[ https://issues.apache.org/jira/browse/HAWQ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15422443#comment-15422443 ]

Lili Ma edited comment on HAWQ-256 at 8/16/16 8:51 AM:
-------------------------------------------------------

[~bosco] [~vineetgoel] [~lei_chang] [~hubertzhang] [~wenlin]
Another thing we need to discuss is whether we support users sending "GRANT" SQL besides setting policy in Ranger. If we also support Grant SQL, there is a minor difference between the "with grant option" of Grant SQL and what is inside the Ranger UI. We need to discuss it clearly.

Ranger has one button "Delegate Admin" when defining a policy; this is different from what the HAWQ grant SQL specifies.
That button in Ranger means the Ranger internal user has the privileges to operate the given path/object and assign someone else the rights for the objects. That button has no influence on a Ranger external user, say, a HAWQ internal user. For example, if we add a policy specifying that user A has the privilege to select a table T and click on the button, and user A is a Ranger internal user, then user A has the right to log into Ranger and assign the insert/select privileges for table T to user B.
The grant SQL with grant option means that the to-be-granted user has the privilege to grant certain privileges to other users. If the grant privilege specifies just select, then user A can't grant the insert privilege to user B. So this is slightly different from what Ranger has already provided.

If we allow grant/revoke SQL from HAWQ, we need to add "grant" as an action option to the resource. Action option means that for each action, there is an attribute which indicates whether this action can be granted by the user.
For example, the admin grants two privileges:
"grant select on t1 to u1"
"grant insert on t1 to u1 with grant option"
Then u1 grants privileges to u2:
"grant select on t1 to u2" result: failed!
"grant insert on t1 to u2" result: succeed!
As a result, u2 can insert on t1, but it cannot select on t1.
Correspondingly, in Ranger, we have the following policies (* means with grant privilege):
t1 u1 insert*select
t1 u2 insert

So the conclusion is that we need to double the privileges for defining "with grant option" if we want to support Grant/Revoke SQL from the HAWQ side.
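
The admin -> u1 -> u2 sequence above, replayed against a toy model of the proposed scheme in which each Ranger-side action carries a "grantable" attribute (added example, not HAWQ or Ranger code; table, user and action names are constructed):

```python
# Added example (not HAWQ or Ranger code): a toy model of the policy scheme
# proposed above, in which every Ranger-side action carries a "grantable"
# attribute so that HAWQ's GRANT ... WITH GRANT OPTION can be checked against
# it. Table, user and action names are constructed for illustration.
from collections import defaultdict


def new_policies():
    # policies[table][user] -> {action: grantable}; the '*' in the comment's
    # listing corresponds to grantable == True.
    return defaultdict(lambda: defaultdict(dict))


def admin_grant(policies, table, user, action, with_grant_option=False):
    """Ranger admin defines a policy directly in the UI; no check applies."""
    policies[table][user][action] = with_grant_option


def grant(policies, grantor, table, grantee, action, with_grant_option=False):
    """HAWQ 'GRANT <action> ON <table> TO <grantee>' issued by <grantor>.
    Succeeds only if the grantor holds <action> on <table> with the grant
    attribute set; the grantee may re-grant only if WITH GRANT OPTION is
    passed on again."""
    if not policies[table][grantor].get(action, False):
        return False  # grantor lacks the action, or holds it without grant right
    policies[table][grantee][action] = with_grant_option
    return True


def can(policies, user, table, action):
    return action in policies[table][user]


def render(policies, table):
    """Render a table's policies in the comment's notation ('*' = grantable)."""
    return [table + " " + user + " " + "".join(
                a + ("*" if g else "") for a, g in sorted(perms.items()))
            for user, perms in sorted(policies[table].items())]


def scenario():
    """Replay the admin -> u1 -> u2 sequence from the comment."""
    p = new_policies()
    admin_grant(p, "t1", "u1", "select")
    admin_grant(p, "t1", "u1", "insert", with_grant_option=True)
    select_ok = grant(p, "u1", "t1", "u2", "select")  # fails: no grant right on select
    insert_ok = grant(p, "u1", "t1", "u2", "insert")  # succeeds
    return (select_ok, insert_ok, can(p, "u2", "t1", "insert"),
            can(p, "u2", "t1", "select"), render(p, "t1"))
```

Running `scenario()` yields the two policy lines from the comment, `t1 u1 insert*select` and `t1 u2 insert`, with u2 able to insert but not select.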

> Integrate Security with Apache Ranger
> -------------------------------------
>
>                 Key: HAWQ-256
>                 URL: https://issues.apache.org/jira/browse/HAWQ-256
>             Project: Apache HAWQ
>          Issue Type: New Feature
>          Components: PXF, Security
>            Reporter: Michael Andre Pearce (IG)
>            Assignee: Lili Ma
>             Fix For: backlog
>
>         Attachments: HAWQRangerSupportDesign.pdf
>
>
> Integrate security with Apache Ranger for a unified Hadoop security solution. 


