moving super-user events discussion to policy doc; clarifying non-HA support; 
clarifying configuration procedure


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/commit/8823a9cf
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/tree/8823a9cf
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/diff/8823a9cf

Branch: refs/heads/master
Commit: 8823a9cf4fa872e0023955d7fe7a20fc28fbac69
Parents: 970717b
Author: David Yozie <yo...@apache.org>
Authored: Fri Mar 31 10:38:27 2017 -0700
Committer: David Yozie <yo...@apache.org>
Committed: Fri Mar 31 10:38:27 2017 -0700

----------------------------------------------------------------------
 .../ranger/ranger-integration-config.html.md.erb | 19 +++++++++++++++----
 markdown/ranger/ranger-overview.html.md.erb      | 16 ++--------------
 .../ranger/ranger-policy-creation.html.md.erb    |  3 ++-
 3 files changed, 19 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/8823a9cf/markdown/ranger/ranger-integration-config.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-integration-config.html.md.erb 
b/markdown/ranger/ranger-integration-config.html.md.erb
index 373959c..a274158 100644
--- a/markdown/ranger/ranger-integration-config.html.md.erb
+++ b/markdown/ranger/ranger-integration-config.html.md.erb
@@ -73,18 +73,29 @@ To use HAWQ Ranger integration, install a compatible Hadoop 
distribution and Apa
     ``` bash
     gpadmin@master$ cd /usr/local/hawq/ranger/bin
     gpadmin@master$ ./enable-ranger-plugin.sh -r ranger_host:6080 -u admin -p 
admin -h hawq_master:5432 -w gpadmin -q gpadmin
+    RANGER URL  = localhost:6080
+    RANGER User = admin
+    RANGER Password = [*****]
+    HAWQ HOST = localhost
+    HAWQ PORT = 5432
+    HAWQ User = gpadmin
+    HAWQ Password = [*******]
+    HAWQ service definition was not found in Ranger Admin, creating it by 
uploading /usr/local/hawq_2_2_0_0/ranger/etc/ranger-servicedef-hawq.json
+    HAWQ service instance was not found in Ranger Admin, creating it.
+    Updated POLICY_MGR_URL to http://localhost:6080 in 
/usr/local/hawq_2_2_0_0/ranger/etc/rps.properties
+    Updated default value of JAVA_HOME to /usr/jdk64/jdk1.8.0_77 in 
/usr/local/hawq_2_2_0_0/ranger/etc/rps.properties
     ```
     
     **Note**: You can also enter the short form of the command: 
`./enable-ranger-plugin.sh -r` and the script will prompt you for entries.
     
     When the script completes, the default HAWQ service definition is 
registered in the Ranger Admin UI. This service definition is named `hawq`.
 
-6. Locate the `pg_hba.conf` file on the HAWQ master node, for example:
+6. Locate the `pg_hba.conf` file in the master directory of the HAWQ master 
node. To display the HAWQ master directory:
  
     ``` bash
     gpadmin@master$ hawq config --show hawq_master_directory
     GUC                : hawq_master_directory
-    Value              : /data/hawq/master
+    Value      : /data/hawq/master
     ```
 
     Edit the `pg_hba.conf` file on the HAWQ master node to configure HAWQ 
access for \<hawq_user\> on the \<ranger-admin-node\>. For example, you would 
add an entry similar to the following for the example `enable-ranger-plugin.sh` 
call above:
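Review bot: the sample output added under the `enable-ranger-plugin.sh` invocation does not match the arguments of the command above it: the command passes `-r ranger_host:6080` and `-h hawq_master:5432`, but the output echoes `RANGER URL  = localhost:6080` and `HAWQ HOST = localhost`, and the paths it reports (`/usr/local/hawq_2_2_0_0/ranger/etc/...`) differ from the `/usr/local/hawq/ranger/bin` directory the command is run from. Either run the command with the values the output shows or edit the output lines so a reader can map each echoed line back to an argument. Two smaller points: the change to `Value      : /data/hawq/master` breaks the column alignment with `GUC                : hawq_master_directory` in the same block and looks accidental, so keep the original spacing; and since the output shows the passwords masked (`[*****]`) while the command line passes them in clear text with `-p` and `-w`, it is worth pointing readers to the prompted short form already described in the **Note** as the way to keep the Ranger admin and HAWQ passwords out of shell history and process listings.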
@@ -99,9 +110,9 @@ To use HAWQ Ranger integration, install a compatible Hadoop 
distribution and Apa
     gpadmin@master$ hawq stop cluster --reload
     ```
 
-7.  When setup is complete, use the fully-qualified domain name to log into 
the Ambari server. Use the Ranger link in the left nav to bring up the Ranger 
Summary pane in the HAWQ Ambari interface. Use the Quick Links to access 
Ranger. This link will take you to the Ranger Login interface. 
+7.  After HAWQ reloads the configuration, use the fully-qualified domain name 
to log into the Ambari server. Click the **Ranger** link to display the Ranger 
Summary page, then select **Quick Links > Ranger Admin UI**. 
 
-8.  Log into the Ranger Access Manager. You will see a list of icons under the 
Service Manager. Click the **Edit** icon on the right, under the HAWQ service 
icon. Ensure that the Active Status is set to Enabled, and click the **Test 
Connection** button. You should receive a message that Ranger connected 
successfully.  If the connection fails, verify the `hawq` service Config 
Properties, as well as your `pg_hba.conf` entries, and re-test the connection.
+8.  Log into the Ranger Access Manager. Click the **Edit** button for the 
**HAWQ** service. Ensure that the Active Status is set to Enabled, and click 
**Test Connection**. You should receive a message that Ranger connected 
successfully.  If the connection fails, verify the `hawq` service Config 
Properties, as well as your `pg_hba.conf` entries, and re-test the connection.
 
 ## <a id="enable"></a>Step 2: Configure HAWQ to Use Ranger Policy Management
 
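Review bot: the rewritten step 7 drops the sentence saying that the **Quick Links > Ranger Admin UI** link lands on the Ranger login page, yet step 8 still opens with "Log into the Ranger Access Manager", so the reader no longer learns where the login happens or which credentials to use (the Ranger admin account given with `-u` in the `enable-ranger-plugin.sh` example earlier in the procedure is the natural reference). Consider ending step 7 with "...which opens the Ranger login page" or starting step 8 with "Log in to Ranger with the Ranger admin credentials". Also, "successfully.  If" in step 8 has a double space, and "Log into" is more commonly written "Log in to".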

http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/8823a9cf/markdown/ranger/ranger-overview.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-overview.html.md.erb 
b/markdown/ranger/ranger-overview.html.md.erb
index 56b45be..55ef691 100644
--- a/markdown/ranger/ranger-overview.html.md.erb
+++ b/markdown/ranger/ranger-overview.html.md.erb
@@ -36,7 +36,7 @@ The Ranger plug-in service caches Ranger policies locally on 
each HAWQ node to a
 ## <a id="limitations"></a>Limitations of Ranger Policy Management
 Neither Kerberos authentication nor SSL encryption is supported between a HAWQ 
node and the Ranger plug-in service, or between the plug-in service and the 
Ranger Policy Manager.
 
-The Ranger plug-in service is not compatible Highly-Available Ranger 
deployments. The plug-in will not connect to another Ranger Policy Manager if a 
failure occurs.
+The Ranger plug-in service is not compatible Highly-Available Ranger 
deployments. The plug-in will not connect to another Ranger Policy Manager if a 
failure occurs. Should you need to activate the standby master in your HAWQ 
cluster, you must update the HAWQ Ranger service definition with the new master 
node connection information.
 
 HAWQ supports setting user-level authorization policies with Ranger. These 
correspond to access policies that would typically be applied using the SQL 
`GRANT` command, and include authorization events for:
 
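Review bot: the added paragraph carries over the grammatical error from the line it replaces: "is not compatible Highly-Available Ranger deployments" is missing "with" (and "highly available" need not be capitalized or hyphenated), so fix it while this line is being touched. On the new standby-master sentence, the reader also needs to know that the HAWQ master's `pg_hba.conf` entry permitting \<hawq_user\> from \<ranger-admin-node\> (Step 6 of the configuration page) must be present on the newly activated master as well; otherwise the **Test Connection** check will fail even after the service definition is updated. Consider stating that here or linking to the configuration step. Naming the fields that change (the HAWQ host and port, as echoed by `enable-ranger-plugin.sh`) would also make "new master node connection information" concrete.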
@@ -48,17 +48,5 @@ HAWQ supports setting user-level authorization policies with 
Ranger. These corre
 - Languages
 - Protocols
 
-All authorization checks for superuser-restricted authorization events are 
handled by HAWQ natively, even when Ranger integration is enabled. These 
superuser-restricted events include:
-
-- `CREATE CAST` command
-- `CREATE FILESPACE` command
-- `CREATE`, `DROP`, or `ALTER` commands that involve a foreign-data wrapper
-- `CREATE FUNCTION` command for untrusted languages.
-- `CREATE` or `DROP` commands for procedural Languages
-- `CREATE`, `DROP`, or `ALTER` commands for resource queues
-- `CREATE TABLESPACE` command. Note that Ranger does manage authorization for 
creating databases, tables, indexes, and so forth _within_ an existing 
tablespace.
-- `CREATE EXTERNAL TABLE` commands that include the `EXECUTE` clause.
-- `CREATE OPERATOR CLASS` command
-- `COPY` command. Use of the `COPY` command is always limited to the 
superuser. When Ranger policy management is enabled, the superuser must have 
`SELECT` or `INSERT` privileges on a table in order to `COPY` from or to that 
table.
-- Built-in functions such as pg_logdir_ls, pg_ls_dir, pg_read_file, 
pg_reload_conf, pg_rotate_logfile, pg_signal_backend, pg_start_backup,  
pg_stat_file, pg_stat_get_activity, pg_stat_get_backend_activity_start, 
pg_stat_get_backend_activity, pg_stat_get_backend_client_addr, 
pg_stat_get_backend_client_port, pg_stat_get_backend_start, 
pg_stat_get_backend_waiting, pg_stop_backup, pg_switch_xlog, and pg_stat_reset.
+Some authorization checks for superuser-restricted authorization events are 
handled by HAWQ natively, even when Ranger integration is enabled. See 
[HAWQ-Native Authorization](ranger-policy-creation.html#alwaysnative).
 
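Review bot: the removed list contains several superuser-restricted events that do not appear in the `ranger-policy-creation.html.md.erb` hunk below this one (its visible context shows only catalog operations, `CREATE CAST`, databases, `hawq filespace`, resource queues, roles and tablespaces): `CREATE` / `DROP` / `ALTER` on foreign-data wrappers, `CREATE FUNCTION` for untrusted languages, `CREATE` / `DROP` for procedural languages, `CREATE EXTERNAL TABLE` with the `EXECUTE` clause, `CREATE OPERATOR CLASS`, and the `COPY` command together with its note that, when Ranger is enabled, the superuser still needs `SELECT` or `INSERT` privileges on the table. Please confirm those items, and the `COPY` note in particular, already exist on the target page; otherwise this commit silently drops documented behavior rather than moving it. Also verify that the `#alwaysnative` anchor exists in `ranger-policy-creation.html.md.erb`, since the heading carrying that id is not within the visible hunk. Changing "All authorization checks" to "Some authorization checks" reads as a deliberate softening; if it is, a one-line reason in the commit message would help.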

http://git-wip-us.apache.org/repos/asf/incubator-hawq-docs/blob/8823a9cf/markdown/ranger/ranger-policy-creation.html.md.erb
----------------------------------------------------------------------
diff --git a/markdown/ranger/ranger-policy-creation.html.md.erb 
b/markdown/ranger/ranger-policy-creation.html.md.erb
index c66f5ba..937ebab 100644
--- a/markdown/ranger/ranger-policy-creation.html.md.erb
+++ b/markdown/ranger/ranger-policy-creation.html.md.erb
@@ -53,13 +53,14 @@ The `pg_hba.conf` file on the HAWQ master node identifies 
the users you permit t
 HAWQ *always* employs its native authorization for operations on its catalog. 
HAWQ also uses only native authorization for the following HAWQ operations, 
*even when Ranger is enabled*. These operations are available to superusers and 
may be available those non-admin users to which access was specifically 
configured:
 
 - operations on HAWQ catalog
-- HAWQ catalog-related built-in functions
 - `CREATE CAST` command when function is NULL
 - `CREATE DATABASE`, `DROP DATABASE`, `createdb`, `dropdb`
 - `hawq filespace`
 - `CREATE`, `DROP`, or `ALTER` commands for resource queues
 - `CREATE ROLE`, `DROP ROLE`, `SET ROLE`, `createuser`, `dropuser`
 - `CREATE TABLESPACE`, `DROP TABLESPACE` (Ranger does manage authorization for 
creating tables and indexes _within_ an existing tablespace.)
+- HAWQ catalog-related built-in functions such as pg\_logdir\_ls, pg\_ls\_dir, 
pg\_read\_file, pg\_reload\_conf, pg\_rotate\_logfile, pg\_signal\_backend, 
pg\_start\_backup,  pg\_stat\_file, pg\_stat\_get\_activity, 
pg\_stat\_get\_backend\_activity\_start, pg\_stat\_get\_backend\_activity, 
pg\_stat\_get\_backend\_client\_addr, pg\_stat\_get\_backend\_client\_port, 
pg\_stat\_get\_backend\_start, pg\_stat\_get\_backend\_waiting, 
pg\_stop\_backup, pg\_switch\_xlog, and pg\_stat\_reset.
+
 
 The following SQL operations do not require any authorization checks:
 
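Review bot: the added `+` blank line right after the moved list item produces two consecutive blank lines before "The following SQL operations do not require any authorization checks:"; the existing blank context line is enough, so drop the added one. In the moved item itself, the backslash-escaped names (`pg\_ls\_dir`, `pg\_read\_file`, ...) are inconsistent with the rest of this list, which marks every command with backticks; backtick-wrapped names (`pg_ls_dir`, `pg_read_file`) render as code without any escaping and read cleaner. The item is also labeled "catalog-related", but most of the functions named (`pg_read_file`, `pg_ls_dir`, `pg_logdir_ls`, `pg_signal_backend`, `pg_start_backup`, `pg_stop_backup`, `pg_switch_xlog`, `pg_reload_conf`, `pg_rotate_logfile`) are server file-system and administration functions rather than catalog functions, so a label such as "built-in administration functions" describes them better; and there is a double space in "pg\_start\_backup,  pg\_stat\_file". Finally, the unchanged context sentence "may be available those non-admin users" is missing "to" ("may be available to those non-admin users") and could be fixed in a follow-up.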