[
https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15376472#comment-15376472
]
Lili Ma edited comment on HAWQ-256 at 7/14/16 7:19 AM:
-------------------------------------------------------
[~bosco] Thanks for your answer :)
1. Yes, it's good for Ranger to import user list from component. Why I expose
this question is that I noticed that Ranger has provided a function "Add New
User" under tab "Settings/Users/Groups". Does it mean Ranger also supports
creating user in Ranger itself?
2. Grant privilege from just one side is relatively easy and clear. What we
need to discuss is which side we allow granting privilege, HAWQ, or Ranger? As
you said, HAWQ side is a good choice since there's no change in admin behavior.
3. I also thinks it would be simple if we don't consider Ranger down or Ranger
not exist problem. What about the scenarios that user don't intend to install
Ranger? Are users are all fine with Ranger? Currently the ACL information is
stored in HAWQ catalog. Shall we remove the catalog information if we provide
Ranger support?
4. Yes, LDAP/AD is a potential good solution for us :)
5. So In Hive and HBase, the grant operations are all done in the database side
instead of Ranger side. Right? In this page it seems that Ranger admin console
also supports creating a new policy from UI? Please correct me if my
understanding is wrong.
https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide
Actually, we are investigating and aiming at drafting a design doc. Will attach
the design doc to this JIRA once done.
was (Author: lilima):
[~bosco] Thanks for your answer :)
1. Yes, it's good for Ranger to import user list from component. Why I expose
this question is that I noticed that Ranger has provided a function "Add New
User" under tab "Settings/Users/Groups". Does it mean Ranger also supports
creating user in Ranger itself?
2. Grant privilege from just one side is relatively easy and clear. What we
need to discuss is which side we allow granting privilege, HAWQ, or Ranger? As
you said, HAWQ side is a good choice since there's no change in admin behavior.
3. I also thinks it would be simple if we don't consider Ranger down or Ranger
not exist problem. What about the scenarios that user don't intend to install
Ranger? Are users are all fine with Ranger? Currently the ACL information is
stored in HAWQ catalog. Shall we remove the catalog information if we provide
Ranger support?
4. Yes, LDAP/AD is a potential good solution for us :)
5. So In Hive and HBase, the grant operations are all done in the database side
instead of Ranger side. Right? In this page it seems that Ranger admin console
also supports creating a new policy from UI? Please correct me if my
understanding is wrong.
Actually, we are investigating and aiming at drafting a design doc. Will attach
the design doc to this JIRA once done.
> Integrate Security with Apache Ranger
> -------------------------------------
>
> Key: HAWQ-256
> URL: https://issues.apache.org/jira/browse/HAWQ-256
> Project: Apache HAWQ
> Issue Type: New Feature
> Components: PXF, Security
> Reporter: Michael Andre Pearce (IG)
> Assignee: Lili Ma
> Fix For: backlog
>
>
> Integrate security with Apache Ranger for a unified Hadoop security solution.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
