ODBC/JDBC/... This restricts the options available for integrating with > existing security defined in HDFS, Hive, etc. > Impersonation provides an alternative Ranger integration (as discussed in > HAWQ-256 ) for consistent security across HAWQ, HDFS, Hive... -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HAWQ-1036) Support user impersonation in PXF for external tables
[ https://issues.apache.org/jira/browse/HAWQ-1036?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15468123#comment-15468123 ] Goden Yao commented on HAWQ-1036: - this request has nothing to do with database objects privilege management or ranger integration. I'll post a detailed discussion with Alastair before. > Support user impersonation in PXF for external tables > - > > Key: HAWQ-1036 > URL: https://issues.apache.org/jira/browse/HAWQ-1036 > Project: Apache HAWQ > Issue Type: New Feature > Components: PXF, Security >Reporter: Alastair "Bell" Turner >Assignee: Goden Yao >Priority: Critical > Fix For: backlog > > Attachments: HAWQ_Impersonation_rationale.txt > > > Currently HAWQ executes all queries as the user running the HAWQ process or > the user running the PXF process, not as the user who issued the query via > ODBC/JDBC/... This restricts the options available for integrating with > existing security defined in HDFS, Hive, etc. > Impersonation provides an alternative Ranger integration (as discussed in > HAWQ-256 ) for consistent security across HAWQ, HDFS, Hive... -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HAWQ-1036) Support user impersonation in PXF for external tables
[ https://issues.apache.org/jira/browse/HAWQ-1036?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15457649#comment-15457649 ] Vineet Goel commented on HAWQ-1036: --- This is a useful feature needed in PXF for external tables access, for security-sensitive data access in HDFS. My thoughts: 1) As the description/title suggests, we should keep the scope of this JIRA to PXF External table access, not HAWQ Internal tables. 2) Changing the HAWQ’s HDFS storage permission/ACL policy should be out of scope. That is a complex and separate set of work and not sure if it solves a problem for HAWQ users. If HAWQ is your SQL access point, then the assumption is that HAWQ database authorization is serving comprehensive control management on internal tables. Ranger integration (HAWQ-256) plays a role here as well. All HAWQ data files have the same HDFS permission model. 3) Lili, given the scope limited to PXF External tables, some of the questions that you asked above may not be an issue in PXF case. Is that right? 4) Alastair, good point on the SET SESSION scenario. Things I’m wondering about, that may need research/discussion: a) The impersonation might just apply the same to Readable as well as writable PXF tables as well. True? b) External authentication such as LDAP are very important in this case as well as Ranger, if there are issues with trusting super users, who could create role and database logins to impersonate users for PXF external tables access. c) Does anything change if Hive is using “SQL Standard-Based Authorization” instead of Storage-Based Authorization? Do HDFS files have the same ACLs & permissions in both cases, for external table reads? > Support user impersonation in PXF for external tables > - > > Key: HAWQ-1036 > URL: https://issues.apache.org/jira/browse/HAWQ-1036 > Project: Apache HAWQ > Issue Type: New Feature > Components: PXF, Security >Reporter: Alastair "Bell" Turner >Assignee: Goden Yao >Priority: Critical > Fix For: backlog > > Attachments: HAWQ_Impersonation_rationale.txt > > > Currently HAWQ executes all queries as the user running the HAWQ process or > the user running the PXF process, not as the user who issued the query via > ODBC/JDBC/... This restricts the options available for integrating with > existing security defined in HDFS, Hive, etc. > Impersonation provides an alternative Ranger integration (as discussed in > HAWQ-256 ) for consistent security across HAWQ, HDFS, Hive... -- This message was sent by Atlassian JIRA (v6.3.4#6332)