Repository: incubator-hawq-docs Updated Branches: refs/heads/develop a3ebec2d8 -> e85f3a49e
policy doc - built-in func warning, revise hdfs/hive considers Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/e85f3a49 Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/e85f3a49 Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/e85f3a49 Branch: refs/heads/develop Commit: e85f3a49ec1721c6f08567b782d537a691b5928e Parents: a3ebec2 Author: Lisa Owen <lo...@pivotal.io> Authored: Fri Apr 7 15:24:12 2017 -0700 Committer: Lisa Owen <lo...@pivotal.io> Committed: Fri Apr 7 17:41:31 2017 -0700 ---------------------------------------------------------------------- markdown/ranger/ranger-policy-creation.html.md.erb | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/e85f3a49/markdown/ranger/ranger-policy-creation.html.md.erb ---------------------------------------------------------------------- diff --git a/markdown/ranger/ranger-policy-creation.html.md.erb b/markdown/ranger/ranger-policy-creation.html.md.erb index 5bd12b4..ec78c35 100644 --- a/markdown/ranger/ranger-policy-creation.html.md.erb +++ b/markdown/ranger/ranger-policy-creation.html.md.erb 
@@ -319,10 +319,13 @@ Make note of the following considerations when employing Ranger authorization fo - `CREATE LANGUAGE` commands (superuser-only) issued for non-built-in languages (pljava, plpython, ..) require the `usage` permission for the `c` language. -- If Ranger is enabled for Hive authorization in your HAWQ cluster: - - Create Hive policy(s) providing the user `pxf` access to any Hive tables you want to expose via PXF HCatalog integration or HAWQ PXF external tables. - - The HAWQ policies providing access to PXF HCatalog integration must identify database `hcatalog`, schema `<hive-schema-name>`, and table `<hive-table-name>` resources. These privileges are required in addition to any Hive policies for user `pxf` when Ranger is enabled for Hive authorization. +- Using built-in functions may generate the message: âWARNING: usage privilege of namespace \<schema-name\> is required.â This message is displayed even though the usage permission on \<schema-name\> is not actually required to execute the built-in function. -- If you have enabled Ranger authorization for HDFS in your HAWQ cluster: - - Create an HDFS policy(s) providing user `gpadmin` access to the HDFS HAWQ filespace. - - If you plan to use PXF external tables to read and write HDFS data, create HDFS policies providing user `pxf` access to the HDFS files backing your PXF external tables. +- When Ranger authorization is enabled for HDFS in your HAWQ cluster: + - The HDFS `xasecure.add-hadoop-authorization` property determines whether or not HDFS access controls are used as a fallback when no policy exists for a given HDFS resource. HAWQ access to HDFS is not affected when the `xasecure.add-hadoop-authorization` property is set to `true`. When this property is set to `false`, you must define HDFS Ranger policies permitting the `gadmin` HAWQ user read/write/execute access to the HAWQ HDFS filespace. 
+ - Access to HDFS-backed PXF external tables is not affected by the `xasecure.add-hadoop-authorization` property value, since the `pxf` user is a member of the `hdfs` superuser group. + +- Hive Ranger policies cannot control PXF access to Hive tables. + - When Ranger authorization is enabled for HAWQ, the `gpadmin` user has access permissions to all Hive tables exposed through PXF external tables and HCatalog integration. + - Other HAWQ users may gain access to Hive-backed PXF external tables when provided `usage-schema` and `create` permissions on the `public` or any private schema. To restrict this access, selectively assign permissions to the `pxf` protocol. + - HCatalog access to Hive tables is restricted by default when Ranger authorization is enabled for HAWQ; you must create policies to explicitly allow this access.
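Review bot: The user name in the new HDFS bullet is misspelled: "permitting the `gadmin` HAWQ user read/write/execute access" should read `gpadmin`, which is the name used in the removed line ("providing user `gpadmin` access to the HDFS HAWQ filespace") and in the new Hive bullet ("the `gpadmin` user has access permissions to all Hive tables"). A reader copying the name into a Ranger policy would create a rule for a non-existent user. Two smaller points in the same hunk: the quoted warning text `âWARNING: usage privilege of namespace \<schema-name\> is required.â` carries non-ASCII quote characters that render as mojibake here, so plain ASCII double quotes would be safer in the source; and since the hunk states both that Hive Ranger policies cannot control PXF access and that the `pxf` user belongs to the `hdfs` superuser group, it would help operators to say in one place that the only effective control on Hive-backed PXF tables is the HAWQ-side `pxf` protocol permission (the sentence "To restrict this access, selectively assign permissions to the `pxf` protocol" is the right place to spell this out).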