[ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15422443#comment-15422443 ]
Lili Ma commented on HAWQ-256:
------------------------------

[~bosco] [~vineetgoel] [~lei_chang] [~hubertzhang] [~wenlin]

Another thing we need to discuss is whether we support users sending "GRANT" SQL besides setting policy in Ranger. If we also support GRANT SQL, there is a minor difference between the "with grant option" of GRANT SQL and what is inside the Ranger UI. We need to discuss it clearly.

Ranger has one button, "Delegate Admin", when defining a policy; this is different from what the HAWQ GRANT SQL specifies. That button in Ranger means the Ranger internal user has the privileges to operate on the given path/object and to assign someone else the rights for the objects. That button has no influence on a Ranger external user, say, a HAWQ internal user. For example, if we add a policy specifying that user A has the privilege to select from a table T and click on the button, and user A is a Ranger internal user, then user A has the right to log into Ranger and assign the insert/select privileges for table T to user B.

The GRANT SQL "with grant option" means that the to-be-granted user has the privilege to grant certain privileges to other users. If the grant privilege specifies just select, then user A can't grant the insert privilege to user B. So this is slightly different from what Ranger has already provided.

If we allow GRANT/REVOKE SQL from HAWQ, we need to add "grant" as an action option to the resource. Action option means that for each action, it has an attribute which indicates whether this action can be granted by the user. For example, admin grants two privileges:

  grant select on t1 to u1
  grant insert on t1 to u1 with grant option

Then u1 grants privileges to u2:

  grant select on t1 to u2    result: failed!
  grant insert on t1 to u2    result: succeed!

As a result, u2 can insert on t1, but it cannot select on t1.

Correspondingly, in Ranger, we have the following policies (* means with grant privilege):

  t1  u1  insert*select
  t1  u2  insert

So the conclusion is that we need to double the privileges for defining "with grant option" if we want to support GRANT/REVOKE SQL from the HAWQ side.

> Integrate Security with Apache Ranger
> -------------------------------------
>
> Key: HAWQ-256
> URL: https://issues.apache.org/jira/browse/HAWQ-256
> Project: Apache HAWQ
> Issue Type: New Feature
> Components: PXF, Security
> Reporter: Michael Andre Pearce (IG)
> Assignee: Lili Ma
> Fix For: backlog
>
> Attachments: HAWQRangerSupportDesign.pdf
>
>
> Integrate security with Apache Ranger for a unified Hadoop security solution.

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
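The grant-chain scenario and the "doubled" Ranger encoding from the comment above, worked as an added example. This is a constructed toy model written for this page, not HAWQ or Ranger code: the class `GrantModel`, its ACL layout (one `{action: grantable}` map per table/user pair) and the `act1*act2` policy-row format are assumptions chosen to mirror the comment's listing, where a trailing `*` marks an action held with grant option.

```python
"""Toy model of GRANT ... WITH GRANT OPTION and its mapping onto per-action
Ranger policy items. Constructed example for illustration; not HAWQ/Ranger code."""

from collections import defaultdict


class GrantModel:
    """ACL keyed by (table, user) -> {action: grantable}.

    grantable=True is the per-action "grant" attribute the comment proposes:
    it corresponds to WITH GRANT OPTION on that single action only, so a user
    holding insert* but plain select can re-grant insert but not select.
    (Hypothetical model; the admin user is assumed to bypass all checks.)
    """

    def __init__(self, admin="admin"):
        self.admin = admin
        self.acl = defaultdict(dict)

    def grant(self, grantor, action, table, grantee, with_grant_option=False):
        """Apply `GRANT <action> ON <table> TO <grantee> [WITH GRANT OPTION]`
        issued by `grantor`. Returns True on success, False when the grantor
        does not hold the grant option for exactly that action."""
        if grantor != self.admin:
            held = self.acl[(table, grantor)]
            if not held.get(action, False):
                return False  # action missing, or held without grant option
        entry = self.acl[(table, grantee)]
        # Never downgrade an existing grant option by a later plain grant.
        entry[action] = entry.get(action, False) or with_grant_option
        return True

    def can(self, user, action, table):
        """True if `user` may perform `action` on `table` (grantable or not)."""
        return action in self.acl[(table, user)]

    def ranger_policies(self):
        """Flatten to (table, user, 'act1*act2') rows, '*' marking grantable
        actions: every action effectively needs a second, grant-capable
        variant, which is the doubling the comment concludes is required."""
        rows = []
        for (table, user), actions in sorted(self.acl.items()):
            if not actions:
                continue
            spec = "".join(a + ("*" if g else "") for a, g in sorted(actions.items()))
            rows.append((table, user, spec))
        return rows


def run_comment_scenario():
    """Replay the admin -> u1 -> u2 sequence from the comment.

    Returns the model plus a dict of the two u1-issued grants and whether
    each succeeded."""
    m = GrantModel()
    m.grant("admin", "select", "t1", "u1")
    m.grant("admin", "insert", "t1", "u1", with_grant_option=True)
    results = {
        "u1 grants select to u2": m.grant("u1", "select", "t1", "u2"),
        "u1 grants insert to u2": m.grant("u1", "insert", "t1", "u2"),
    }
    return m, results


if __name__ == "__main__":
    model, outcome = run_comment_scenario()
    for stmt, ok in outcome.items():
        print(f"{stmt}: {'succeed' if ok else 'failed'}")
    for row in model.ranger_policies():
        print("policy:", *row)
```

Running the scenario reproduces the comment's outcome: u2 ends up with insert but not select on t1, and the flattened policy listing is `t1 u1 insert*select` / `t1 u2 insert`. Note that u2's insert is recorded without the grant option, so a further `grant insert on t1 to u3` issued by u2 would also fail under this model.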