[ 
https://issues.apache.org/jira/browse/HAWQ-24?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ruilong Huo updated HAWQ-24:
----------------------------
    Description: 
It raises error "Cannot support GRANT/REVOKE on TABLESPACE statement" while 
following the HAWQ guide 
(http://hawq.docs.pivotal.io/docs-gpdb/admin_guide/ddl/ddl-tablespace.html) to 
GRANT/REVOKE CREATION privilege to/from non-superuser on TABLESPACE.

{code}
gpadmin=# GRANT CREATE ON TABLESPACE fstbs TO tstuser;
ERROR:  Cannot support GRANT/REVOKE on TABLESPACE statement
{code}

As a consequence, with the user as SUPERUSER it is possible to create tables on 
top of the tablespace, but with a user as NOSUPERUSER it's not possible:

{code}
tstuser=> CREATE TABLE testfs3 ( col01 INTEGER ) TABLESPACE fstbs;
NOTICE:  Table doesn't have 'DISTRIBUTED BY' clause -- Using column named 
'col01' as the Greenplum Database data distribution key for this table.
HINT:  The 'DISTRIBUTED BY' clause determines the distribution of data. Make 
sure column(s) chosen are the optimal data distribution key to minimize skew.
ERROR:  permission denied for tablespace fstbs
{code}
 
{code}
gpadmin=# alter user tstuser with superuser;
ALTER ROLE

[gpadmin@ai2hdm1 ~]$ psql -d tstuser -U tstuser
Password for user tstuser: 
psql (8.2.15)
Type "help" for help.

tstuser=# CREATE TABLE testfs3 ( col01 INTEGER ) TABLESPACE fstbs;
NOTICE:  Table doesn't have 'DISTRIBUTED BY' clause -- Using column named 
'col01' as the Greenplum Database data distribution key for this table.
HINT:  The 'DISTRIBUTED BY' clause determines the distribution of data. Make 
sure column(s) chosen are the optimal data distribution key to minimize skew.
CREATE TABLE
{code}

Due to security considerations, it is not acceptable for some HAWQ users to 
always use SUPERUSER to create TABLESPACE.  Thus, we need to support:
1. Superuser can GRANT/REVOKE CREATION privilege to/from non-superuser on 
TABLESPACE.
2. Non-superuser can create TABLESPACE once it is granted with creation privilege.
3. Non-superuser to GRANT/REVOKE CREATION privilege on TABLESPACE to other 
users.

  was:
It raises error "Cannot support GRANT/REVOKE on TABLESPACE statement" while 
following the HAWQ guide 
(http://hawq.docs.pivotal.io/docs-gpdb/admin_guide/ddl/ddl-tablespace.html) to 
GRANT/REVOKE CREATION privilege to/from non-superuser on TABLESPACE.

{code}
gpadmin=# GRANT CREATE ON TABLESPACE fstbs TO tstuser;
ERROR:  Cannot support GRANT/REVOKE on TABLESPACE statement
{code}

As a consequence, with the user as SUPERUSER it is possible to create tables on 
top of the tablespace, but with a user as NOSUPERUSER it's not possible:

{code}
tstuser=> CREATE TABLE testfs3 ( col01 INTEGER ) TABLESPACE fstbs;
NOTICE:  Table doesn't have 'DISTRIBUTED BY' clause -- Using column named 
'col01' as the Greenplum Database data distribution key for this table.
HINT:  The 'DISTRIBUTED BY' clause determines the distribution of data. Make 
sure column(s) chosen are the optimal data distribution key to minimize skew.
ERROR:  permission denied for tablespace fstbs
{code}
 
{code}
gpadmin=# alter user tstuser with superuser;
ALTER ROLE

[gpadmin@ai2hdm1 ~]$ psql -d tstuser -U tstuser
Password for user tstuser: 
psql (8.2.15)
Type "help" for help.

tstuser=# CREATE TABLE testfs3 ( col01 INTEGER ) TABLESPACE fstbs;
NOTICE:  Table doesn't have 'DISTRIBUTED BY' clause -- Using column named 
'col01' as the Greenplum Database data distribution key for this table.
HINT:  The 'DISTRIBUTED BY' clause determines the distribution of data. Make 
sure column(s) chosen are the optimal data distribution key to minimize skew.
CREATE TABLE
{code}

Due to security considerations, it is not acceptable for some HAWQ users to 
always use SUPERUSER to create TABLESPACE.  Thus, we need to support:
1. Superuser can GRANT/REVOKE CREATION privilege to/from non-superuser on 
TABLESPACE.
2. Non-superuser can create TABLESPACE once it is granted with creation privilege.


> Support superuser to GRANT/REVOKE CREATION privilege to/from non-superuser on 
> TABLESPACE
> ----------------------------------------------------------------------------------------
>
>                 Key: HAWQ-24
>                 URL: https://issues.apache.org/jira/browse/HAWQ-24
>             Project: Apache HAWQ
>          Issue Type: New Feature
>          Components: DDL, Storage
>            Reporter: Ruilong Huo
>            Assignee: Lei Chang
>
> It raises error "Cannot support GRANT/REVOKE on TABLESPACE statement" while 
> following the HAWQ guide 
> (http://hawq.docs.pivotal.io/docs-gpdb/admin_guide/ddl/ddl-tablespace.html) 
> to GRANT/REVOKE CREATION privilege to/from non-superuser on TABLESPACE.
> {code}
> gpadmin=# GRANT CREATE ON TABLESPACE fstbs TO tstuser;
> ERROR:  Cannot support GRANT/REVOKE on TABLESPACE statement
> {code}
> As a consequence, with the user as SUPERUSER it is possible to create tables on 
> top of the tablespace, but with a user as NOSUPERUSER it's not possible:
> {code}
> tstuser=> CREATE TABLE testfs3 ( col01 INTEGER ) TABLESPACE fstbs;
> NOTICE:  Table doesn't have 'DISTRIBUTED BY' clause -- Using column named 
> 'col01' as the Greenplum Database data distribution key for this table.
> HINT:  The 'DISTRIBUTED BY' clause determines the distribution of data. Make 
> sure column(s) chosen are the optimal data distribution key to minimize skew.
> ERROR:  permission denied for tablespace fstbs
> {code}
>  
> {code}
> gpadmin=# alter user tstuser with superuser;
> ALTER ROLE
> [gpadmin@ai2hdm1 ~]$ psql -d tstuser -U tstuser
> Password for user tstuser: 
> psql (8.2.15)
> Type "help" for help.
> tstuser=# CREATE TABLE testfs3 ( col01 INTEGER ) TABLESPACE fstbs;
> NOTICE:  Table doesn't have 'DISTRIBUTED BY' clause -- Using column named 
> 'col01' as the Greenplum Database data distribution key for this table.
> HINT:  The 'DISTRIBUTED BY' clause determines the distribution of data. Make 
> sure column(s) chosen are the optimal data distribution key to minimize skew.
> CREATE TABLE
> {code}
> Due to security considerations, it is not acceptable for some HAWQ users to 
> always use SUPERUSER to create TABLESPACE.  Thus, we need to support:
> 1. Superuser can GRANT/REVOKE CREATION privilege to/from non-superuser on 
> TABLESPACE.
> 2. Non-superuser can create TABLESPACE once it is granted with creation 
> privilege.
> 3. Non-superuser to GRANT/REVOKE CREATION privilege on TABLESPACE to other 
> users.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
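
The least-privilege flow this issue asks for, written as an added example in standard PostgreSQL syntax (not part of the original message or of HAWQ's code; the HAWQ build in the report rejects the GRANT). fstbs and tstuser come from the report; otheruser is a hypothetical second role, and the sketch assumes the requested support behaves as in upstream PostgreSQL.

```sql
-- Added example: assumes upstream PostgreSQL tablespace privilege semantics.
-- 'otheruser' is a hypothetical role used only for illustration.

-- As gpadmin: undo the workaround from the report first. A superuser bypasses
-- every privilege check, so has_tablespace_privilege() would report true for
-- tstuser regardless of what is recorded in the tablespace ACL.
ALTER USER tstuser WITH NOSUPERUSER;

-- Item 1: superuser grants CREATE on the tablespace to a non-superuser.
-- WITH GRANT OPTION is what makes item 3 (delegation) possible.
GRANT CREATE ON TABLESPACE fstbs TO tstuser WITH GRANT OPTION;

-- Verify the grant from the catalog rather than by trial and error.
-- In spcacl, 'C' is CREATE and a trailing '*' marks the grant option.
SELECT has_tablespace_privilege('tstuser', 'fstbs', 'CREATE') AS can_create;
SELECT spcname, spcacl FROM pg_tablespace WHERE spcname = 'fstbs';

-- Item 2: as tstuser (still NOSUPERUSER), the statement from the report.
CREATE TABLE testfs3 ( col01 INTEGER ) TABLESPACE fstbs;

-- Item 3: as tstuser, delegate the privilege to another non-superuser.
GRANT CREATE ON TABLESPACE fstbs TO otheruser;

-- Revocation, as gpadmin. CASCADE also removes the grants that tstuser
-- handed out; without it the REVOKE fails while dependent grants exist.
REVOKE CREATE ON TABLESPACE fstbs FROM tstuser CASCADE;

-- Audit: confirm what each role holds after the revoke, and list any
-- roles that still carry the superuser attribute.
SELECT has_tablespace_privilege('tstuser',   'fstbs', 'CREATE') AS tstuser_can_create,
       has_tablespace_privilege('otheruser', 'fstbs', 'CREATE') AS otheruser_can_create;
SELECT rolname FROM pg_roles WHERE rolsuper;
```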
